Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: rfp () WIRETRIP NET (rain forest puppy)
Date: Thu, 2 Mar 2000 05:58:26 -0600


Just my $.02 on the subject, but I think administrators are using the
concept of a honeypot as some personal vindictive revenge tool.

It is not.

For those of you who think honeypots are there to 'lure' hackers, and to
'learn their attack tactics' by 'enticing them to log in', you've been
watching too many Bond flicks.  Maybe it's the inner hacker within you
trying to get out, but, um, NO.  You have so many entrapment legalities to
deal with, and arguably you won't learn anything.

The best one I hear is 'entice him with juicy, but fake, data'.  Um, how
the hell is he supposed to know what data is on the box without breaking
in?  Therefore, where is the enticement?

Come on, if HackerX breaks into your box and gains root, he's in.  So now
you spot him, what are you going to learn?  What 'tactics' are you going
to see?  He's already in, he's not going to re-run his exploits.  You can
collect logs for 'evidence', but arguably the validity of the logs must be
questioned if the attacker was given full access to the system.  You're in
the big catch-22 loop.

How should a honeypot be used?  Let's say I have an NT server.  My site
gets 6 gigs of hits a day.  Looking through a day's worth of logs is
horrendous, and a task only given to the 'new guy'.  It's easy for stuff
to slip between the cracks.

Enter honeypot.  That webserver is 10.0.0.4.  I put honeypots at 10.0.0.3
and 10.0.0.5.  There should be *no* DNS entries for the honeypot; the
point is to otherwise make the honeypots unused.  Therefore, absolutely
*ANY* traffic to those honeypots (which could be 1 system with 2 IP
aliases) should immediately be considered SUSPICIOUS!  Why?  Because they
have absolutely no production use.  Now, if I have IIS with RDS running,
and I see some schmoe hit RDS, I now should immediately go to my real
webserver (10.0.0.4) and grep for his IP.  See, the honeypots can serve as
a precursor warning of attack.  Anyone who accesses the honeypots should
be considered suspicious, and their corresponding accesses to production
systems should then immediately be evaluated.

Now, what if the attacker focuses just on the web server itself, and
didn't hit the honeypot(s)?  Then the issue becomes moot in either case.

One thing a honeypot does provide: time to call the FBI, CERT, SANS, local
law enforcement, tiger team, media reporter, or ex-lover, while the
cracker is digging in.  Plus, you have an immediate IP to shun.

- rain forest puppy
rfp () wiretrip net
www.wiretrip.net/rfp/
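The tripwire-then-grep workflow rfp describes, as an added example that is not part of the original post: honeypots on 10.0.0.3 and 10.0.0.5 beside the real server on 10.0.0.4, with constructed W3C-style log lines. The single combined log (honeypots as IP aliases on one box), the field layout and the RDS path in the sample are assumptions.

```python
import re
from collections import defaultdict

HONEYPOT_IPS = {"10.0.0.3", "10.0.0.5"}  # unused aliases: no DNS, no production use
PRODUCTION_IP = "10.0.0.4"               # the real web server

# Assumed W3C extended layout: date time c-ip s-ip cs-method cs-uri-stem sc-status
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<server>\S+) "
    r"(?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)

# Constructed sample: one combined log for the honeypot aliases and the real server.
SAMPLE_LOG = """\
#Fields: date time c-ip s-ip cs-method cs-uri-stem sc-status
2000-03-02 05:10:01 192.0.2.77 10.0.0.3 GET /msadc/msadcs.dll 200
2000-03-02 05:10:09 198.51.100.5 10.0.0.4 GET /index.html 200
2000-03-02 05:11:40 192.0.2.77 10.0.0.4 GET /msadc/msadcs.dll 200
2000-03-02 05:12:02 203.0.113.9 10.0.0.5 GET /default.asp 404
2000-03-02 05:13:30 198.51.100.5 10.0.0.4 GET /products.asp 200
"""

def parse_line(line):
    """Return the fields of one log line, or None for blanks and '#' directives."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def honeypot_touchers(lines):
    """Any client that sent *any* request to a honeypot address is suspicious."""
    return {rec["client"] for rec in map(parse_line, lines)
            if rec and rec["server"] in HONEYPOT_IPS}

def correlate(lines):
    """For each suspicious client, the 'grep for his IP' on the production server.
    A suspect with an empty list touched a honeypot but never the real box."""
    suspects = honeypot_touchers(lines)
    hits = defaultdict(list, {ip: [] for ip in suspects})
    for rec in map(parse_line, lines):
        if rec and rec["client"] in suspects and rec["server"] == PRODUCTION_IP:
            hits[rec["client"]].append(
                f"{rec['time']} {rec['method']} {rec['uri']} {rec['status']}")
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in correlate(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", reqs or "no production hits yet")
```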

