RE: IDS: RE: Honey pots / decoy servers
Martin Roesch (roesch@clark.net)
Thu, 26 Aug 1999 11:16:08 -0400
On Thu, 26 Aug 1999, Martins, Fernando (Lisbon) wrote:

> So Marty... we got an entire C class, and some services running in those fake IPs ... in my last post, will the pings and traceroutes (if made for example during one week of "alive" checks) be able to detect any kind of standard delays between hosts?

You can model this with the right software. If you're writing a commercial honeypot (for example) it wouldn't be too terribly difficult to write a "facade router" that would mimic delays across gateways and even make it variable at different times of day (less delay after everyone has gone home for the day, for example).
> Then ... Marty's first flaw is assuming he knows the hacker profile ... never trust that, and go in the 1st place for "nah ... he'll never do it .... too many resources needed for it" ... we may know some profiles, but my point is HOW BAD this guy wants me?
Actually, I specifically said that you must know a good deal about hacker tools, capabilities, and methods in order to set up a good honeypot. I'll leave it as an exercise for the reader whether or not I know anything about hacking. ;) You can never be sure you know everything about the hacker, so you have to make very good facade services and model the network traffic accurately to make up for that fact.
> About the level of paranoia ... that's exactly my point, because I always assume that the attacker's paranoia is bigger than my own ;)
> That's why I must assume that I never know, before being actually attacked (if I can see it of course ...), how an attacker will attack, so, by Marty's rules I'll never be able to have a good honeypot :/ must start the definition of "nerdspot" or "nutspot" eheh
You can never set up a perfect reproduction of a network in software. There's always going to be something that will make your ruse detectable. Another thing that I consider essential for honeypots is the ability to be rapidly reconfigured, but I'm not going to expound on that one today. :)
> About the "slow roll scans" ... that's what I was asking, when I asked about delays ... and now I add, the chance for each scan on each port being made every time from different sources... (and the paranoia starts ...?)
With a honeypot you at least detect you're being scanned. A lot of times it doesn't matter where the scan is coming from, just knowing that you're being scanned allows the network admins to take measures to protect themselves.
-Marty

--
Martin Roesch
roesch@clark.net
http://www.clark.net/~roesch
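The "facade router" Marty describes above, as an added example that is not part of the original thread: a toy latency model that reports stable, time-of-day dependent ping and traceroute delays for decoy hosts. The hop delays, the load profile and the rule mapping a fake IP to a hop count are all constructed assumptions.

```python
"""Toy latency model for a honeypot 'facade router' that reports consistent, time-of-day
dependent delays to fake hosts. Added example, not code from the thread; all values constructed."""
import hashlib
import random

# Assumed one-way base delay (ms) for each fake hop on the path to a decoy host:
# edge switch, core router, WAN gateway, remote gateway, remote edge.
HOP_BASE_MS = [0.4, 1.8, 9.0, 22.0, 1.1]


def load_factor(hour: int) -> float:
    """Assumed congestion multiplier: busier during office hours, idle overnight."""
    if not 0 <= hour < 24:
        raise ValueError("hour must be 0-23")
    if 9 <= hour < 18:
        return 1.35
    if 18 <= hour < 22:
        return 1.10
    return 1.0


def path_hops(fake_ip: str) -> int:
    """Constructed rule: each quarter of the decoy /24 sits one fake gateway deeper (2..5 hops)."""
    last_octet = int(fake_ip.rsplit(".", 1)[1])
    return 2 + last_octet // 64


def _jitter(key: str, base: float) -> float:
    # Deterministic per probe so a week of "alive" checks shows a stable mean with
    # bounded, slightly right-skewed noise, like a real queueing path.
    seed = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    return random.Random(seed).uniform(-0.04, 0.06) * base


def rtt_ms(src: str, dst: str, hour: int, seq: int) -> float:
    """Round-trip time the facade reports for echo request `seq` from src to decoy dst."""
    base = 2 * sum(HOP_BASE_MS[:path_hops(dst)]) * load_factor(hour)
    return round(base + _jitter(f"{src}|{dst}|{hour}|{seq}", base), 2)


def traceroute_ms(src: str, dst: str, hour: int, seq: int) -> list[float]:
    """Per-hop RTTs a traceroute through the facade would see; kept monotone like a real path."""
    out, cum = [], 0.0
    for h in range(path_hops(dst)):
        cum += 2 * HOP_BASE_MS[h] * load_factor(hour)
        seen = cum + _jitter(f"{src}|{dst}|{hour}|{seq}|{h}", cum)
        out.append(round(max(seen, out[-1] if out else 0.0), 2))
    return out
```

A real facade would also need to keep these figures consistent with the delays a probe sees to the real gateways in front of the decoy range, since a mismatch there is exactly the kind of detail that gives the ruse away.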
This archive was generated by hypermail 2.0b3 on Thu Aug 26 1999 - 20:33:32 CDT