Honeypots mailing list archives
Re: results of the first honeyd challenge (dynamic honeynet?)
From: Lance Spitzner <lance () honeynet org>
Date: Mon, 31 Mar 2003 22:09:10 -0600 (CST)
On Mon, 31 Mar 2003, Wim Mees wrote:
> Before a dhcp server will hand out a specific IP address, it will first ping the candidate address to verify whether the address is really free (and the receiving DHCP client will typically send an ARP request once more to verify whether the address it received is really really free). Since your arpd is at that time listening on this address, it will reply on ARP requests and ICMP echo requests and the dhcp server will never find an address that is free. It will effectively result in a DoS of your DHCP server.
Interesting point. One way around that (such as with a Honeyd deployment) is simply to configure IPTables to block any ICMP requests from the DHCP server. When the DHCP server attempts to ping a potential candidate IP address, it will get no response from the honeypot because the honeypot cannot respond. As such, the IP will be assigned, and the new system will take over the MAC/IP address. Not sure how well this would work, I've never tested it. Actually, a 'friendly' option for Arpd/Honeyd would be useful. Such an option would mean the services do not reply or interact with specific systems based on their IP (such as DHCP servers).

lance
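As an added example (editor's code, not from Lance, Wim or the honeyd project), here is the IPTables approach from the reply above written out as a small script. The DHCP server address 192.0.2.1 and the interface name eth0 are assumptions, as are the function names. Two things worth knowing before relying on it: honeyd reads packets with libpcap, which taps the interface below netfilter, so an INPUT DROP does not hide the DHCP server's echo request from honeyd; it is the OUTPUT rule on the echo reply that suppresses the answer, and only when honeyd transmits through the kernel's raw IP socket (which netfilter's OUTPUT chain does see) rather than writing frames directly at the link layer. Neither rule touches arpd, since ARP is not IP and IPTables never sees it, so the client's own ARP probe after the lease is still answered. The `iptables -C` check used in the apply step exists only in iptables 1.4.11 and later.

```shell
#!/bin/sh
# Editor's example, not part of the original thread. Emits and optionally
# applies IPTables rules so a honeyd/arpd host does not answer the DHCP
# server's address-conflict ping. DHCP server IP and interface are passed
# in by the caller; the values used in the usage line are made up.

# Print the rules without running them, one per line, so they can be
# reviewed first. Usage: honeyd_friendly_rules <dhcp_server_ip> <iface>
honeyd_friendly_rules() {
    dhcp_server="$1"
    honey_if="$2"
    # Stops the host's own stack from replying. Note: honeyd itself sniffs
    # with libpcap and still sees the request despite this rule.
    printf '%s\n' "iptables -A INPUT -i $honey_if -s $dhcp_server -p icmp --icmp-type echo-request -j DROP"
    # Drops any echo reply addressed to the DHCP server, including one honeyd
    # generates through the kernel raw IP socket (netfilter sees that path).
    printf '%s\n' "iptables -A OUTPUT -o $honey_if -d $dhcp_server -p icmp --icmp-type echo-reply -j DROP"
}

# Apply each rule, then confirm it installed with 'iptables -C' (iptables
# 1.4.11+). Needs root; exits non-zero on the first rule that fails.
honeyd_friendly_apply() {
    honeyd_friendly_rules "$1" "$2" | while IFS= read -r rule; do
        sh -c "$rule" || exit 1
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        sh -c "$check" || exit 1
    done
}

# Number of rules emitted for the given inputs (used to sanity-check output).
honeyd_friendly_rule_count() {
    honeyd_friendly_rules "$1" "$2" | wc -l | tr -d ' '
}

# Usage (requires root to apply; the IP and interface are assumed values):
#   honeyd_friendly_rules 192.0.2.1 eth0      # review the rules
#   honeyd_friendly_apply 192.0.2.1 eth0      # install and verify them
```

Run the first function as any user to review what would be installed, and the second as root on the honeyd host. If honeyd is configured to send at the Ethernet layer, the OUTPUT rule will not catch its replies and the "friendly" option Lance asks for would have to live in honeyd itself.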
Current thread:
- Re: results of the first honeyd challenge (dynamic honeynet?) Lance Spitzner (Mar 31)
- Re: results of the first honeyd challenge (dynamic honeynet?) Wim Mees (Apr 01)
- Re: results of the first honeyd challenge (dynamic honeynet?) Niels Provos (Apr 01)
- Re: results of the first honeyd challenge (dynamic honeynet?) Wim Mees (Apr 01)
- Re: results of the first honeyd challenge (dynamic honeynet?) Niels Provos (Apr 01)
- Re: results of the first honeyd challenge (dynamic honeynet?) Wim Mees (Apr 01)