Honeypots

Re: DNS honeypots?

Wed, 03 Mar 2010 15:32:42 GMT

Posted by Jason Ross on Mar 03

But it would have the advantage of allowing you to capture further
traffic for analysis through whatever tools you choose.

Re: DNS honeypots?

Wed, 03 Mar 2010 15:27:05 GMT

Posted by Alexandre Dulaunoy on Mar 03

We have used various techniques to make DNS honeypots. But there is
an easy to do "fake" DNS server using Net::DNS::Nameserver :

http://search.cpan.org/~olaf/Net-DNS/

You can even find a simple example in the POD :

http://search.cpan.org/~olaf/Net-DNS/lib/Net/DNS/Nameserver.pm

If you want to make a low-interaction nameserver, you can filter
the request and answer to limit the malicious queries but still gain
information by doing and...

Re: DNS honeypots?

Wed, 03 Mar 2010 15:00:23 GMT

Posted by Brent Huston on Mar 03

Likely nothing today, most malware isn't smart enough to figure that out.

Re: DNS honeypots?

Wed, 03 Mar 2010 14:44:13 GMT

Posted by Jason Lewis on Mar 03

Slightly related, I was wondering what might happen if I made every
query to the honeypot resolve back to the honeypot?

Re: DNS honeypots?

Wed, 03 Mar 2010 14:21:42 GMT

Posted by Brent Huston on Mar 03

One of the tactics our clients use is that they stand up one of our HoneyPoint Agents on a decoy box and then send all
malicious and failed queries to that IP address. The HoneyPoint Agent then absorbs the traffic for analysis.

You can find a little bit about it from one of our customers here, they wrote it up with us: http://hurl.ws/cbhp

Let me know if that helps!

Re: DNS honeypots?

Wed, 03 Mar 2010 02:56:08 GMT

Posted by chr1x on Mar 02

This post looks pretty interesting!

Let's analyze your requirement:

1. Logging malicious queries
2. Reject/Deny any possible dns attack attempt

Well, from my point of view, going from the Honeypot concept which is
track hackers, probably the best way that you can follow is to setup an
IPS instead a Sensor. Personally, I don't see the purpose to have
"Reactive" honeypot if the objective of a honeypot is to be the most
open possible...

Re: DNS honeypots?

Tue, 02 Mar 2010 23:33:48 GMT

Posted by Jason Lewis on Mar 02

I just figured I'd setup something to log access and see what shows
up. I wasn't planning on directing traffic to the system.

Re: DNS honeypots?

Tue, 02 Mar 2010 23:22:28 GMT

Posted by Jason Lewis on Mar 02

Cool, this is the kind of thing I was thinking of doing. I was hoping
I wouldn't have to reinvent the wheel.

Thanks.

Re: DNS honeypots?

Tue, 02 Mar 2010 22:59:13 GMT

Posted by Jason Ross on Mar 02

There's quite a lot of (bad and good) bots "out there" looking for DNS
servers, particularly ones that appear to permit recursive queries to
the Internet. Just leaving a box on the net that meets those criteria
will collect a fair amount of queries.

Re: DNS honeypots?

Tue, 02 Mar 2010 21:53:10 GMT

Posted by Valdis . Kletnieks on Mar 02

On Tue, 02 Mar 2010 15:00:43 EST, Jason Lewis said:

Out of curiosity, how do you get traffic directed to the honeypot without
listing it in an NS entry for an SOA? Give it a hostname like ns1.exampe.com
and hope that works?

Re: DNS honeypots?

Tue, 02 Mar 2010 20:52:21 GMT

Posted by Jason Ross on Mar 02

Below is how I've got BIND set up in Debian Linux for a similar purpose.
It sends all the queries to a log file, and returns an A record (and MX)
of whatever value you'd like (I used RFC1918 space for this example).

Not sure it's perfect, but it works pretty well for my purposes.

Cheers,

Re: DNS honeypots?

Tue, 02 Mar 2010 20:24:08 GMT

Posted by Tillmann Werner on Mar 02

Jason,

No need to run a server, you can simply sniff DNS traffic destined to
that box. If you don't want to send back an ICMP port unreachable
message, just block them using a packet filter.

I have some DNS sniffer code for exactly that purpose I can send to you
off-list if you are interested. tcpdump does the job, too, but mine
integrates DNS processing and logging (for IN/A record queries via UDP).

Tillmann

DNS honeypots?

Tue, 02 Mar 2010 20:08:05 GMT

Posted by Jason Lewis on Mar 02

Anyone have any pointers to dns honeypots or maybe just BIND
configurations that would allow logging of malicious queries without
actually executing them?

Honeynet Project Forensic Challenge 2010/2 - browsers under attack

Sat, 27 Feb 2010 20:01:26 GMT

Posted by christian . seifert on Feb 27

The Honeynet Project has revived an successful program from the past: The Honeynet Project Forensic Challenge 2010. The
purpose of the Forensic Challenges is to take learning one step farther. Instead of having the Honeynet Project analyze
attacks and share their findings, Forensic Challenges give the security community the opportunity to do so. In the end,
individuals and organizations not only learn about threats, but also learn how to...