Honeypots mailing list archives

Re: Heisenberg in the honeypot


From: Valdis.Kletnieks () vt edu
Date: Tue, 22 Jun 2004 15:25:29 -0400

On Mon, 21 Jun 2004 07:15:47 PDT, Harlan Carvey said:

> True, but that can't be done until the particular
> system is identified...either a priori, or through OS
> fingerprinting or header/banner analysis.  Some sort
> of a priori knowledge of the system(s) can be obtained
> through asking, disgruntled employees, DNS zone
> transfers, etc...all w/o sending packets to the
> system itself.

Exactly.

> But that's where we get off topic, I'm afraid.  My

No, it's not at all off topic...

> original question still applies...if an attacker has a
> new technique or exploit, how likely is he/she to use
> it knowing that honeypots are in use?

The important question is not "are honeypots in use" but "is *this*
*particular* system that I'm considering as the next machine to probe in fact
likely to be a honeypot?".  I don't *care* if the site has 2,000 honeypots scattered
world-wide.  I only care "Is this box labelled www3.target-site.com likely to be
a real webserver, or a honeypot?"

You can know that the enemy uses land mines, but still feel confident about
crossing a given space because you can tell that *this* space likely doesn't
have a land mine - for instance, crossing a not-recently paved parking lot is
probably fairly safe.  Following heavy truck tire tracks also greatly improves your odds,
as long as you don't come to someplace the tracks suddenly end.... ;)
