Honeypots mailing list archives
Re: Is it one way to detect honeypot?
From: Olaf Gellert <og () pre-secure de>
Date: Thu, 12 Feb 2004 16:02:22 +0100
wanfat wu wrote:

> Hi Olaf Gellert,
>
> Thank you for your reply first! I get your point. From my point of view, a honeypot can also be used to detect unauthorized users or to protect a local network, for example, on a university campus. I think it is quite easy to detect MACs by using Ettercap. If I am the attacker, I can see many hosts with the same MAC. So, I can know that a host with a different MAC is the real host. What do you think?

Well, this works only if the attacker is in the same Ethernet segment. This would be true of a small network with ~100 hosts, but of course not for a large university campus. I am not sure, usually ARP requests should not go over a switch to another segment (someone correct me if I am wrong).

So, yes, you can use this to detect the kind of honeypots that use many IP addresses on one interface. There are some special settings where this would not work (for example SSL servers serving many domains (each one needs an IP address), so they have many IP addresses but are using only one interface).

Cheers,
Olaf

--
Dipl.Inform. Olaf Gellert, Consultant
PRESECURE (R) Consulting GmbH
Phone: (+49) 0700 / PRESECURE
og () pre-secure de
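A honeypot operator can check what their own segment exposes in this respect by grouping the local neighbour table by MAC address. The following is an added example, not part of the original message; the `ip neigh show` sample is constructed, and the allow-list for legitimately multi-addressed servers (the SSL case mentioned above) and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `ip neigh show` (not real data).
SAMPLE_NEIGH = """\
192.0.2.10 dev eth0 lladdr 00:16:3e:aa:00:01 REACHABLE
192.0.2.11 dev eth0 lladdr 00:16:3e:aa:00:02 STALE
192.0.2.50 dev eth0 lladdr 00:16:3e:bb:00:99 REACHABLE
192.0.2.51 dev eth0 lladdr 00:16:3E:BB:00:99 STALE
192.0.2.52 dev eth0 lladdr 00:16:3e:bb:00:99 STALE
192.0.2.53 dev eth0 lladdr 00:16:3e:bb:00:99 DELAY
192.0.2.80 dev eth0 lladdr 00:16:3e:cc:00:05 REACHABLE
192.0.2.81 dev eth0 lladdr 00:16:3e:cc:00:05 REACHABLE
192.0.2.82 dev eth0 lladdr 00:16:3e:cc:00:05 REACHABLE
192.0.2.99 dev eth0  FAILED
"""

# IP, interface and link-layer address of one resolved neighbour entry.
LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9A-Fa-f:]{17})\b")

def group_by_mac(neigh_text):
    """Map each MAC address to the sorted list of IPs that resolve to it."""
    macs = defaultdict(set)
    for line in neigh_text.splitlines():
        m = LINE.match(line.strip())
        if m:  # entries without lladdr (FAILED/INCOMPLETE) are skipped
            macs[m.group(3).lower()].add(m.group(1))
    return {mac: sorted(ips) for mac, ips in macs.items()}

def shared_macs(neigh_text, threshold=3, known_multi_ip=()):
    """Return MACs answering for >= threshold IPs, minus expected ones."""
    known = {m.lower() for m in known_multi_ip}
    return {mac: ips for mac, ips in group_by_mac(neigh_text).items()
            if len(ips) >= threshold and mac not in known}

if __name__ == "__main__":
    # Assumption: 00:16:3e:cc:00:05 is a web server with one IP per SSL site.
    expected = ["00:16:3e:cc:00:05"]
    for mac, ips in shared_macs(SAMPLE_NEIGH, known_multi_ip=expected).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

The neighbour table only covers the local Ethernet segment, which matches the limitation described in the reply: a host on another segment sees the router's MAC, not this grouping.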
Current thread:
- Is it one way to detect honeypot? wanfat wu (Feb 11)
- Re: Is it one way to detect honeypot? ravivsn (Feb 12)
- Re: Is it one way to detect honeypot? Cedric Blancher (Feb 12)
- Re: Is it one way to detect honeypot? Olaf Gellert (Feb 12)
- Re: Is it one way to detect honeypot? wanfat wu (Feb 13)
- Re: Is it one way to detect honeypot? Olaf Gellert (Feb 12)
- Re: Is it one way to detect honeypot? wanfat wu (Feb 13)