Honeypots mailing list archives

Re: Introducing the Tactical Honeynet Deployment Project


From: Greg Tracy <greg () sixx com>
Date: Mon, 1 Sep 2003 08:00:12 -0700

Makes sense. But aren't black hats also on the lookout for easy prey/insecure hosts from which they can launch other targeted attacks? And a good honeypot should look like a production server to pull them away from the true targets, right? I would think that df and ps should turn up exactly what would look right for the machine it's supposed to be. Or am I way off base?

Thanks for replying!
Greg

On Sunday, August 31, 2003, at 08:30 PM, Valdis.Kletnieks () vt edu wrote:

On Sun, 31 Aug 2003 10:21:39 PDT, greg () sixx com said:
I'm interested in honeypots and tarpits, but I'm also seriously suffering
from newbieism. Why are only script kiddies the ones being caught? What
is it that black hats are seeing that keeps them from biting?

The clued black hats are for the most part busy running targeted attacks on
specific sites. If you're a black hat planning a run on Foobar Corp's website
to harvest some credit card numbers, you're not going to hit Foobar's honeypot
unless they leave a lot of red herrings that flag the box as a backend server.

And if they DO hit it, they're gonna do a 'df' and a 'ps' and if it doesn't smell
right, they are OUTTA there.

That's a good question. It's not that anything keeps them from biting. It's that there is nothing of value for them to go after. A serious blackhat with a mature technical skill is not going to waste his time with the typical honeypots on residential internet connections. A blackhat that's going to hack anything worth hacking is going to target a business with an online website or something that will actually give him value to attack.

Thanks,
Greg Tracy

greg () sixx com
