Honeypots mailing list archives
Re: About Data Control
From: Johan Augustsson <johan.augustsson () adm gu se>
Date: Sat, 18 Jan 2003 13:30:57 +0100
On Fri, Jan 17, 2003 at 04:15:36PM -0200, Martim Carbone wrote:
Hi,

I am currently working on the Data Control part of my Honeynet, and have already configured Snort-inline to run with the rc.firewall script provided by the Honeynet Project. This configuration could prevent exploit attacks, scans and some DoS attacks. However, there is still one type of "attack" this setup does not prevent. Suppose a random attacker breaks into a random machine A on the Internet, installs a backdoor and then breaks into OUR honeypot. He could effectively use our honeypot as a bounce station and anonymize his connection to his backdoor on host A. And as far as I know, neither snort-inline nor the connection-limiting scheme could prevent him from doing it. Needless to say, this could get the honeynet's administrators into serious trouble if A's administrators find out where the attacker is connecting from. Any ideas on how to prevent this?

Thanks,
-- Martim
Nearly a year ago (2002-01-21) I posted some thoughts about traffic control for outbound traffic from a compromised honeypot. By that day Snort didn't manage to interact with the router to drop packets, but since my honeypot was on a 100 Mbps connection to the Internet I sure didn't want them to use the compromised system to attack others with that capacity.

What I did was to use Traffic Control (TC) in the router/firewall/snort-box. TC allows you to set the bandwidth for different connections. In my case I wanted to learn more about the kids that track down anonymous FTP-servers with write-access. So I let them have 100 Mbps inbound but only 256 Kbps outbound.

That can be used not to prevent your honeypot from attacking other systems but to slow the attack down and minimize the damage. If you start to block ports for outbound traffic you'll risk making the intruder suspicious, and he might bail out after destroying the system completely.

Linux Advanced Routing & Traffic Control HOWTO
http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.qdisc.html

My post in 2002:
http://www.securityfocus.com/archive/119/251472

Internet Systematics Lab Honeynet Project thought it was interesting:
http://www.epmhs.gr/honeynet/types_honeynet.htm

Johan Augustsson

--------------------------------------------------------------
Johan Augustsson          Phone: +46 (0)31 773 5361
Incident Response Team    Fax:   +46 (0)31 773 1087
Göteborg University       E-mail: Johan.Augustsson(at)adm.gu.se
Sweden
--------------------------------------------------------------
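The asymmetric shaping Johan describes (full link speed in, a trickle out) is an egress rule on the gateway's Internet-facing interface, since tc shapes what leaves an interface. The script below is an added example written for this archive page, not Johan's or the Honeynet Project's own configuration; it assumes a hypothetical gateway whose external interface is eth0 and whose honeypots sit in 192.0.2.0/24 (a documentation prefix used as a placeholder), and it uses an HTB tree rather than whatever qdisc Johan used. It prints the tc commands by default so they can be reviewed first, and runs them only when invoked with "apply" as root.

```shell
#!/bin/sh
# Added example, not from the original post: HTB egress shaping on a honeynet
# gateway, giving honeypot-sourced traffic 256 Kbps out while the rest of the
# link keeps 100 Mbps. Names below are assumptions for illustration:
#   EXT_IF    - Internet-facing interface of the gateway (hypothetical: eth0)
#   HONEY_NET - honeypot subnet (192.0.2.0/24 is a placeholder prefix)

EXT_IF="${EXT_IF:-eth0}"
HONEY_NET="${HONEY_NET:-192.0.2.0/24}"
HONEY_RATE="${HONEY_RATE:-256kbit}"
LINK_RATE="${LINK_RATE:-100mbit}"

# Print the tc commands that build the shaping tree on interface $1:
# class 1:10 (the HTB default) carries everything at link rate $4, class 1:20
# carries packets whose source is subnet $2 and is capped at $3. An SFQ leaf
# under 1:20 keeps one bulk flow from starving the others inside the cap.
# Printing instead of running lets the plan be diffed against the live box.
tc_egress_plan() {
    dev=$1 net=$2 rate=$3 link=$4
    cat <<EOF
tc qdisc del dev $dev root
tc qdisc add dev $dev root handle 1: htb default 10
tc class add dev $dev parent 1: classid 1:1 htb rate $link ceil $link
tc class add dev $dev parent 1:1 classid 1:10 htb rate $link ceil $link
tc class add dev $dev parent 1:1 classid 1:20 htb rate $rate ceil $rate burst 15k
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip src $net flowid 1:20
EOF
}

# Run the plan line by line. Needs root and iproute2. The leading "qdisc del"
# fails harmlessly when no root qdisc exists yet, so its status is ignored;
# any other failure aborts so the tree is not left half-built.
tc_egress_apply() {
    tc_egress_plan "$@" | while IFS= read -r cmd; do
        case $cmd in
            "tc qdisc del"*) $cmd 2>/dev/null || true ;;
            *) $cmd || { echo "failed: $cmd" >&2; return 1; } ;;
        esac
    done
}

# Verification after applying (run by hand):
#   tc -s class show dev "$EXT_IF"
# The 1:20 counters climb when a honeypot sends; "dropped" grows once it
# tries to exceed the 256 Kbps cap. Inbound traffic is untouched, which is
# what keeps the intruder's scans and uploads looking normal.

if [ "${1:-}" = "apply" ]; then
    tc_egress_apply "$EXT_IF" "$HONEY_NET" "$HONEY_RATE" "$LINK_RATE"
else
    tc_egress_plan "$EXT_IF" "$HONEY_NET" "$HONEY_RATE" "$LINK_RATE"
fi
```

Because the filter matches on source address, the cap also covers the bounce case raised in the thread: a connection relayed through the honeypot to an outside backdoor still leaves the gateway with a honeypot source address and is throttled with everything else, which slows the abuse without blocking a port that would tip the intruder off.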
Current thread:
- About Data Control Martim Carbone (Jan 17)
- Re: About Data Control Anton A. Chuvakin (Jan 17)
- Re: About Data Control Johan Augustsson (Jan 18)
- <Possible follow-ups>
- RE: About Data Control Gonzalez, Albert (Jan 17)
- RE: About Data Control mike (Jan 17)
- Fwd: Re: About Data Control Eloi Granado (Jan 27)