Re: [fw-wiz] DNS Names for external services

On Mon, 26 Apr 2010, Morty Abzug wrote:

On Fri, Apr 23, 2010 at 12:20:17PM -0700, david@xxxxxxx wrote:

Likewise, if you don't run an FTP server (or CVS, or POP3, or...),
set up DNS records for those pointing to your honeypot. Use it to
respond in any way you see fit for defense of your network (blocking
the IP, etc).

What happens when one of your legit users says "I wonder if we have an
FTP server?" and tries ftp.$ just to see if it answers?

if your server is locked down, nothing (other than an additional
failed login)

Re-read above. GP advocated setting up a honeypot on well-known names
that *blocks* the source IP. The problem with this is that if
$legit_user of your company/organization says 'hey, I see
"ftp.$" resolves' and tries it, you will block
$legit_user's source IP.

so an attacker scans you from many different IP addresses, in different orders, and then uses different addresses to attack you.

your approach helps, but will not keep you safe.

David Lang
firewall-wizards mailing list
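The thread turns on two things: a decoy DNS name must not auto-block a curious internal user, and per-IP blocking is easy to evade from many source addresses. The script below is an added example (not code from the list or from either poster) of a handler for hits on such decoy names. The log format, the internal address ranges and the "distinct decoy services before blocking" threshold are all constructed assumptions.

```python
"""Decide what to do with connections to decoy DNS names (ftp., pop3., cvs. ...).

Added example: the log format, address ranges and policy below are
constructed assumptions, not anything from the firewall-wizards thread.
"""
import ipaddress
from collections import defaultdict

# Assumed: the ranges your own users connect from. A hit from here is
# reported to the admin but never auto-blocked, so a curious employee who
# tries ftp.<domain> does not lock out a whole office.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed policy: an outside IP must touch this many *distinct* decoy
# services before it is auto-blocked; a single probe only raises an alert.
BLOCK_THRESHOLD = 2

# Constructed sample log, one event per line: "<epoch> <src_ip> <decoy_service>"
SAMPLE_LOG = """\
1272300000 192.168.5.20 ftp
1272300010 203.0.113.7 ftp
1272300015 203.0.113.7 pop3
1272300020 198.51.100.9 cvs
1272300030 not-an-ip ftp
"""


def is_internal(ip):
    """True if the address falls inside one of our own ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Return a list of (src_ip, service); malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        events.append((ip, parts[2]))
    return events


def classify(events):
    """Map each source IP to an action: alert-internal, alert, or block."""
    services_by_ip = defaultdict(set)
    for ip, svc in events:
        services_by_ip[ip].add(svc)

    decisions = {}
    for ip, svcs in services_by_ip.items():
        if is_internal(ip):
            decisions[str(ip)] = "alert-internal"      # never block our own users
        elif len(svcs) >= BLOCK_THRESHOLD:
            decisions[str(ip)] = "block"               # probed several decoys
        else:
            decisions[str(ip)] = "alert"               # single probe: log and watch
    return decisions


if __name__ == "__main__":
    for src, action in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:16} {action}")
```

Run as-is it prints one line per source address. The threshold only raises the bar for a single noisy scanner; a scan spread across many addresses, each touching one decoy, stays at "alert" for every source, which is exactly the limitation the reply above describes. Treat the output as an enrichment feed for your firewall logs, not as the thing that keeps the network safe.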
