Honeypots mailing list archives

Re: ARP responding honey pot to any unused ip address


From: Valdis.Kletnieks () vt edu
Date: Sun, 24 Apr 2005 20:02:56 -0400

On Sun, 24 Apr 2005 15:23:06 PDT, mohsin saleem said:

> a hacker tries to find around 50 IP address in a network
> honeyD finds them to be available.
> it acclaims them and starts communicating with hacker.
> hacker tests them all for being win2k professional.
> honey shows this nicely.
> Now any hacker having a bit of common sense will start laughing:
> 50 IPs + having HOST OS as WIN2K + OFFERING 100% same services!!!
> in fact, 50 SERVERS OFFERING 100% SAME service ..OO MY GOD.. it never happens
> he will laugh.

Happens all the time at hosting services.  At some, you might find *thousands*
of consecutive addresses all configured the same.  Remember - if you're selling
a service, it's a lot easier to configure 500 machines the same for the customers
than manage 500 different configurations.

Another place where it can happen is with a webserver that offers SSL - there
you need a separate IP address for each domain with a certificate.  On Unix/Linux
based servers it's usually implemented as one hardware interface with 50
IP addresses bound to it.  I'd presume that Windows would do the same (unless
they're trying to make you buy a separate server for each address, thus selling
you another copy of Win2K for each server).

Also, you're likely to see this anyplace running a cluster-farm of servers
behind a load balancer - if the load balancer is spreading the load across
50 machines, they really need to be fairly close to identical....

Or maybe it's a college lab, or a library, or a corporation, or anyplace else
that has 50+ machines that are all an identical "standard" configuration.

Bottom line - finding 50 identical machines only means that you've found a site that
has a need for 50 identical images.  And there's *plenty* of those..
