Snort mailing list archives

Re: VERY simple 'virtual' honeypot


From: Dug Song <dugsong () monkey org>
Date: Fri, 8 Mar 2002 11:48:14 -0500

On Fri, Mar 08, 2002 at 08:19:11AM -0500, Ron Gula wrote:

Dragon Sensor can use this info to look for traffic to non-existent
hosts, and traffic to non-existent services on active hosts. Besides
being a good honeypot, it is also an excellent trickle scan detection
engine. Scalability is roughly at the DMZ/class-c level.

at Arbor Networks, we've been doing this kind of blackhole monitoring
as well, but on an unused, globally-announced class A network:

        http://research.arbor.net/up_media/up_files/snapshot_worm_activity.pdf

monitoring an entire /8, you see lots of interesting things, including:

        - constant worm infection attempts (see the paper above)
        - backscatter from victims of source-spoofed DDoS attacks
        - widespread host scans for the vulnerability du jour (FTP,
          dtspcd, SSH, etc. - you name it, we see it)
        - random Internet flotsam and jetsam i have yet to figure out (!)

if there's enough interest, we might release the software we've
written to capture, reassemble, and characterize this traffic
(tentatively called "MasterBaiter" :-)

if our marketing folks don't kill me first...

-d.

---
http://www.monkey.org/~dugsong/
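
The traffic categories listed in the message above can be told apart with a few header checks on packets arriving in unused address space. The following is an added example, not part of the original post and not the Arbor software it mentions; the record layout, the sample packets and the use of 10.0.0.0/8 as a stand-in for the unnamed dark /8 are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumption: 10.0.0.0/8 stands in for the unused /8 (the post does not name it).
DARK_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample records: (src, dst, proto, dst_port, tcp_flags or icmp_type)
PACKETS = [
    ("192.0.2.10", "10.1.2.3", "tcp", 80, "S"),
    ("192.0.2.10", "10.77.0.9", "tcp", 80, "S"),
    ("192.0.2.10", "10.200.4.1", "tcp", 80, "S"),
    ("198.51.100.7", "10.9.9.9", "tcp", 22, "S"),
    ("203.0.113.5", "10.3.3.3", "tcp", 31337, "SA"),
    ("203.0.113.5", "10.8.1.2", "tcp", 40211, "RA"),
    ("203.0.113.99", "10.4.4.4", "icmp", None, 3),
    ("192.0.2.50", "172.16.0.1", "tcp", 21, "S"),  # not in the dark net, ignored
]

def classify(proto, info):
    """Label one packet that arrived in address space with no live hosts."""
    if proto == "tcp":
        flags = set(info)
        if flags == {"S"}:
            return "probe"        # connection attempt: host scan or worm
        if "R" in flags or flags == {"S", "A"}:
            return "backscatter"  # reply to a packet the dark net never sent
    if proto == "icmp" and info in (0, 3, 11):  # echo reply, unreachable, time exceeded
        return "backscatter"
    return "unknown"              # the "flotsam and jetsam" bucket

def summarize(packets):
    labels = Counter()
    probes = defaultdict(set)     # (src, dst_port) -> distinct dark destinations hit
    backscatter_sources = set()   # hosts replying to spoofed traffic (likely DDoS victims)
    for src, dst, proto, port, info in packets:
        if ipaddress.ip_address(dst) not in DARK_NET:
            continue
        label = classify(proto, info)
        labels[label] += 1
        if label == "probe":
            probes[(src, port)].add(dst)
        elif label == "backscatter":
            backscatter_sources.add(src)
    return labels, probes, backscatter_sources

if __name__ == "__main__":
    labels, probes, sources = summarize(PACKETS)
    print(dict(labels), {k: len(v) for k, v in probes.items()}, sorted(sources))
```

Counting distinct dark destinations per (source, port) over a long window is what surfaces slow scans that stay under a per-minute threshold.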
