Re: IDS: RE: Honey pots / decoy servers
Martin Roesch (roesch
clark.net)
Thu, 26 Aug 1999 11:03:41 -0400
> Hi Marty/List,
>
> When implementing a honey-pot, if a cracker detects the presence of a
> deception like toolkit is the attacker not being invited to
> login/crack/exploit this pot-o-honey? Is this not similar to an agent or cop
> in full uniform holding out a bag of crack and saying, "Take it, take it - I
> got this crack for ya, take it." And if you're a crack head - you're damn well
> going to take the goods.

Hi Grant. You're proceeding from a false assumption here. Honeypots don't advertise themselves, they merely sit there and wait for someone to stumble across them. Just because there's an attackable service on your network (even a real one) doesn't mean that your network is fair game. The intent has to be there on the part of the attacker before the attack can happen, and that is the important thing to remember when setting up a honeypot.

If it is done properly, a "facade service" should look so much like the real thing that it is indistinguishable from the real thing. If the attacker intends to attack the real thing and thinks he is attacking the real thing, we can treat him as if he attacked the real thing.
Rule Number Three of Honeypots: Facade services must provide a level of interactivity sufficient for an attacker to be unable to differentiate between the facade service and its real world counterpart.
> What are the applicable legalities? Could this honey-pot also degrade your
> network wide prosecutorial rights - one honey pot designating the entire
> network fair game?
No, it's illegal to attack any part of your network no matter what its function!
> Oh oh oh, I like this one - Does this not parallel hanging a bag of CraCK on
> a tree in your front yard and then shooting any takers?
Here's an analogy that I like: You keep a jewelry box full of cubic zirconia on the dresser in your bedroom and the real diamonds are in a wall safe in the basement. Is it legal for someone to enter your house and take everything you have just because you left out the zirconia?
-Marty
-- Martin Roesch roeschclark.net http://www.clark.net/~roesch