Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Erick Arturo Perez Huemer (eperez_at_compuservice.net)
Date: Mon Jul 29 2002 - 03:16:42 CDT
At first it seems interesting to poke theirs so they poke yours..but
this has the nasty side of "waking up the beast" Who knows what kind of
attacks with a former way-high destination will end up destroying the
rest of your network and the honeypot.
Obviously, before doing this, one must be sure to run the honeypot in a
block *not* so close to your real company network, so scanners wont find
you easily (we learnt that the hard way).
One curious thing is that down here in Central America, our group ran a
honeypot in two of the backbones in my country for 6 months last year
and 65% of probes/hacks/etc were coming from the Asia ring, the rest
came from a combo of US/UK/Germany/Brazil.
Pretty good things were shown in the logs, firewalls were
disabled/crashed, IDSs corrupted....thank god is was a test network.
But we learned a very good lesson. We will *not* poke around again,
until we are prepared for a massive incoming. Maybe we "disturbed"
someone's probe to who knows where and he retaliated...
The bad news is that the more connected our region becomes, the more
probes we will get and hacks will go way up in the charts.
My two cents,
Erick A. Perez H.
Asesor de Seguridad informatica
Panama, Republica de Panama
Tel. (507) 226-6217
Movil. (507) 652-4889 (24 horas)
PGP ID: 0xF4FAF330
PGP Fingerprint: 3B75 C625 03CD 5304 3266
D3A2 AFEC C89B F4FA F330
> -----Original Message-----
> From: Jose Nazario [mailto:josemonkey.org]
> Sent: Domingo, 28 de Julio de 2002 02:06 p.m.
> To: honeypotssecurityfocus.com
> Subject: Re: Honeypots vs Penetration testing
> have you considered the opposite type of honeypot? rather
> than having a dormant sytem lie in wait for an attacker, have
> you considered have it
> (automatically) do something to attract an attacker?
> some things come to mind:
> a) have it sit with an irc client on hostile networks, like
> efnet and undernet. look for compromise attempts via the
> b) scan/poke at known hacker networks. see who comes back to
> poke back (hopefully harder).
> sometimes you want to wait, like a ninja, for your enemy to
> show up. some other times you want to really lure them in,
> entrap them with suggestions that something delicious awaits
> a curious mind.
> other times you want to drive them into your traps. to quote
> jack ryan from "the hunt for red october", "the hounds to the
> i suggest you start thinking about new ways to find hackers :)
> jose nazario, ph.d. josemonkey.org