[TriLUG] Honeypots attract flies

Jeff Bollinger jeff01 at email.unc.edu
Mon Jul 15 08:36:21 EDT 2002


I couldn't disagree more.  While many of the points you mention, Jon, 
are indeed true, a honeypot (or honeynet) is a crucial tool for 
discovering new information.

Maybe sitting on a home network, it would be close to worthless 
because your ISP isn't going to do anything anyway (they're drowned 
with calls from people who are calling about "UDP port probes" from 
their personal firewalls).  I've got a stack of trojans, rootkits, and 
exploit code from our honeynet, all of which I can use against our test 
systems to see how to prevent other similar systems from compromise.

We've also used exploit code left on our honeynet to write custom 
signatures for our IDSs -- signatures that can notify us of an impending 
attack before there is an officially released signature.  I also think 
it's incredibly fun!  I can't tell you how many times I've caught a 
cracker live on the box, watching him/her come in the border router, and 
packet by packet (we run a sniffer between the border and the honeynet) 
watched them work.  I love to ifdown the box right as they set up the 
warez server.  :)

Jeff

Jon Carnes wrote:
> Once upon a time, the Honeypot idea was good.  If there was a pesky fly
> buzzing around your network, you could set up a Honeypot and trap that fly...
> 
> My outer network is scanned/probed/attacked over 250 times per day.  That's
> a lot of damn flies. If I put a vulnerable system on my outer network, it is
> generally hacked in less than 24 hours, and not just by one "fly"... if
> there's a script that looks for the vulnerability, then there will be a
> whole swarm stepping on top of each other - each laying their favorite eggs
> in the system.
> 
> No. You don't want to put a Honeypot on your outer network...
>  - You'll lose Bandwidth
>  - You could be aiding and abetting crackers in performing DOS attacks
>  - You become a known site to check for vulnerabilities, so scans on your
> site increase
>  - You learn almost nothing, as 99.999% of attacks come from other
> compromised machines
>  - You can't do anything useful against a hacker - you just provoke him and
> then he DOSes you!!!
> 
> Leave Honeypots to the Feds.  They can actually do something against a
> cracker.
> 
> Now, if you want to bring up an internal Honeypot, that is a whole different
> game.  Who inside your company is poking their virtual fingers where they
> ought not?  A Honeypot inside the gates might be a really good idea.
> 
> Jon
> 
> -----Original Message-----
> From: trilug-admin at trilug.org [mailto:trilug-admin at trilug.org]On Behalf
> Of Mike Mueller
> Sent: Saturday, July 13, 2002 8:42 AM
> To: trilug at trilug.org
> Subject: [TriLUG] Honeypots attract flies
> 
> 
> I found this link at slashdot this AM.  While reading linked articles I
> recalled a conversation on this list about staged hacking to analyse
> vulnerabilities. The article's topic also ties in with recent conversations
> on security and exploitable flaws in OpenSSH and Apache.  The idea promoted
> on www.lucidic.net is to set out a "honeypot", seemingly unprotected systems,
> and attract "flies" or hackers.  Then you can study the flies while they do
> fly things and share the results openly.  This strikes me as a powerful
> concept.
> 
> http://www.lucidic.net
> 
> The whitepapers have a consistent and familiar look and feel thanks to
> DocBook (my current fascination).
> 
> --
> m
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html


-- 
Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu

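Jeff's post describes two things a honeynet sensor gives you: a sniffer between the border router and the honeynet sees everything, and payloads captured there become custom IDS signatures. As an added example (not code from Jeff's honeynet, Jon's, or the TriLUG list), here is a small Python pass over sniffed packets that applies both ideas: any traffic a honeypot sends out is treated as a compromise (it has no legitimate users), and inbound traffic is matched against signatures written from earlier captures. The honeypot addresses, signature byte patterns and packets are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed honeypot addresses (constructed, RFC 5737 documentation range).
HONEYNET = {"192.0.2.10", "192.0.2.11"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Content signatures written from payloads seen on the honeynet earlier.
# The byte patterns here are constructed stand-ins, not real captures.
SIGNATURES = [
    ("captured-exploit-A", b"\x90\x90\x90\x90/bin/sh"),
    ("captured-exploit-B", b"GET /cgi-bin/evil?cmd="),
]

def classify(pkt: Packet) -> Optional[str]:
    """Alert kind for one sniffed packet, or None if it is not honeynet traffic."""
    if pkt.src in HONEYNET:
        # A honeypot has no legitimate users, so anything it sends out
        # (e.g. a warez server announcing itself) means it has been taken over.
        return "compromise"
    if pkt.dst not in HONEYNET:
        return None
    for name, pattern in SIGNATURES:
        if pattern in pkt.payload:
            return f"exploit:{name}"
    return "probe"  # unsolicited inbound traffic with no known payload

def alerts(packets: List[Packet]) -> List[Tuple[str, str, str, int]]:
    """Run classify over a capture and return (kind, src, dst, dport) per alert."""
    out = []
    for p in packets:
        kind = classify(p)
        if kind is not None:
            out.append((kind, p.src, p.dst, p.dport))
    return out

# Constructed sample capture from a sniffer between the border and the honeynet.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.0"),
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /cgi-bin/evil?cmd=id"),
    Packet("203.0.113.5", "192.0.2.11", 22, b"SSH-2.0-x\x90\x90\x90\x90/bin/sh"),
    Packet("192.0.2.11", "203.0.113.5", 6667, b"NICK warez-box"),
    Packet("198.51.100.7", "192.0.2.99", 80, b"GET / HTTP/1.0"),  # not a honeypot
]
```

The "compromise" alert is the moment Jeff describes pulling the interface down; in a real deployment the signature list is what you feed into the IDS ahead of an official release.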