Honeypots mailing list archives

Re: IP addresses in honeynet


From: Ivan Milovidov <some_help () yahoo com>
Date: 1 May 2003 14:27:44 -0000

In-Reply-To: <Pine.BSO.4.44.0305010942450.28412-100000 () klake org>

In my opinion it depends on the honeynet general purpose, overall design 
and type of "nodes" behavior.

For the attacker the honeynet looks like a fragment or a whole network 
occupied by people busy with everyday life. If your goal is to fool 
someone into believing the honeynet is your LAN - working with your 
honeynet is almost the same as working with your LAN. Fix problems, one 
after another, and use common sense LAN support logic to stay undetected. 
If your honeynet is changing everything - behavior and IPs - will it look 
suspicious? Is there a real explanation of how this change could have been 
done by a LAN admin during business hours? Is there a good reason for the 
change?

If a single honeypot is getting compromised all over again, add something 
to it - a new banner saying this system is watched now and disable 
services with high-risk security; or update them. Another way is to 
replace the OS with something else, but host the same purpose services - 
it creates a vision of LAN admin fixing the problem because he has to keep 
this box functional.

About word spreading in the community: it depends on what kind of goods your 
system is "offering". If your company name is unknown, the Internet connection 
is slow, there is no interesting data and limited disk space - you have time. 
If you are someone who is well known, with a fast connection, useful data and 
plenty of disk space - count the minutes before someone else is notified.
