Re: Trapping attackers when trying to leave a honeypot

[Valdis.Kletnieks () vt edu]

On Fri, 05 Sep 2003 09:57:38 +0200, Nicolas STAMPF <stampf.bes () free fr>  said:

> If I were in charge of a firewall, I'd block that outgoing connection from the 
> honeypot to outside if it were not "production" necessary. As this has already 
> been said here, configuring hosts just like real ones is the best way to catch 
> attackers.

Yes.. unfortunately, the majority of firewalls are done improperly, or at the very
least much more leniently.

> Idem. I'd say that if some attacker finds a computer widely opened, that would 
> be quite surprising and should ring bells. 

Again - "computer wide open" would probably *not* ring bells with an attacker,
because it's not an unusual case..

> I'd say that a properly configured firewall would only allow you to enter a 
> network (through predefined pathes and using application vulnerabilities), but 
> almost not authorize you to get out, except using specific paths, like SMTP 
> trafic (which you could fake as going out and pretend using an ISP servers 
> which spools emails (hence the hacker could not really on this path for real 
> time communications). Other paths are more problematic to handle, of course: 
> DNS requests, etc.

Actually, if I were an attacker, at *this* point I'd start worrying - if the
site I'm hitting is tightened down so much that the firewall does a fascist job
of stopping *outbound* connections, then it's obviously a security-conscious
site and not a place I want to get caught in.  There's also the question of the
apparent paranoia of the site, when compared to the apparent ease of getting
into the system - if the *site* is tight but the *system* is wide open, that
spells trouble too....

Attachment: _bin
Description: