Honeypots mailing list archives
Re: Hardware Performance of Honeyd
From: Valdis.Kletnieks () vt edu
Date: Thu, 11 Jan 2007 23:17:13 -0500
On Thu, 11 Jan 2007 22:40:38 EST, Sol_Invictus said:
Our goal is a nice Class B network with random "Configured" systems for more info for some good reporting.. My main question is, would this system handle a class A honeynet?
Personally, I wouldn't try to make a honeynet much bigger than a /16 (which is what a "class B" *should* be called ever since CIDR happened oh about a decade or so ago). The biggest problem with trying to go to a /8 isn't the actual simulation of a /8, it's trying to make a /8 that somebody will *believe* (remember, there's only 256 /8s in the entire IPv4 space, and every single one is accounted for). 10/8 is probably the only one you could get people to believe - but that is of limited utility... And on the flip side - if you're trying to emulate an entire /8, you will need a way to make the routing look right from the attacker's point of view, and not break anything. This has *two* sides: 1) If you're faking (for example) the 12/8 net, you won't attract any packets from anyplace that has a BGP feed that draws those packets towards ATT Worldnet (the real owner of 12/8). So you only see packets from people "upstream" from you. 2) You better be ready for your upstream users to raise holy heck with your support desk on why ATT just fell off the net.... Moral: You *really* want to make the honeynet be an otherwise "dark" subnet of your own address space.
Attachment:
_bin
Description:
Current thread:
- Hardware Performance of Honeyd Sol_Invictus (Jan 11)
- Re: Hardware Performance of Honeyd Valdis . Kletnieks (Jan 12)
- Re: Hardware Performance of Honeyd Arthur Clune (Jan 12)
- Re: Hardware Performance of Honeyd David Watson (Jan 12)
- Re: Hardware Performance of Honeyd Michael Bailey (Jan 16)
- Re: Hardware Performance of Honeyd Valdis . Kletnieks (Jan 12)