Honeypots mailing list archives
Re: IP addresses in honeynet
From: Ivan Milovidov <some_help () yahoo com>
Date: 1 May 2003 14:27:44 -0000
In-Reply-To: <Pine.BSO.4.44.0305010942450.28412-100000 () klake org>

In my opinion it depends on the honeynet's general purpose, overall design and type of "nodes" behavior. For the attacker the honeynet looks like a fragment or a whole network occupied by people busy with everyday life. If your goal is to fool someone into believing the honeynet is your LAN - working with your honeynet is almost the same as working with your LAN. Fix problems, one after another, and use common sense LAN support logic to stay undetected.

If your honeynet is changing everything - behavior and IPs - will it look suspicious? Is there a real explanation of how this change could have been done by a LAN admin during business hours? Is there a good reason for the change?

If a single honeypot is getting compromised all over again, add something to it - a new banner saying this system is watched now and disable services with high-risk security; or update them. Another way is to replace the OS with something else, but host the same purpose services - it creates a vision of a LAN admin fixing the problem because he has to keep this box functional.

About word spreading in the community: it depends on what kind of goods your system is "offering". If your company name is unknown, Internet connection is slow, no interesting data, limited disk space - you have time. If you are someone who is well known, with a fast connection, useful data, plenty of disk space - count minutes before someone else is notified.