Honeypots mailing list archives
Re: results of the first honeyd challenge (dynamic honeynet?)
From: "Wim Mees" <Wim.Mees () vision rma ac be>
Date: Mon, 31 Mar 2003 15:35:12 +0200
Before a DHCP server will hand out a specific IP address, it will first ping the candidate address to verify whether the address is really free (and the receiving DHCP client will typically send an ARP request once more to verify whether the address it received is really really free).

Since your arpd is at that time listening on this address, it will reply to ARP requests and ICMP echo requests and the DHCP server will never find an address that is free. It will effectively result in a DoS of your DHCP server.

Wim

----- Original Message -----
From: "Compton, Rich" <RCompton () chartercom com>
To: <honeypots () securityfocus com>
Sent: Monday, March 31, 2003 8:09 AM
Subject: RE: results of the first honeyd challenge (dynamic honeynet?)
Reading all of the great entries from the honeyd challenge gave me an idea for a dynamic honeynet. The problem that I have implementing a honeypot is that it takes up IPs. I have to reconfigure the honeypot as soon as I need one of those IPs that's assigned on the honeypot. Wouldn't it be nice to have a honeynet that looks for IPs in a subnet that are not used (maybe by trying to ping them) and then creates a honeynet for just those IPs? The honeypot could then see when one of those IPs is being used and remove it from its configuration.

I'm not sure how it would identify IPs being used when an IP gets statically assigned (maybe thru arp?) but I've got an idea on how to identify when IPs are in use in an environment with DHCP. The honeypot could be running snort and be looking for bootp messages from the DHCP server. When snort sees a DHCP offer for a particular IP it could log it and then something like logwatch could fire off a script to reconfigure honeyd with a modified config file removing that IP. In this way, the honeynet could dynamically grow or contract based on the supply of unused IPs. Maybe this could also work with the labrea tarpit? Any thoughts?

-Rich Compton