Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: cdp () PEAKPEAK COM (Chuck Phillips)
Date: Sat, 4 Mar 2000 03:43:32 -0700


Jason Lewis writes:
> Why go through all the time and effort to create a honeypot?  Why don't
> you concentrate on securing the systems they have and putting up some
> kind of firewall?  Are you getting paid to exact revenge for someone
> exploiting a lack of security?

I can't speak for the original poster, but there are other reasons for
constructing a honeypot.

1. Understanding what kinds of attacks are being launched in general by
   direct observation.  This can provide a great education.

2. Knowing what kinds of attacks, how often, etc., are being attempted on
   your own network specifically.  This can be a great adjunct to your IDS.

3. Diverting attention away from more important machines in the short term.
   In the long term, this can backfire.  After all, where there's one
   interesting machine, there may be others.  Still, by observing the
   cracker, it may help in identifying the best steps to take in protecting
   the rest of your hosts -- *before* they are attacked.

> I may be naive, but it seems like calling in the FBI is like trying to
> kill a housefly with an elephant gun.

If no serious harm is done, and I do consider DoS as one form of harm, then
calling the authorities is probably a waste of your time and theirs.  Just
log it for future reference and move on.  Persistent attacks are another
form of harm because they continually divert resources away from other
tasks.  If that darn script kiddie just won't go away or starts to escalate
attacks as you lock things down, it's time to do something about it.
Sooner or later, that kiddie is going to do someone serious harm even if it
isn't to you.

        Just MHO,
                Chuck
