Honeypots mailing list archives

Re: Dynamic honeypots question??


From: Kostas K <acezerocool () yahoo com>
Date: 30 Sep 2003 22:05:39 -0000

In-Reply-To: <200309290541.h8T5fstH013954 () turing-police cc vt edu>

But let's think this through.  We're making an assumption that the attacker is
*somewhere* on the skill continuum.  Now if they're a script kiddie, they
probably won't even notice *active* fingerprinting.  If they're a clued
attacker, they've learned (hopefully) enough about target selection that your
honeypot won't be visited by them at all, unless it's as a steppingstone
machine to the real target.

Or phrased differently, if the attacker is smart enough to notice fingerprinting,
why did he fall for your honeypot at all?  Why/how did he select it as a target,
and what's his motivation for being there in the first place?

--An attacker could learn about the target only if the target had a real IP;
otherwise, if the HP was located on the LAN, I would say that is a bit
difficult. The HP you are describing sounds more like a production HP rather
than a research one. Is that really what we want? Because a low interaction HP
could meet the requirements for a production HP. Furthermore, if the plans are
that the HP should have a real IP then the configuration should be done
offline, otherwise experiments and stuff like that could jeopardize the whole
network. Regarding the location of the HP then it could be configured online
unless there is the fear of 'naughty' employees.--



A bigger concern would be "How do *I* know my attacker hasn't jiggered his
TCP stack?" (see http://sourceforge.net/projects/ippersonality/ for an example).

So what? You are not after the attacker when you deploy HPs, only their tools,
tactics & methods, hence the clued attacker would only use a steppingstone to
attack! This is a very, very big disadvantage, not for a HP but for every
security aspect.


And of course, if you're being hit from another steppingstone, all you will manage
to do is fingerprint the steppingstone.... :)

Agree!!!

Regards

Kostas

