Honeypots mailing list archives

About Data Control


From: Martim Carbone <martim.carbone () ic unicamp br>
Date: Fri, 17 Jan 2003 16:15:36 -0200 (BRST)

Hi,

I am currently working on the Data Control part of my Honeynet, and have 
already configured Snort-inline to run with the rc.firewall script 
provided by the Honeynet Project. This configuration could prevent exploit 
attacks, scans and some DoS attacks. However, there is still one type of 
"attack" this setup does not prevent.

Suppose a random attacker breaks into a random machine A on the 
Internet, installs a backdoor and then breaks into OUR honeypot.
He could effectively use our honeypot as a bounce station and 
anonymize his connection to his backdoor on host A. And as far as I know, 
neither snort-inline nor the connection-limiting scheme could prevent 
him from doing it. Needless to say, this could get the honeynet's administrators
into serious trouble if A's administrators find out where the attacker is
connecting from.

Any ideas on how to prevent this?

Thanks,

-- Martim

