IP addresses in honeynet

[Jarkko Turkulainen <jt () klake org>]

Hi list,

I'm planning to build a honeynet and there's one detail that seems to me
important in design of the net. It would be nice to hear how people deal
with this issue.

How often should I change the IP addresses in honeynet? Is it sufficient
to change the address as different address in same subnet, or should I
change the net block as well?

If the same honeypot gets compromised and fixed over and over again, it
might look a bit odd to attackers.. How quick does the word spread in
blackhat community?


Best regards,

--
Jarkko Turkulainen <jt () klake org>