Honeypots mailing list archives
Re: Trapping attackers when trying to leave a honeypot
From: Nicolas STAMPF <stampf.bes () free fr>
Date: Fri, 5 Sep 2003 09:57:38 +0200
According to George Washington Dunlap III <dunlapg () umich edu>:
> I had done some thinking on this kind of thing before as well, but it always seemed to me that a clever attacker could detect this kind of thing very easily -- easily enough to put it in a rootkit script, even. The basic idea is similar to cross-examination: make a couple of requests from the new victim (your honeypot), and the same set of requests from an old victim; if they differ, they know at least one is lying (probably the new one). They could:

If I were in charge of a firewall, I'd block that outgoing connection from the honeypot to the outside if it were not "production" necessary. As has already been said here, configuring hosts just like real ones is the best way to catch attackers.

> * Try to open a connection to a backdoor on a previously-hacked system

I'd deny this (except on SMTP servers for outgoing SMTP connections, etc.)

> * Try to make a connection (or send an attempted exploit) to an IP address they know doesn't exist

I'd block this as well.

> * Scan a couple of random IP addresses, in both places and compare the results.

Idem. I'd say that if an attacker finds a computer wide open, that would be quite surprising and should ring bells. I'd say that a properly configured firewall would only allow you to enter a network (through predefined paths and using application vulnerabilities), but would almost never let you get out, except via specific paths, like SMTP traffic (which you could fake as going out, pretending to use an ISP's servers which spool emails, so the hacker could not rely on this path for real-time communications). Other paths are more problematic to handle, of course: DNS requests, etc.

> My conclusion was always that this might be marginally more effective at catching script kiddies, but easily dealt with by any competent black-hat.

Well, my goal was more to catch those between kiddies and black-hats. But the scripting feature kind of ruins it all, I must concede. Thanks for the comments anyway,

Nicolas Stampf
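The egress policy discussed in this exchange, as an added example that is not part of the thread and not anything the posters wrote: a small Python model of a honeypot firewall that permits only the predefined outbound paths (SMTP to the ISP's mail spool, DNS to the local resolver) and flags every other connection leaving the honeypot, run over a constructed connection log containing the three probes Dunlap lists. All addresses are from the RFC 5737 documentation ranges; the honeypot, relay and resolver addresses, the log line format and the log lines themselves are assumptions made for the example.

```python
# Added example (not from the thread): a minimal model of the egress policy
# described above, evaluated over constructed connection-log lines. All
# addresses are RFC 5737 documentation ranges; the relay and resolver
# addresses and the log format are assumptions for the sake of the example.
from dataclasses import dataclass
import ipaddress
import re

HONEYPOT = ipaddress.ip_address("192.0.2.10")             # assumed honeypot address
INTERNAL_RESOLVER = ipaddress.ip_network("192.0.2.1/32")  # assumed local DNS cache
ISP_SMTP_RELAY = ipaddress.ip_network("198.51.100.0/24")  # assumed ISP mail spool

# Predefined outbound paths the honeypot may use: (proto, dport, dst network).
# Mail goes to the ISP spool, so the attacker cannot use it for real-time
# traffic; DNS is only permitted to the local resolver, which narrows the
# "problematic" DNS path without answering every query ourselves.
ALLOWED_EGRESS = [
    ("tcp", 25, ISP_SMTP_RELAY),
    ("udp", 53, INTERNAL_RESOLVER),
]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


# Assumed log line shape: "tcp A:p -> B:q"
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line into a Flow."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    return Flow(
        proto=m["proto"],
        src=ipaddress.ip_address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.ip_address(m["dst"]),
        dport=int(m["dport"]),
    )


def decide(flow: Flow) -> str:
    """Return 'allow', 'deny+alert' or 'inbound' for a flow seen at the firewall."""
    if flow.src != HONEYPOT:
        # Entry into the honeypot is governed by the inbound rules, not here.
        return "inbound"
    for proto, dport, net in ALLOWED_EGRESS:
        if flow.proto == proto and flow.dport == dport and flow.dst in net:
            return "allow"
    # Anything else leaving the honeypot is not production necessary: a
    # backdoor call-home, a probe to a non-existent address, a scan, or a
    # DNS query to an outside server all land here and are worth an alert.
    return "deny+alert"


# Constructed sample log: what the firewall might see after a compromise.
SAMPLE_LOG = [
    "tcp 203.0.113.5:40211 -> 192.0.2.10:80",       # attacker's inbound exploit
    "tcp 192.0.2.10:51000 -> 198.51.100.25:25",     # mail via the ISP relay
    "udp 192.0.2.10:51001 -> 192.0.2.1:53",         # lookup via the local resolver
    "tcp 192.0.2.10:51002 -> 203.0.113.77:31337",   # backdoor on an earlier victim
    "tcp 192.0.2.10:51003 -> 203.0.113.250:80",     # probe to an address known to be dead
    "udp 192.0.2.10:51004 -> 203.0.113.53:53",      # DNS straight to an outside server
    "tcp 192.0.2.10:51005 -> 203.0.113.9:22",       # scanning a random host
]


def evaluate(lines):
    """Map each log line to the firewall's decision."""
    return [(line, decide(parse_flow(line))) for line in lines]


def alerts(lines):
    """Only the flows that should ring the bell."""
    return [line for line, verdict in evaluate(lines) if verdict == "deny+alert"]


if __name__ == "__main__":
    for line, verdict in evaluate(SAMPLE_LOG):
        print(f"{verdict:10s} {line}")
```

Run as-is it prints one verdict per constructed line; the four outbound flows that are not on the allow list (the backdoor connection, the probe to the dead address, the external DNS query and the scan) come back as "deny+alert". The inbound exploit is deliberately left to the entry rules, since the point of the thread is that the honeypot should look normal on the way in and be tight on the way out.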
Current thread:
- Trapping attackers when trying to leave a honeypot Nicolas STAMPF (Sep 04)
- Re: Trapping attackers when trying to leave a honeypot George Washington Dunlap III (Sep 04)
- Re: Trapping attackers when trying to leave a honeypot Nicolas STAMPF (Sep 05)
- Re: Trapping attackers when trying to leave a honeypot Valdis . Kletnieks (Sep 05)
- Re: Trapping attackers when trying to leave a honeypot George Washington Dunlap III (Sep 05)
- Re: Trapping attackers when trying to leave a honeypot Nicolas STAMPF (Sep 05)
- Re: Trapping attackers when trying to leave a honeypot George Washington Dunlap III (Sep 04)