Hi all,
That was a recent paper at USENIX Security 05, so yes *it has been done
before*. But still a promising field of research, trying to maximize how
this is done practically. The name they gave to such a "switch" is shadow
honeypots, which I believe is a trendy name.
http://dcs.ics.forth.gr/Activities/papers/replay.pdf
Best,
Jesus
On 10/14/05, Harry Hoffman <hhoffman_at_ip-solutions.net> wrote:
>
> Hmm,
>
> I think something similar to this can be done with Xen.
>
> http://www.cl.cam.ac.uk/Research/SRG/netos/xen/readmes/user/user.html#SECTION02430000000000000000
>
> Although I believe you have to migrate all processes and memory.
>
> This might actually be fun to play with.
>
> Cheers,
> Harry
>
>
>
> Stejerean, Cosmin wrote:
> > What you mentioned sounds a lot like a bait and switch honeypot. I believe
> > the idea is to migrate both the process in question and the connection to
> > the honeypot so if a vulnerable server is exploited with a buffer overflow
> > attack the process will be migrated to the honeypot and any connection from
> > the attack will be redirected to the honeypot. This would be a step further
> > than regular network based bait and switch honeypot because the HIDS would
> > be able to detect when a process makes unusual system calls etc, as well as
> > transfer the process image and everything else to the honeypot.
> >
> > The difficulty is in carefully migrating the process over and deciding what
> > can or cannot be migrated.
> >
> > Cosmin
>
>
Received on Oct 16 2005