Defeating Honeypots: Network Issues, Part 1

    Date: 30 Sep 2004
    Posted By: Anthony Pell
    To delude attackers and improve security within large computer networks, security researchers and engineers deploy honeypots. As this growing activity becomes a new trend in the whitehat community, the blackhats study how to defeat these same security tools. Though not everyone agrees on the power of honeypots, they are effective and are being deployed as tools -- and blackhats are already working to find ways to exploit and avoid them. The cyber battle continues.

    The purpose of this paper is to explain how attackers typically behave when they attempt to identify and defeat honeypots. This is not an exhaustive description of all the tools and methods that are publicly known (or unknown), but this article will help security teams who would like to set up or harden their own lines of deception-based defense. After some theoretical considerations, we will discuss some technical examples to emphasize our explanations. This two-part paper will focus on network issues. Further papers will move to the system world and the application layer.

    1. Theory

    This article discusses actions launched by attackers remotely, far away from a honeypot, as well as local actions launched on a compromised honeypot using the network layer. Beyond the scope of this article, if you're interested in learning more about technical issues from the underground regarding techniques used to defeat honeypots, you should definitely come to the next PacSec meeting in Tokyo, organized by Dragos Ruiu. [ref 0]
