Honeypots mailing list archives

Re: results of the first honeyd challenge (dynamic honeynet?)


From: Lance Spitzner <lance () honeynet org>
Date: Mon, 31 Mar 2003 22:09:10 -0600 (CST)

On Mon, 31 Mar 2003, Wim Mees wrote:

> Before a dhcp server will hand out a specific IP address, it will first ping
> the candidate address to verify whether the address is really free (and the
> receiving DHCP client will typically send an ARP request once more to verify
> whether the address it received is really really free). Since your arpd is
> at that time listening on this address, it will reply to ARP requests and
> ICMP echo requests and the dhcp server will never find an address that is
> free. It will effectively result in a DoS of your DHCP server.

Interesting point.  One way around that (such as with a Honeyd deployment)
is simply to configure IPTables to block any ICMP requests from the DHCP server.
When the DHCP server attempts to ping a potential candidate IP address,
it will get no response from the honeypot because the honeypot cannot
respond.  As such, the IP will be assigned, and the new system will take
over the MAC/IP address.  Not sure how well this would work, I've never
tested it.

Actually, a 'friendly' option for Arpd/Honeyd would be useful.  Such
an option would mean the services do not reply or interact with specific
systems based on their IP (such as DHCP servers).

lance
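The interaction discussed above, as an added example that is not part of the original thread and not honeyd or arpd code: a small Python model of a broadcast segment where arpd answers ARP and ICMP echo for every address no real host owns, and a DHCP server pings a candidate address before offering it. It runs the three situations from the thread (nothing configured, the IPTables workaround of dropping echo-requests from the DHCP server, and the proposed 'friendly' ignore list) and also replays the client's own ARP check that Wim mentions. All addresses, the pool, and the client probe source of 0.0.0.0 are assumptions for the demo, and the way the model decides who answers is a simplification; a real arpd may behave differently once a real host starts using an address.

```python
"""Toy model of the DHCP-versus-arpd interaction described in the thread.

Constructed for illustration; it is not honeyd or arpd code. arpd is modelled
as answering ARP and ICMP echo for every address no real host owns, and the
DHCP server as pinging a candidate address before offering it.
"""
from dataclasses import dataclass, field

DHCP_SERVER = "192.168.1.1"                         # assumed server address
POOL = [f"192.168.1.{n}" for n in range(100, 104)]  # assumed lease pool
CLIENT_PROBE_SRC = "0.0.0.0"                        # assumed source of the client's ARP check


@dataclass
class Segment:
    """One broadcast domain with real hosts plus an arpd/honeyd instance."""
    real_hosts: set
    # proposed 'friendly' option: arpd ignores probes coming from these sources
    arpd_friendly: set = field(default_factory=set)
    # host firewall on the honeypot box dropping ICMP echo-request from these
    fw_drop_echo_from: set = field(default_factory=set)

    def arpd_claims(self, addr):
        """arpd answers for any address that no real host is using."""
        return addr not in self.real_hosts

    def echo_answered(self, src, dst):
        """Does anything answer an ICMP echo request from src to dst?"""
        if dst in self.real_hosts:
            return True
        if not self.arpd_claims(dst) or src in self.arpd_friendly:
            return False
        # the firewall rule drops the request before honeyd can reply
        return src not in self.fw_drop_echo_from

    def arp_answered(self, src, target):
        """Does anything answer an ARP request for target sent by src?"""
        if target in self.real_hosts:
            return True
        return self.arpd_claims(target) and src not in self.arpd_friendly


def dhcp_offer(seg, pool):
    """Return the first pool address whose ping probe goes unanswered, or None."""
    for addr in pool:
        if not seg.echo_answered(DHCP_SERVER, addr):
            return addr
    return None


def client_keeps_offer(seg, addr):
    """The client's own ARP check: it declines the lease if anyone answers."""
    return not seg.arp_answered(CLIENT_PROBE_SRC, addr)


REAL = {DHCP_SERVER, "192.168.1.100"}   # .100 is a real machine already on the LAN


def scenario_unprotected():
    """arpd answers every probe, so the server finds no free address (the DoS)."""
    return dhcp_offer(Segment(real_hosts=set(REAL)), POOL)


def scenario_firewall():
    """IPTables workaround: drop the server's echo requests on the honeypot."""
    seg = Segment(real_hosts=set(REAL), fw_drop_echo_from={DHCP_SERVER})
    addr = dhcp_offer(seg, POOL)
    kept = client_keeps_offer(seg, addr) if addr else False
    return addr, kept


def scenario_friendly(friendly):
    """The proposed 'friendly' option with a configurable ignore list."""
    seg = Segment(real_hosts=set(REAL), arpd_friendly=set(friendly))
    addr = dhcp_offer(seg, POOL)
    kept = client_keeps_offer(seg, addr) if addr else False
    return addr, kept


if __name__ == "__main__":
    print("unprotected      :", scenario_unprotected())
    print("firewall         :", scenario_firewall())
    print("friendly (server):", scenario_friendly({DHCP_SERVER}))
    print("friendly (+0.0.0.0):", scenario_friendly({DHCP_SERVER, CLIENT_PROBE_SRC}))
```

In this model the firewall rule and the 'friendly' list both let the DHCP server find a free address, but the client's follow-up ARP check still gets an answer from arpd unless the client's probe source is ignored as well; the last run shows the 'friendly' list covering both. On a Linux honeypot host the firewall variant corresponds to an iptables rule dropping ICMP echo-request packets whose source is the DHCP server address.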

