Honeypots mailing list archives

Re: Hardware Performance of Honeyd


From: Valdis.Kletnieks () vt edu
Date: Thu, 11 Jan 2007 23:17:13 -0500

On Thu, 11 Jan 2007 22:40:38 EST, Sol_Invictus said:
> Our goal is a nice Class B network with random "Configured" systems for more
> info for some good reporting.  My main question is, would this system
> handle a class A honeynet?

Personally, I wouldn't try to make a honeynet much bigger than a /16 (which is
what a "class B" *should* be called ever since CIDR happened oh about a decade
or so ago).  The biggest problem with trying to go to a /8 isn't the actual
simulation of a /8, it's trying to make a /8 that somebody will *believe*
(remember, there's only 256 /8s in the entire IPv4 space, and every single
one is accounted for).  10/8 is probably the only one you could get people
to believe - but that is of limited utility...

And on the flip side - if you're trying to emulate an entire /8, you will
need a way to make the routing look right from the attacker's point
of view, and not break anything.  This has *two* sides:

1) If you're faking (for example) the 12/8 net, you won't attract any
packets from anyplace that has a BGP feed that draws those packets towards
ATT Worldnet (the real owner of 12/8).  So you only see packets from people
"upstream" from you.

2) You better be ready for your upstream users to raise holy heck with your
support desk on why ATT just fell off the net....

Moral: You *really* want to make the honeynet be an otherwise "dark" subnet
of your own address space.
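
A check for the rule above, as an added example that is not part of the original post: it lists the dark blocks inside your own allocations and rejects a candidate honeynet that falls outside them, overlaps a live subnet, or is bigger than a /16. The allocation and live-subnet values are constructed (198.18.0.0/15 is the reserved benchmarking range) and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: one allocation you own and the subnets live in it.
OWN = ["198.18.0.0/15"]
IN_USE = ["198.18.0.0/17", "198.19.0.0/16"]


def dark_blocks(own_allocations, in_use):
    """Return the parts of your allocations not covered by any live subnet."""
    free = [ipaddress.ip_network(a) for a in own_allocations]
    for used in map(ipaddress.ip_network, in_use):
        remaining = []
        for block in free:
            if not block.overlaps(used):
                remaining.append(block)            # untouched by this subnet
            elif block.subnet_of(used):
                continue                           # entirely live, nothing dark
            else:
                # CIDR blocks nest or are disjoint, so 'used' is inside 'block'.
                remaining.extend(block.address_exclude(used))
        free = remaining
    return sorted(ipaddress.collapse_addresses(free))


def evaluate_honeynet(candidate, own_allocations, in_use, min_prefixlen=16):
    """Return a list of problems; an empty list means the candidate passes.

    min_prefixlen=16 encodes the post's rule of thumb (nothing much bigger
    than a /16); it is a tunable assumption, not a hard limit.
    """
    net = ipaddress.ip_network(candidate)
    problems = []
    if net.prefixlen < min_prefixlen:
        problems.append(f"{net} is bigger than a /{min_prefixlen}")
    if not any(net.subnet_of(ipaddress.ip_network(a)) for a in own_allocations):
        problems.append(f"{net} is not inside your own address space")
    for used in map(ipaddress.ip_network, in_use):
        if net.overlaps(used):
            problems.append(f"{net} overlaps live subnet {used}")
    return problems


if __name__ == "__main__":
    print("dark blocks:", [str(b) for b in dark_blocks(OWN, IN_USE)])
    # 12.0.0.0/8 is the post's own example of a prefix that belongs to someone else.
    for cand in ("198.18.128.0/17", "198.18.0.0/16", "12.0.0.0/8"):
        print(cand, "->", evaluate_honeynet(cand, OWN, IN_USE) or "ok")
```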
