Honeypots mailing list archives
Re: ARP responding honey pot to any unused ip address
From: Valdis.Kletnieks () vt edu
Date: Sun, 24 Apr 2005 20:02:56 -0400
On Sun, 24 Apr 2005 15:23:06 PDT, mohsin saleem said:
a hacker tries to find around 50 IP address in a network honeyD finds them to be acvailable. it acclaims them and starts commyunicating with hacker. hacker tests them all for being win2k professional. honey shows this nicely. Now any hacker having a bit of common sense will start laughing: 50 IPs + having HOST OS as WIN2K + OFFERING 100% same services!!! infact, 50 SERVERS OFFERING 100% SAME service ..OO MY GOD.. it never happens he will laugh.
Happens all the time at hosting services. At some, you might find *thousands* of consecutive addresses all configured the same. Remember - if you're selling a service, it's a lot easier to configure 500 machines the same for the customers than manage 500 different configurations. Another place where it can happen is with a webserver that offers SSL - there you need a separate IP address for each domain with a certificate. On Unix/Linux based servers it's usually implemented as one hardware interface with 50 IP addresses bound to it. I'd presume that Windows would do the same (unless they're trying to make you buy a separate server for each address, thus selling you another copy of Win2K for each server). Also, you're likely to see this anyplace running a cluster-farm of servers behind a load balancer - if the load balancer is spreading the load across 50 machines, they really need to be fairly close to identical.... Or maybe it's a college lab, or a library, or a corporation, or anyplace else that has 50+ machines that are all an identical "standard" configuration. Bottom line - finding 50 identical machines only means that you've found a site that has a need for 50 identical images. And there's *plenty* of those..
Attachment:
_bin
Description:
Current thread:
- ARP responding honey pot to any unused ip address mohsin saleem (Apr 24)
- Re: ARP responding honey pot to any unused ip address Valdis . Kletnieks (Apr 24)
- Re: ARP responding honey pot to any unused ip address sushant (Apr 24)
- <Possible follow-ups>
- RE: ARP responding honey pot to any unused ip address Roger A. Grimes (Apr 27)