Honeypots mailing list archives

Re: An Idea for Discussion for HoneyView


From: Pascal Charest <praetori () step polymtl ca>
Date: Thu, 1 May 2003 10:15:54 -0400 (EDT)


I wonder if this is really applicable. We are speaking of a very high
overhead for little result. I don't think the database would really be
useful in a production environment, since you cannot really block an
entire router (we are more than a million here that have as first gateway
one of the videotron.com routers).

The other problem would be the bandwidth asked by this operation; we are
speaking of slowing down the speed of the login to a crawl. I would also
wonder if there would be useful results, since a hacker might decide to
use an anonymous proxy, VPN, modified ircbot, hacked computer... all of which
would compromise your data accuracy.

My 2 cents...

Pascal Charest :: Alias: Praetorian
Administrator of STEP and Coopoly
Manager of DagWave Media
Ecole Polytechnique de Montreal


On Thu, 1 May 2003, Karl Hable wrote:



I found one shortcoming when analyzing the data captured from
honeyd. You won't really get an idea of who may be the same
person who visited you. It's not possible to decide
this because providers normally give IP addresses from a
pool to their dial-in users. These IP pools often span
more than one class C net, so it's often in the dark who comes
from the same origin.

So ... you always do the same ... traceroute the IP and
look where he comes from ... but 5 min later you won't
remember.

So .. I got the idea to let a cron job traceroute all
new IP addresses and store the routing information also
in HoneyView's database.
Now you would also be able to query your visitors by the
rule -> list me all guys coming over router
aaa.bbb.ccc.ddd

Now you definitely see all guys coming from the same
dial-in point,

and you'll see all IP addresses a certain dial-in point
has in its bag (after a certain amount of time).

In a production environment this will give you the
information for defining filter rules for your firewalls:
which IPs you probably block completely.

I'm interested in what you think of this suggestion.

Karl Hable
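The cron-job-plus-database scheme proposed above, worked through as an added example (not HoneyView, honeyd, or either poster's code): it parses traceroute output, stores one row per hop, and answers both queries from the post, "all visitors coming over router X" and "all IPs a dial-in point has in its bag". The table layout, function names and every address are assumptions of this example, and the traceroute output is constructed by hand so the block runs offline.

```python
"""Per-visitor traceroute hops in SQLite, queried by router (added example;
not HoneyView or honeyd code; schema, names and addresses are hypothetical)."""
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "N  host (ip) ..." and "traceroute -n" style "N  ip ..." both match;
# a "* * *" line (no reply at that TTL) matches but yields no router.
HOP_RE = re.compile(rf"^\s*(\d+)\s+(?:\S+\s+\(({IPV4})\)|({IPV4})\s|\*)")

# Constructed sample output (hypothetical addresses).  A and B sit in different
# /24s but share last-hop router 172.16.9.9; C comes in over 172.16.9.40.
SAMPLE_TRACES = {
    "192.0.2.23": """\
traceroute to 192.0.2.23 (192.0.2.23), 30 hops max, 60 byte packets
 1  gw.example.net (10.0.0.1)  0.412 ms  0.388 ms  0.365 ms
 2  core1.isp.example (172.16.5.5)  4.102 ms  4.055 ms  4.011 ms
 3  dialin-pop1.isp.example (172.16.9.9)  12.9 ms  12.7 ms  12.8 ms
 4  192.0.2.23 (192.0.2.23)  41.3 ms  40.9 ms  41.0 ms
""",
    "198.51.100.77": """\
 1  10.0.0.1  0.399 ms  0.380 ms  0.371 ms
 2  172.16.5.5  4.210 ms  4.133 ms  4.090 ms
 3  172.16.9.9  13.1 ms  12.9 ms  13.0 ms
 4  198.51.100.77  38.7 ms  38.2 ms  38.5 ms
""",
    "203.0.113.140": """\
 1  10.0.0.1  0.401 ms  0.377 ms  0.360 ms
 2  172.16.5.5  4.211 ms  4.150 ms  4.102 ms
 3  * * *
 4  172.16.9.40  15.2 ms  15.0 ms  15.1 ms
 5  203.0.113.140  52.8 ms  52.1 ms  52.4 ms
""",
}

# One row per (visitor, ttl); the visitor's own address is never stored as a router.
SCHEMA = """CREATE TABLE IF NOT EXISTS hop (
    ip TEXT NOT NULL, ttl INTEGER NOT NULL, router TEXT NOT NULL,
    PRIMARY KEY (ip, ttl))"""

def parse_traceroute(text: str) -> List[Tuple[int, Optional[str]]]:
    """(ttl, router) per hop line; router is None where traceroute printed '*'."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)          # header and junk lines do not match
        if m:
            hops.append((int(m.group(1)), m.group(2) or m.group(3)))
    return hops

def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def record_trace(conn: sqlite3.Connection, ip: str, trace_text: str) -> int:
    """Store the route to `ip`, dropping silent hops and the target itself."""
    rows = [(ip, ttl, router) for ttl, router in parse_traceroute(trace_text)
            if router is not None and router != ip]
    conn.executemany("INSERT OR REPLACE INTO hop VALUES (?, ?, ?)", rows)
    conn.commit()
    return len(rows)

def visitors_via(conn: sqlite3.Connection, router: str) -> List[str]:
    """'List me all guys coming over router X' (any hop of their route)."""
    cur = conn.execute("SELECT DISTINCT ip FROM hop WHERE router = ? ORDER BY ip", (router,))
    return [row[0] for row in cur]

def dialin_point(conn: sqlite3.Connection, ip: str) -> Optional[str]:
    """Last router before the visitor: the dial-in point as seen from here."""
    row = conn.execute("SELECT router FROM hop WHERE ip = ? ORDER BY ttl DESC LIMIT 1",
                       (ip,)).fetchone()
    return row[0] if row else None

def visitors_by_dialin_point(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """'All IP addresses a dial-in point has in its bag', for every dial-in point."""
    cur = conn.execute("""SELECT h.router, h.ip FROM hop AS h
        WHERE h.ttl = (SELECT MAX(ttl) FROM hop WHERE ip = h.ip)
        ORDER BY h.router, h.ip""")
    grouped: Dict[str, List[str]] = {}
    for router, ip in cur:
        grouped.setdefault(router, []).append(ip)
    return grouped

def build_sample_db() -> sqlite3.Connection:
    """Load the constructed traces; a cron job would call traceroute -n instead."""
    conn = open_db()
    for ip, text in SAMPLE_TRACES.items():
        record_trace(conn, ip, text)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    for router, ips in visitors_by_dialin_point(db).items():
        print(f"{router}: {', '.join(ips)}")
```

On the sample data, `visitors_by_dialin_point` groups 192.0.2.23 and 198.51.100.77 under 172.16.9.9 although they are in different /24s, which is exactly the correlation the post is after, while 203.0.113.140 lands under 172.16.9.40. In a cron job the constructed text would be replaced by the output of `traceroute -n <ip>` for each address not yet in the table. The objections in the reply still hold for this implementation: a hop that answers `* * *` is simply absent from the table, a stored route is only valid for the moment it was measured, and a visitor arriving through a proxy, VPN or compromised host is attributed to that host's dial-in point rather than their own.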



