Re: Honeypot detection and countermeasures
From: Lance Spitzner <lance(at)honeynet.org>
Date: Mon Jun 23 2003 - 23:01:09 EDT
> On June 23, 2003 06:58 am, Rob Shein wrote:
> > This wouldn't work. Seeing the packets/traffic on the wire doesn't tell

*sigh*, it's misconceptions like these that create confusion. Honeypots are an extremely powerful and flexible tool that comes in many shapes and sizes. Everything from Honeyd, which can deploy millions of virtual honeypots on your network, to more advanced high-interaction honeypots, such as ManTrap or Honeynets. This does not even take into consideration concepts such as honeytokens or honeypot farms.

In reference to your concern of easy to break in systems, a great deal of research is going into more advanced honeypot deployments. Examples include HotZoning or Tiering. HotZoning is when all 'bad' traffic is directed to honeypots. Tiering is honeypots of different complexity levels, where advanced attackers are lured into more difficult honeypots.

Second, you are falling into the common trap of the break in. The most interesting tools we have seen were not the ones used to break into honeypots, but the ones used afterwards. Things like IPv6 tunneling to hide traffic, remote commands using IP proto 11, or advanced CC fraud. We have even seen exploits being developed in real time. This information has been used to help OS vendors change their patching priorities.

If you have not looked at honeypots in a while, I recommend you give them a quick review. They have made radical advances in the past several years.
Honeypots: Definitions and Values
lance

Received on Tue Jun 24 11:41:20 2003