[TriLUG] Honeypots attract flies

Jon Carnes jonc at haht.com
Mon Jul 15 09:27:32 EDT 2002 

The difference in our two points of view are that you have the time to
continuously monitor your "Honeypot", and by your eternal vigilance, down
the compromised system before it can be used to propagate the evil that men
do...

May you be ever vigilant!

-----Original Message-----
From: trilug-admin at trilug.org [mailto:trilug-admin at trilug.org]On Behalf
Of Jeff Bollinger
Sent: Monday, July 15, 2002 8:36 AM
To: trilug at trilug.org
Subject: Re: [TriLUG] Honeypots attract flies


I couldn't disagree more.  While many of the points you mentiong Jon,
are indeed true, a honeypot (or honeynet) is a crucial tool to
discovering new information.

  Maybe sitting on a home network, it would be close to worthless
because your ISP isn't going to do anything anyways (they're drowned
with calls from people who are calling about "UDP port probes" from
their personal firewalls.  I've got a stack of trojans, rootkits, and
exploit code from our honeynet, all of which I can use against our test
systems to see how to prevent other similar systems from compromise.

We've also used exploit code left on our honeynet to write custom
signatures for our IDSs -- signatures that can notify us of an impending
attack before there is an officially released signature.  I also think
it's incredibly fun!  I can't tell you how many times I've caught a
cracker live on the box, watching him/her come in the border router, and
packet by packet (we run a sniffer between the border and the honeynet)
watched them work.  I love to ifdown the box right as they set up the
warez server.  :)

Jeff

Jon Carnes wrote:
> Once upon a time, the Honeypot idea was good.  If there was a pesky fly
> buzzing around your network, you could setup a Honeypot and trap that
fly...
>
> My outer network is scanned/probed/attacked over 250 times per day.
That's
> a lot of damn flys. If I put a vulnerable system on my outer network, it
is
> generally hacked in less than 24 hours, and not just by one "fly"... if
> there's a script that looks for the vulnerability, then there will be a
> whole swarm stepping on top of each other - each laying their favorite
eggs
> in the system.
>
> No. You don't want to put a Honeypot on your outer network...
>  - You'll lose Bandwidth
>  - You could be aiding and abetting crackers in performing DOS attacks
>  - You become a known site to check for vulnerabilities, so scans on your
> site increase
>  - You learn almost nothing, as 99.999% of attacks come from other
> compromised machines
>  - You can't do anything useful against hacker - you just provoke him and
> then he DOSes you!!!
>
> Leave Honeypots to the Feds.  They can actually do something against a
> cracker.
>
> Now, if you want to bring up an internal Honeypot, that is a whole
different
> game.  Who inside your company is poking their virtual fingers where they
> ought not?  A Honeypot inside the gates, might be a really good idea.
>
> Jon
>
> -----Original Message-----
> From: trilug-admin at trilug.org [mailto:trilug-admin at trilug.org]On Behalf
> Of Mike Mueller
> Sent: Saturday, July 13, 2002 8:42 AM
> To: trilug at trilug.org
> Subject: [TriLUG] Honeypots attract flies
>
>
> I found this link at slashdot this AM.  While reading linked articles I
> recalled a converstation on this list about staged hacking to analyse
> vulnerabilities. The article's topic also ties in with recent
conversations
> on security and exploitable flaws in OpenSSH and Apache.  The idea
promoted
> on www.lucidic.net is to set out a "honeypot" seemingly unprotected
systems
> and attract "flies" or hackers.  Then you can study the flies while they
do
> fly things and share the results openly.  This strikes me as a powerful
> concept.
>
> http://www.lucidic.net
>
> The whitepapers have a consistent and familiar look and feel thanks to
> DocBook (my current fascination).
>
> --
> m
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
>
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html


--
Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjzETQsACgkQvoVlxVBmgsXunQCg1Pjc14nTjWiP8FCy+NNDK97E
HMAAoIRhikBeM5Lm+6Iu/0h3MX6lDgiR
=LpiV
-----END PGP SIGNATURE-----

_______________________________________________
TriLUG mailing list
    http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ:
    http://www.trilug.org/~lovelace/faq/TriLUG-faq.html

More information about the TriLUG mailing list