Honeypots mailing list archives
Re: Introducing the Tactical Honeynet Deployment Project
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Tue, 02 Sep 2003 01:45:39 -0400
Tom Britten wrote:
> The other part of the solution does lie in convincing them that this is a real valuable host.
One of the tricks I like to play is to give the box some menial production role, say a secondary name server. This gets the host out there as being a legit system, quiets people's nerves about "entrapment" issues, and does it on a box that has minimal impact on production if you need to bring it down (note: don't do this with your one and only secondary NS ;-)
> Furthermore, a lot of blackhats are doing the same research that we are but in reverse. And this affects the type of hosts that they attack, as in they aren't looking for a machine that has every possible exploit on it.

It's a numbers game. The same way there are tons of people on the white hat side, but only a small subset that really know their stuff, there are few true black hats compared to all the script kiddie noise. I believe this is why Lance has pushed so hard to grow the Honeynet. The more sensors/honeypots out there and the more diverse the landscape they are installed on, the more likely it is that you will tag something interesting.

> These are people building their own exploits or discovering ones that we don't yet know about. My two cents. ^_^

But that does not mean people are not finding them. Look at it this way, let's say security professional Billy Bob Fubar sets up a honeypot that gets hit with a 0-day. They reverse engineer it and figure out how the black hat got in. Now they have two choices:

1) Release the exploit info and take credit for the find
2) Release the exploit and give credit to the black hat

If Billy Bob Fubar goes with option #1 it brings him respect within the community and it's not like the black hat is going to stand up and say "Hey he didn't find that, I've been whacking systems with that exploit for years!".
So while it may *seem* like honeypots are only catching the noise, that may not necessarily always be the case.
> The last comment I would make is that most of the things that set people off about whether or not a system is real is almost impossible to hide. The only way to truly do this would be to build a new distro that has all the features in it, for it is very difficult to transform a current distro. Start with LFS and slowly work your way up adding bogus commands and services.

Depends on what you are trying to achieve. The way I see it, there are three categories you can analyze here:

1) How did they break in?
2) How did they root the box?
3) What is their motivation?

If the box is bogus but you can't tell till you get in, you will still catch #1. If you are going for #2, you are right. The box has to look legit. As for #3, you typically need to have them playing on the box for a while to figure this one out. To be honest, I think the great work done by Lance and others has done a wonderful job of already answering that one.
So from my perspective, the most important category (how are they breaking in?) will still get caught even if the system does not look "perfect". So long as the system fingerprints properly and the banners look legit, you are cooking with gas.
HTH, C