Honeypots mailing list archives
Re: Attack/Benign Packet Determination
From: Floydman <floydman () iquebec com>
Date: Fri, 29 Aug 2003 17:05:51 -0400
Steven, as you'll read from my earlier response to the message you sent me, you seem to fail to see the difference between a honeypot and an IDS. I'll make it shorter here, but a honeypot/net is just a set of regular machines, setup on a network of their own. They are not a security device by themselves.
From the attacker's point of view, honeynets and production networks are just similar targets, they have (normally) no way to determine one from the other. There is no device that "determines" which traffic is meant for the honeypot and the prod network; the attack is made either against the honeypot or the prod network.
If a "legitimate user" have a connection to a honeypot from a production network, then this is definetely a no-no, and the honeypot loses all value because it has been tainted by the "legitimate user"'s actions.
An IDS is just a security device that can be applied on networks, prod or honeynets alike. NIDS mostly are based on signatures and rules, which will always allows for some window of opportunity for evasion techniques. This is why the security game can be seen like a race between blackhats and whitehats.
Honeypots/nets can be deployed in a production network (the "Big Brother" watching would be limited to the honeynets environment), but their most value in this setup is as decoys for the attacker and alarm for the response team, but for this to work the attacker has to attack the honetpot first.
Hope this helps. Floydman At 04:19 PM 29/08/2003, Steven DeFord wrote:
I'm new at this, so you'll have to excuse me, but in the handful of white papers I've read, and from reading traffic on this list, I've not seen any clear way that honeypot routers determine what traffic is bad (destined for the honeypot) and which isn't. People on the list seem to assume that "All traffic on the honeynet is inherently an attack," but how does one know which traffic is bad and which isn't? At least, how do you tell any better than an IDS? For example, in a recent post, someone mentioned the fact that a blackhat who's compromised a honeynet host can't get any production information out of sniffing the network, but what if some user's authentication session were misdirected to the honeynet? Then the blackhat could (essentially) passwordsniff legitimate users' logon information, and could then infect production machines more easily. The only benefit of a honeynet, it seems, is improved logging, not due to more accurate packet detection, but simply more loggers. Could not, in theory, one set up a honeynet in the production environment? (Other than the previously-mentioned problem of privacy laws and the like.) Steven DeFord steve () singingtree com _____________________________________________________________________ MSN Messenger, nouvelle version ! Personnalisez vos messages, jouez en ligne et communiquez en temps réel par vidéo! http://ifrance.com/_reloc/m
Current thread:
- Attack/Benign Packet Determination Steven DeFord (Aug 29)
- RE: [inbox] Attack/Benign Packet Determination Curt Purdy (Aug 29)
- RE: [inbox] Attack/Benign Packet Determination Roger A. Grimes (Aug 29)
- Re: Attack/Benign Packet Determination Floydman (Aug 29)
- Re: Attack/Benign Packet Determination Mcen navaraj (Aug 29)
- Re: Attack/Benign Packet Determination Valdis . Kletnieks (Aug 29)
- RE: [inbox] Attack/Benign Packet Determination Curt Purdy (Aug 29)