Honeypots mailing list archives

Re: Honeypot within ISP Policies?


From: Barrett Weisshaar <bweissha () andrew cmu edu>
Date: Mon, 10 Apr 2006 10:52:36 -0700

These are indeed very good guidelines.  I'd highly recommend obtaining
permission from your ISP if possible.  However, depending on your ISP
this might be pretty tricky.  For example, I ran a brief Comcast
honeynet to examine common threats to home broadband a while back.  I
admit that within the timeframe and the scope of the project, I didn't
bother to secure permission - I wasn't going to allow any attack to
persist for long once the box was compromised, and I figured that it was
far more controlled of an experiment than most clueless home users (at
least I was watching!).

If you're up to something more expansive (colocation, etc) I'd
definitely check.  I help tend to a few colo boxes and if you don't
resolve/work with them if they detect a compromise of your box, they
WILL pull the plug on your system until you do.  This is of course on
top of the legal issues that Mr. Kletnieks mentioned as well.

Good luck!

-Barrett

Valdis.Kletnieks () vt edu wrote:
> On Mon, 10 Apr 2006 12:17:15 +0200, Patrick Debois said:
>
>> -Suppose attackers will use my honeypot to go outside, can I be held
>> responsible for this?
>
> You're certainly at greater legal risk if you were intentionally running
> a honeypot rather than some clueless Windows user who got 0wned.
>
>> -Do I need to have special agreements for this from my ISP?
>
> First rule of pen-testing and vulnerability scanning:  Always get an in-writing
> "get out of jail free" card up front.  This almost certainly applies to
> running a honeypot - first off, it will help with the ISP.  Secondly, it will
> help your defense when you try to say "it wasn't me hacking the Pentagon, it
> was somebody in the honeypot.." ;)

  

