Re: Honeypot detection and countermeasures

From: Lance Spitzner (lanceat_private)
Date: Mon Jun 23 2003 - 20:01:09 PDT

Next message: Trygve Aasheim: "SV: Honeypot detection and countermeasures"

Previous message: Dragos Ruiu: "Re: Honeypot detection and countermeasures"
In reply to: Dragos Ruiu: "Re: Honeypot detection and countermeasures"
Next in thread: miguel.dilajat_private: "Re: Honeypot detection and countermeasures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 23 Jun 2003, Dragos Ruiu wrote:

> On June 23, 2003 06:58 am, Rob Shein wrote:
> > This wouldn't work.  Seeing the packets/traffic on the wire doesn't tell
> > you the tools that are used, and it also doesn't really give you much else.
> > Considering that a honeypot is either not really rootable (DTK) or is very
> > low hanging fruit (and very rootable, like a honeynet.org system), they
> > either won't see tools downloaded to the system or won't see anything more
> > than the bare minimum needed to exploit a system that is too vulnerable to
> > begin with.

*sigh*, its misconceptions like these that create confusion.  Honeypots
are an extremely powerful and flexible tool that comes in many shapes
and sizes.  Everything from Honeyd which can deploy millions of virtual
honeypots on your network, to more advance high-interaction honeypots,
such as ManTrap or Honeynets.  This does not even take into consideration
concepts such as honeytokens or honeypot farms.

In reference to your concern of easy to break in systems, a great deal
of research is going into more advance honeypot deployments.  Examples
include HotZoning or Tiering.  HotZoning is when all 'bad' traffic
is directed to honeypots. Tieiring is honeypots of different
complexity levels, where advanced attackers are lured into more
difficult honepyots.

Second, you are falling into the common trap of the break in.  The most
interesting tools we have seen were not the ones used to break into 
honeypots, but the ones used afterwards.  Things like IPv6 tunneling
to hide traffic, remote commands using IP proto 11, or advance CC
Fraud.  We have even seen exploits being developed in real time.  This
information has been used to help OS vendors change their patching
priorities.

If you have not looked at honeypots in a while, I recommend you give
them a quick reivew.  They have made radical advances in the past
several years.

    Honeypots: Definitions and Values
    http://www.tracking-hackers.com/papers/honeypots.html

lance

---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------

Next message: Trygve Aasheim: "SV: Honeypot detection and countermeasures"
Previous message: Dragos Ruiu: "Re: Honeypot detection and countermeasures"
In reply to: Dragos Ruiu: "Re: Honeypot detection and countermeasures"
Next in thread: miguel.dilajat_private: "Re: Honeypot detection and countermeasures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 08:28:48 PDT