Honeypots mailing list archives

Re: Question about Dynamic Honeypots.


From: Patrick Dolan <dolan () unt edu>
Date: Mon, 22 Sep 2003 12:34:19 -0500

On Monday 22 September 2003 12:52 am, Mahdi samadi wrote:
Dear Friends,
I studied an article by Lance at http://www.securityfocus.com/infocus/1731
but I think that its idea does not work in some conditions,
for example, I think that passive fingerprinting does not work in networks
that have swiths,
Do you have an idea for this situation? (ARP spoofing is one solution, but
it seems that it is not a good solution)

Assuming you meant 'switches' here, what you would need to do is mirror the 
inside interface on your core router, and have a monitor machine analyzing 
it.  This way you will see all the traffic and not interfere with its flow.  
Like you have noticed, plugging it into the network at some random spot will 
mostly give you only broadcast traffic on a switched network.

I also have another question. I think that there will be another feature
for future honeypots/nets: they must plug into networks and attract all
anomalous/malicious traffic to themselves.
At the least it must redirect the attack traffic to itself. I would be so
glad to know your ideas about my notes,
Awaiting your response,
Accept my greetings,
Regards,
--samadi

An interesting idea in theory, but in practice it wouldn't be very achievable.  
You can't direct all attack traffic to a specific host or network without 
knowing every type of attack traffic out there.  In addition, some legitimate 
traffic looks suspicious.  Moreover, you don't know what the newest exploits 
are going to look like until they've already hammered networks.

-- 
Patrick Dolan
UNT Computing and Information Technology Center

PGP ID: E5571154
Primary key fingerprint: 5681 25E4 6BE6 298E 9CF0  6F8D B13B 2456 E557 1154
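Once the mirror port delivers every host's traffic to the monitor, the passive fingerprinting step Lance's article relies on is just reading TTL, window size and the DF bit off each unsolicited SYN. The following is an added example, not code from this thread or from the article: it parses raw Ethernet/IPv4/TCP frames and matches them against a deliberately small, illustrative signature table (the table is constructed for this example and is not p0f's real database; the sample frames are constructed too).

```python
import struct

# Illustrative signature table (constructed for this example, not p0f's real
# database): (initial TTL, TCP window, DF bit set) -> OS guess.
SIGNATURES = {
    (64, 5840, True): "Linux 2.4/2.6",
    (128, 65535, True): "Windows XP/2003",
    (64, 65535, True): "FreeBSD 5",
}

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value (64/128/255)."""
    return next((start for start in (64, 128, 255) if ttl <= start), 255)

def parse_frame(frame):
    """Pull the fields passive fingerprinting needs out of an Ethernet/IPv4/TCP frame."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None  # not IPv4 (ARP and friends carry nothing useful here)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        return None  # only TCP carries the window-size signal
    src_ip = ".".join(str(b) for b in ip[12:16])
    tcp = ip[ihl:]
    _sport, _dport, _seq, _ack, offset_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {"src_ip": src_ip, "ttl": ttl, "df": bool(flags_frag & 0x4000),
            "window": window, "syn_only": (offset_flags & 0x01FF) == 0x002}

def fingerprint(frame):
    """Return (source IP, OS guess) for a bare SYN, or None for anything else."""
    fields = parse_frame(frame)
    if not fields or not fields["syn_only"]:
        return None  # only the first SYN carries an untouched initial window and TTL
    key = (initial_ttl(fields["ttl"]), fields["window"], fields["df"])
    return fields["src_ip"], SIGNATURES.get(key, "unknown")

def build_syn(src_ip, ttl, window, df=True):
    """Construct a minimal Ethernet/IPv4/TCP SYN frame as sample input (constructed data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000 if df else 0, ttl, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x02, window, 0, 0)
    return eth + ip + tcp
```

Feeding `fingerprint()` the frames from a real capture on the mirror port (for example via a raw socket or a pcap reader) gives one guess per host; on an unmirrored access port the same loop would see little beyond broadcast frames, which is the problem the reply above describes.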