From: Erick Arturo Perez Huemer (eperez_at_compuservice.net)
Date: Mon Jul 29 2002 - 03:16:42 CDT

    At first it seems interesting to poke theirs so they poke yours, but
    this has the nasty side of "waking up the beast". Who knows what kind of
    attacks with a former way-high destination will end up destroying the
    rest of your network and the honeypot.

    Obviously, before doing this, one must be sure to run the honeypot in a
    block *not* so close to your real company network, so scanners won't find
    you easily (we learnt that the hard way).

    One curious thing is that down here in Central America, our group ran a
    honeypot in two of the backbones in my country for 6 months last year
    and 65% of probes/hacks/etc were coming from the Asia ring, the rest
    came from a combo of US/UK/Germany/Brazil.

    Pretty good things were shown in the logs: firewalls were
    disabled/crashed, IDSs corrupted.... Thank God it was a test network.

    But we learned a very good lesson. We will *not* poke around again,
    until we are prepared for a massive incoming. Maybe we "disturbed"
    someone's probe to who knows where and he retaliated...

    The bad news is that the more connected our region becomes, the more
    probes we will get and hacks will go way up in the charts.

    My two cents,

    Erick A. Perez H.
    Information Security and Telecommunications Consultant
    Panama, Republic of Panama
    Tel. (507) 226-6217
    Mobile (507) 652-4889 (24 hours)
    PGP ID: 0xF4FAF330
    PGP Fingerprint: 3B75 C625 03CD 5304 3266
                     D3A2 AFEC C89B F4FA F330

    > -----Original Message-----
    > From: Jose Nazario [mailto:josemonkey.org]
    > Sent: Sunday, July 28, 2002, 02:06 p.m.
    > To: honeypotssecurityfocus.com
    > Subject: Re: Honeypots vs Penetration testing
    >
    >
    > have you considered the opposite type of honeypot? rather
    > than having a dormant system lie in wait for an attacker, have
    > you considered having it
    > (automatically) do something to attract an attacker?
    >
    > some things come to mind:
    >
    > a) have it sit with an irc client on hostile networks, like
    > efnet and undernet. look for compromise attempts via the
    > client.
    >
    > b) scan/poke at known hacker networks. see who comes back to
    > poke back (hopefully harder).
    >
    > sometimes you want to wait, like a ninja, for your enemy to
    > show up. some other times you want to really lure them in,
    > entrap them with suggestions that something delicious awaits
    > a curious mind.
    >
    > other times you want to drive them into your traps. to quote
    > jack ryan from "the hunt for red october", "the hounds to the
    > hunters".
    >
    > i suggest you start thinking about new ways to find hackers :)
    >
    > ___________________________
    > jose nazario, ph.d. josemonkey.org
    > http://www.monkey.org/~jose/
    >