Honeypots mailing list archives
Re: Trapping attackers when trying to leave a honeypot
From: Valdis.Kletnieks () vt edu
Date: Fri, 05 Sep 2003 11:50:03 -0400
On Fri, 05 Sep 2003 09:57:38 +0200, Nicolas STAMPF <stampf.bes () free fr> said:
If I were in charge of a firewall, I'd block that outgoing connection from the honeypot to outside if it were not "production" necessary. As this has already been said here, configuring hosts just like real ones is the best way to catch attackers.
Yes.. unfortunately, the majority of firewalls are done improperly, or at the very least much more leniently.
Idem. I'd say that if some attacker finds a computer widely opened, that would be quite surprising and should ring bells.
Again - "computer wide open" would probably *not* ring bells with an attacker, because it's not an unusual case..
I'd say that a properly configured firewall would only allow you to enter a network (through predefined paths and using application vulnerabilities), but almost not authorize you to get out, except using specific paths, like SMTP traffic (which you could fake as going out and pretend using an ISP server which spools emails (hence the hacker could not rely on this path for real-time communications)). Other paths are more problematic to handle, of course: DNS requests, etc.
Actually, if I were an attacker, at *this* point I'd start worrying - if the site I'm hitting is tightened down so much that the firewall does a fascist job of stopping *outbound* connections, then it's obviously a security-conscious site and not a place I want to get caught in. There's also the question of the apparent paranoia of the site, when compared to the apparent ease of getting into the system - if the *site* is tight but the *system* is wide open, that spells trouble too....