[ale] Ale-topic

Michael H. Warfield mhw at wittsend.com
Thu Feb 13 10:05:19 EST 2003


On Wed, Feb 12, 2003 at 11:24:54PM -0500, tom wrote:
> Although I work at night usually and cannot attend Ale meetings much
> anymore, I would love to hear a presentation on honeypots. This seems
> like a new exciting way to catch hackers. I would even volunteer to help
> in some way if needed.

	If you think honeypots are "an exciting way to catch hackers" you
will be sadly disappointed.  I run a major research honeynet and I know
of very few hackers that are caught that way.

	They are valuable tools, if you know what you want to do with them.
They are dangerous tools with potential legal liabilities attached if
you don't.  They can also rapidly become man-power intensive time sinks.

	I like Mark Spitzner's definition of a honeypot.  It's a resource
whose value is in being attacked.

	A honeynet is a network (virtual or real) of such resources.

	A research honeypot or honeynet is used to study hackers / crackers /
intruders (whatever you want to call them), malware / worms / MSTDs
(MicroSoft Transmitted Diseases), exploits, rootkits, whatever...
It's not there to "catch hackers".  It's there to study them and
their techniques, amongst many many other things.  We caught some of
the very first samples of the "Dynamic Trojan Horse Network" worm
(unwise.exe) captured in the wild using my research honeynet.  We
catch their tools, their exploits, and their malware.

	A production honeypot (sometimes referred to as a "canary" as in
a "canary in a coal mine") is not for studying attacker techniques, it's
only there as attack bait.  Like having a fake logging server behind your
firewall.  It's used for detecting attacks when someone breaks into a system
and then tries to poke at your (fake) log server that it points at.
It makes intrusion detection systems more effective, but it's not intended
to actually be broken into (most of the time).  It's just there to draw
attack to where an IDS can spot it readily.

	Research honeypots are NOT to be taken lightly.  They do NOT
protect systems at all.  Some people think "Oh, I'll set up this honeypot
and they'll leave my real systems alone".  Wrong answer.  The honeypot
will attract attackers who would otherwise have ignored you and they will
then use your honeypot as a staging area to attack your systems or other
people's systems, if you haven't set them up properly (or, often, even
if you have) or maintained them.  Remember, a research honeypot is
expected to have hostile liveware visiting.  They can be expected to
figure out it's a honeypot they're on, given enough time.

	But honeypots and honeynets would be an interesting talk.  I
might be talked into such a presentation; it would have to be later
down the road.  I've got a couple stacked in a holding pattern right
now and I'm fleshing out one on IPv6 that I would like to do first
(either here at ALE or at AUUG - haven't decided that or when yet).

> tom

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
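The "canary" production honeypot described in the post (a fake log server that nothing legitimate should ever talk to, so any connection to it is a signal) is easy to turn into a detection rule. The following is an added example, not code from the post or from Michael Warfield; it assumes a constructed connection-log format (`<timestamp> <src> -> <dst>:<port> <proto>`), a hypothetical canary address `10.0.5.20` standing in for the fake logging server, and a hypothetical monitoring host `10.0.0.9` that is allowed to probe the canary. Everything else on the network is expected to ignore the canary, so the rule has essentially no legitimate traffic to confuse it.

```python
"""Canary (production honeypot) alerting over connection logs.

Added example, not from the ALE post.  Assumes a constructed log line format
    <timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>
and a hypothetical canary address (the post's "fake logging server").
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical canary: a decoy log server with no real clients.
CANARY_HOSTS = {ipaddress.ip_address("10.0.5.20")}
# Hypothetical hosts permitted to touch the canary (e.g. a health-check probe).
ALLOWED_SOURCES = {ipaddress.ip_address("10.0.0.9")}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    port: int
    proto: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def canary_alerts(lines):
    """Flag every connection to a canary host from a non-whitelisted source."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, don't crash the monitor
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if dst in CANARY_HOSTS and src not in ALLOWED_SOURCES:
            alerts.append(Alert(rec["ts"], str(src), str(dst), int(rec["port"]), rec["proto"]))
    return alerts


def suspect_sources(alerts):
    """Count alerts per source: the host poking the canary is the one to look at."""
    return dict(Counter(a.src for a in alerts))


# Constructed sample log: one real log-server write, one permitted probe,
# two pokes at the canary from an internal host, and one junk line.
SAMPLE_LOG = [
    "2003-02-13T09:58:01 10.0.3.44 -> 10.0.5.10:514 udp",
    "2003-02-13T09:58:05 10.0.0.9 -> 10.0.5.20:514 udp",
    "2003-02-13T10:01:12 10.0.3.44 -> 10.0.5.20:22 tcp",
    "2003-02-13T10:01:13 10.0.3.44 -> 10.0.5.20:514 tcp",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for a in canary_alerts(SAMPLE_LOG):
        print(f"CANARY HIT {a.ts} {a.src} -> {a.dst}:{a.port}/{a.proto}")
    print("suspect sources:", suspect_sources(canary_alerts(SAMPLE_LOG)))
```

Because the canary's only job is to be touched by something that should not know it exists, the rule needs no signatures or thresholds; the aggregation by source is what points you at the internal host that was broken into first, which is the detection value the post attributes to a production honeypot.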
