Honeypots mailing list archives
RE: About Data Control
From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Fri, 17 Jan 2003 13:33:21 -0500
Well, my honeypot is currently inside of my internal network. I have it on its own internal private subnet, separated from all my other machines. I have my gateway limit X connections per X minutes/seconds outbound from my honeypot. Thus if my machine does get breached while I'm not watching (which usually happens), the attacker can't do much with the limitations I impose. (I've even had them to the point of rm'ing my machine :( ).

The Honeynet Project (correct me if I'm wrong) is trying to use snort-inline to block the "stupid" attacks (i.e.: CodeRed, IIS Unicode, etc.) and other well-known attacks to see if they can get something new. Which is a great idea.

HTH.

Cheers!
Alberto Gonzalez.

-----Original Message-----
From: Martim Carbone [mailto:martim.carbone () ic unicamp br]
Sent: Friday, January 17, 2003 1:16 PM
To: honeypots () securityfocus com
Subject: About Data Control

Hi,

I am currently working on the Data Control part of my Honeynet, and have already configured Snort-inline to run with the rc.firewall script provided by the Honeynet Project. This configuration could prevent exploit attacks, scans and some DoS attacks.

However, there is still one type of "attack" this setup does not prevent. Suppose a random attacker breaks into a random machine A on the Internet, installs a backdoor and then breaks into OUR honeypot. He could effectively use our honeypot as a bounce station and anonymize his connection to his backdoor on host A. And as far as I know, neither snort-inline nor the connection-limiting scheme could prevent him from doing it.

Needless to say, this could get the honeynet's administrators into serious trouble if A's administrators find out where the attacker is connecting from.

Any ideas on how to prevent this?

Thanks,
--
Martim
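
An added illustration, not part of either poster's message and not the Honeynet Project's rc.firewall: a sliding-window model of the "X connections per X minutes" outbound limit, run over constructed connection events. It shows the limit cutting off a scan burst while the single bounce connection to host A still passes. The limit values, addresses, port numbers and function names are assumptions.

```python
from collections import Counter, deque

# Constructed sample data (documentation address ranges, not from the thread):
# a 20-connection scan burst, then one connection to the backdoor on "host A".
SCAN = [(t, f"198.51.100.{t + 1}", 80) for t in range(20)]
BOUNCE = [(7200, "203.0.113.10", 31337)]
EVENTS = SCAN + BOUNCE


def apply_outbound_limit(events, max_conns, window_secs):
    """Return an ALLOW/DROP verdict for each new outbound connection.

    events: (timestamp_secs, dst_ip, dst_port) tuples sorted by time.
    At most max_conns new connections are allowed in any window_secs span.
    """
    recent = deque()  # timestamps of allowed connections still in the window
    decisions = []
    for ts, dst, port in events:
        # Expire allowed connections that have aged out of the window.
        while recent and ts - recent[0] >= window_secs:
            recent.popleft()
        if len(recent) < max_conns:
            recent.append(ts)
            decisions.append((ts, dst, port, "ALLOW"))
        else:
            decisions.append((ts, dst, port, "DROP"))
    return decisions


def summarize(decisions):
    """Count verdicts per (destination port, verdict)."""
    return Counter((port, verdict) for _, _, port, verdict in decisions)


if __name__ == "__main__":
    # Assumed policy: 5 new outbound connections per hour.
    result = apply_outbound_limit(EVENTS, max_conns=5, window_secs=3600)
    for (port, verdict), n in sorted(summarize(result).items()):
        print(f"port {port}: {verdict} x{n}")
```

A counting limit bounds how many connections leave the honeypot, not where they go or what they carry, so one low-volume connection is indistinguishable from any other allowed connection.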