Re: Trapping attackers when trying to leave a honeypot

[George Washington Dunlap III <dunlapg () umich edu>]

On Fri, 5 Sep 2003, Nicolas STAMPF wrote:

> If I were in charge of a firewall, I'd block that outgoing connection
> from the honeypot to outside if it were not "production" necessary. As
> this has already been said here, configuring hosts just like real ones
> is the best way to catch attackers.

Yes, I guess my view is somewhat skewed by the environment I've been in 
for the last eight years -- a university, where all the computers have 
static IPs and are exposed directly to the wilds of the internet.  

I also rather misread your first e-mail; you weren't talking about
simulating the rest of the internet, but rather the rest of your own net.  
I guess the question is, what's the difference between what you describe
and a honeynet?  I.e., just set up a network of honeypots and let the
attacker muck around in there?

If you're simulating computers that he can get to from the outside, then 
he can still do some cross-examination stuff, though perhaps more limited 
because of your firewall.  And if everyone's setup is different enough, it 
means each attacker will have to craft is cross-examination to your 
particular system, and there's always the hope that he'll forget or screw 
it up somehow.

Peace,
 -George

-- 
+-------------------+----------------------------------------
| dunlapg () umich edu | http://www-personal.umich.edu/~dunlapg 
+-------------------+----------------------------------------
| ...there be many, many ancient systems in the world, and it 
| is the decree of the dreaded god Murphy that thy next 
| employment just might be on one.  While thou sleepest, he 
| plotteth against thee.  Awake and take care.
|   - Henry Spencer, "The Ten Commandments for C Programmers"
+------------------------------------------------------------
| Outlaw Junk Email! Support HR 1748 (www.cauce.org)