Honeypots: Re: profiling honeypots..

["Bernie, CTA" <cta () hcsin net>]

On 7 Apr 2003, at 1:06, nigel () 26354 net wrote:

> I've heard that attackers have been building their own list of
> sites and addresses that use Honeynet servers. 
>
> Has anyone heard anything in relation to this? 
> --
bhh>>>
I would presuppose, given the number of expedients and 
automated heuristic tools currently available, which an attacker 
may use for target discovery and identification that a list of 
honeypots/honeynets exists. Moreover, just as one may use 
penetration test to help fingerprint and model Attack 
Taxonomies for live systems, wouldn't an attacker develop 
Defense Taxonomies for honeypots?

As I see it, the two main problems with most honeypot 
implementations are that they exhibit predictable or identifiable 
probe/attack response characteristics, and their locations are 
typically indiscreetly disclosed. My suggestion is that we think 
about ways to interject controlled chaos (noise) into the design 
of a honeypots response to probes and attacks, in order to 
simulate the unpredictable behavior of active systems.
-

-
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************