[TriLUG] Honeypots attract flies

Jon Carnes jonc at haht.com
Sat Jul 13 14:17:12 EDT 2002


Once upon a time, the Honeypot idea was good.  If there was a pesky fly
buzzing around your network, you could set up a Honeypot and trap that fly...

My outer network is scanned/probed/attacked over 250 times per day.  That's
a lot of damn flies. If I put a vulnerable system on my outer network, it is
generally hacked in less than 24 hours, and not just by one "fly"... if
there's a script that looks for the vulnerability, then there will be a
whole swarm stepping on top of each other - each laying their favorite eggs
in the system.

No. You don't want to put a Honeypot on your outer network...
 - You'll lose Bandwidth
 - You could be aiding and abetting crackers in performing DOS attacks
 - You become a known site to check for vulnerabilities, so scans on your
site increase
 - You learn almost nothing, as 99.999% of attacks come from other
compromised machines
 - You can't do anything useful against a hacker - you just provoke him and
then he DOSes you!!!

Leave Honeypots to the Feds.  They can actually do something against a
cracker.

Now, if you want to bring up an internal Honeypot, that is a whole different
game.  Who inside your company is poking their virtual fingers where they
ought not?  A Honeypot inside the gates might be a really good idea.

Jon

-----Original Message-----
From: trilug-admin at trilug.org [mailto:trilug-admin at trilug.org]On Behalf
Of Mike Mueller
Sent: Saturday, July 13, 2002 8:42 AM
To: trilug at trilug.org
Subject: [TriLUG] Honeypots attract flies


I found this link at slashdot this AM.  While reading linked articles I
recalled a conversation on this list about staged hacking to analyse
vulnerabilities. The article's topic also ties in with recent conversations
on security and exploitable flaws in OpenSSH and Apache.  The idea promoted
on www.lucidic.net is to set out a "honeypot" of seemingly unprotected systems
and attract "flies" or hackers.  Then you can study the flies while they do
fly things and share the results openly.  This strikes me as a powerful
concept.

http://www.lucidic.net

The whitepapers have a consistent and familiar look and feel thanks to
DocBook (my current fascination).

--
m