Honeypots
mailing list archives
Re: results of the first honeyd challenge (dynamic honeynet?)
From: "Wim Mees" <Wim.Mees () vision rma ac be>
Date: Tue, 1 Apr 2003 17:58:55 +0200
Agreed, but I got the impression the original poster specifically wanted to
have IP addresses within his DHCP scope.
I can imagine a situation where you have a L2/L3 VLAN/subnet address space
layout with, in every subnet, a fixed scope (e.g. 10.x.y.100-199) for the
dynamically assigned addresses. A hacker would easily learn by passively
monitoring the network how the addresses are assigned in this organisation
and specifically target certain attacks to the workstations in the dynamic
scopes, which tend to be less frequently patched than the servers with fixed
IP addresses, where the event logs are not scrutinized, etc.
In that case the hacker/mapper will not step into your honeypots that are
right outside the DHCP scopes. A honeypot that was able to "talk to the DHCP
server" would allow you to disseminate your honeypots within the scope
already partially populated by "real" workstations.
This is perhaps a "marginal" case, but I wonder if any existing honeypot
solutions address it?
Wim
----- Original Message -----
From: "Niels Provos" <provos () citi umich edu>
To: "Wim Mees" <Wim.Mees () vision rma ac be>
Cc: "Lance Spitzner" <lance () honeynet org>; <honeypots () securityfocus com>
Sent: Tuesday, April 01, 2003 4:40 PM
Subject: Re: results of the first honeyd challenge (dynamic honeynet?)
On Tue, Apr 01, 2003 at 09:42:55AM +0200, Wim Mees wrote:
> If the DHCP server then hands out this address to a client, this client will
> in turn probe with an ARP request to see whether this IP address is really
> really free. Since you don't block the client, its ARP request will be
> received by the honeypot and will receive an ARP reply from arpd. As a
> result, the client will not accept the lease :(
You can configure arpd to take IP addresses from certain IP ranges.
You just need to make sure that there is no overlap with the IP
address range of the DHCP server.
Niels.
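The non-overlap condition Niels describes can be checked before arpd is started. The script below is an added example, not part of the original thread and not code from arpd or honeyd; the DHCP scope and honeypot ranges are constructed sample values, and the accepted notations (single address, CIDR block, first-last range) are an assumption of this script.

```python
import ipaddress


def parse_span(spec):
    """Turn 'a.b.c.d', 'a.b.c.d/len' or 'a.b.c.d-e.f.g.h' into (first, last) ints."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range runs backwards: {spec}")
        return lo, hi
    # A bare address parses as a /32, so first == last.
    net = ipaddress.IPv4Network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def overlaps(dhcp_scopes, honeypot_ranges):
    """List every intersection between a honeypot range and a DHCP scope.

    Each hit is (honeypot_spec, dhcp_spec, first_shared_ip, last_shared_ip).
    An address in a hit would be answered by the honeypot's ARP responder
    while the DHCP server may still lease it, so clients probing that
    address before accepting the lease would see it as taken.
    """
    hits = []
    for h in honeypot_ranges:
        h_lo, h_hi = parse_span(h)
        for d in dhcp_scopes:
            d_lo, d_hi = parse_span(d)
            lo, hi = max(h_lo, d_lo), min(h_hi, d_hi)
            if lo <= hi:
                hits.append((h, d,
                             str(ipaddress.IPv4Address(lo)),
                             str(ipaddress.IPv4Address(hi))))
    return hits


# Constructed sample: one subnet with a dynamic scope of .100-.199.
DHCP_SCOPES = ["10.1.2.100-10.1.2.199"]
# Constructed candidate honeypot ranges; the /28 covers .192-.207.
HONEYPOT_RANGES = ["10.1.2.200-10.1.2.220", "10.1.2.192/28", "10.1.2.50"]

if __name__ == "__main__":
    found = overlaps(DHCP_SCOPES, HONEYPOT_RANGES)
    for h, d, lo, hi in found:
        print(f"CONFLICT: honeypot range {h} overlaps DHCP scope {d}: {lo}-{hi}")
    if not found:
        print("no overlap between honeypot ranges and DHCP scopes")
```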