Honeypots mailing list archives

Re: Trapping attackers when trying to leave a honeypot

From: Nicolas STAMPF <stampf.bes () free fr>
Date: Fri, 5 Sep 2003 09:57:38 +0200

Selon George Washington Dunlap III <dunlapg () umich edu>:

I had done some thinking on this kind of thing before as well, but it
always seemed to me that a clever attacker could detect this kind of thing
very easily -- easily enough to put it in a rootkit script, even.  The
basic idea is similar to cross-examination: make a couple of requests from
the new victim (your honeypot), and the same set of requests from an old
victim; if they differ, they know at least one is lying (probably the new
one).  They could:


If I were in charge of a firewall, I'd block that outgoing connection from the 
honeypot to outside if it were not "production" necessary. As this has already 
been said here, configuring hosts just like real ones is the best way to catch 
attackers.

  * Try to open a connection to a backdoor on a previously-hacked system


I'd deny this (except on smtp servers for outgoing smtp connections, etc.)

  * Try to make a connection (or send an attempted exploit) to an IP 
address they know doesn't exist


I'd block this as well

  * Scan a couple of random IP addresses, in both places and compare the 
results.


Idem. I'd say that if some attacker finds a computer widely opened, that would 
be quite surprising and should ring bells. 

I'd say that a properly configured firewall would only allow you to enter a 
network (through predefined pathes and using application vulnerabilities), but 
almost not authorize you to get out, except using specific paths, like SMTP 
trafic (which you could fake as going out and pretend using an ISP servers 
which spools emails (hence the hacker could not really on this path for real 
time communications). Other paths are more problematic to handle, of course: 
DNS requests, etc.

My conclusion was always that this might be marginally more effective at 
catching script kiddies, but easily dealt with by any competent black-hat.


Well, my goal was more to catch those between kiddies and blackhat. But the 
scripting feature kinds of ruins it all, I must concede.

Thanks for the comments anyway,

Nicolas Stampf

Current thread:

Trapping attackers when trying to leave a honeypot Nicolas STAMPF (Sep 04)
- Re: Trapping attackers when trying to leave a honeypot George Washington Dunlap III (Sep 04)
  - Re: Trapping attackers when trying to leave a honeypot Nicolas STAMPF (Sep 05)
    - Re: Trapping attackers when trying to leave a honeypot Valdis . Kletnieks (Sep 05)
    - Re: Trapping attackers when trying to leave a honeypot George Washington Dunlap III (Sep 05)