Honeypots mailing list archives
Re: Heisenberg in the honeypot
From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Mon, 21 Jun 2004 15:10:50 -0700
* Harlan Carvey (keydet89 () yahoo com) wrote:
> > It is an interesting mental exercise, and I have a dual response:
> >
> > 0. I do not see how HUP applies to Honeypots/Honeynets. How do you alter an attack by capturing/observing it in realtime or at a later time using Honeypots?
>
> The HUP really doesn't have anything to do with altering an attack. What I'm looking at is...if someone knows that honeypots are out there, are they going to try using their 0-day attacks, unless they are relatively sure that a honeypot is not on the network?

IMHO, there are various kinds of targets

1) Unprotected targets
2) Protected targets, no surveillance.
3) Protected targets, with surveillance.
4) Honeypots a.k.a. "protected" "targets" with surveillance.

#1 and #2 are ideal targets, cos without surveillance, the attacker does not show his/her cards i.e. the 0-day exploit details remain a secret. An exploit known only to oneself has a far higher value as compared to one known to others.

Now, from the point of view of an attacker, #3 and #4 are identical in terms of loss of stealth coverage, cos the exploit details are being recorded for further study. #3 and #4 both represent a loss of equal magnitude to an attacker, and hence there is no rationale for an attacker to separate one from the other. That would only be wasted energy without any useful payback.

Moreover, since most attacks would be automated, in order to net as many zombies as possible, the opportunity to weed out honeypots by hand is probably not present or usable.

On the other hand, if the attacker could automatically avoid all systems with *surveillance*, then THAT effort has a huge payback i.e. continued secrecy of the details of the 0-day exploit.

Executive Summary :D
--------------------

Only the surveillance aspect is important to an attacker.

--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/

The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys.