Honeypots mailing list archives
RE: Detection of attacks with the help of honeypots
From: "Bruno MAC Castro" <bcastro () dei uc pt>
Date: Sat, 9 Nov 2002 15:29:44 -0000
Hi Hess,

Just my 0.02$...

I am sure that each one of us has a personal idea about the HoneyPot concept. I can summarize my idea of the main goals of a HoneyPot:

1. Learn
The main goal of a Honeypot is to learn hacker's techniques and tools. Only that way can we (system administrators and security agents) improve our forensics and defense techniques.

2. Improve our systems
If a hacker (or cracker) gets in our system it's because something is not right! Without knowing how he did it, that would be our only conclusion after the break-in. A Honeypot gives us the vital information for a system administrator: our system holes! That way you will only need to close (or configure) the corrupted service or apply some patch, etc... Until a new "hole" is found...

3. Legal Information
A HoneyPot will gather all "step-by-step" information regarding the hacker's hacking process. So, maybe you will gather enough information to build a legal accusation against the "script kiddie"... just maybe... not easy!

4. Hide the vital systems
A HoneyPot can be used as a security measure. Only that! It will never (maybe too radical! :-) ) be a security defense solution. How can it be a security measure? Well, a hacker will be looking for the first and the easiest way to break in. If a HoneyPot is installed on a company network (ISP, bank, etc) it will be the easiest target for sure... and will get all the hacker's attention! That way, he will be "interested" in the HoneyPot and not in our real system. I think this will be the HoneyPot's future as a security solution...

Hope that it helped...

Best Regards,
Bruno
______________________________________
Bruno Miguel Abrantes de Campos e Castro
Mail To: bcastro () portugalmail pt
         bcastro () dei uc pt
______________________________________

-----Original Message-----
From: hess () ftmail ee tu-berlin de [mailto:hess () ftmail ee tu-berlin de] On Behalf Of Andreas Hess
Sent: quarta-feira, 6 de Novembro de 2002 8:33
To: honeypots
Subject: Detection of attacks with the help of honeypots

Hi,

I am relatively new to the concept of honeypots, thus I've got a general question. As far as I've understood the concept, honeypots could amongst other things be used for the detection of attacks. An attack could be identified by:

1.) communication between a remote host and the honeypot - as this is always suspicious, as an honest person would never contact a honeypot
2.) analysing log-files of the honeypot
3.) certain reactions of a honeypot. Are there honeypots which are capable of differentiating between regular and irregular requests? What happens if somebody floods a honeypot with a huge amount of regular requests? This is a kind of attack versus the honeypot but would not affect a real system.

Is the current approach a mixture of the three given possibilities or how does it work?

Thank you very much for helping!

Regards
Andreas