Re: Honeypot detection and countermeasures

From: Lance Spitzner (
Date: 06/24/03

  • Next message: Trygve Aasheim: "SV: Honeypot detection and countermeasures"
    Date: Mon, 23 Jun 2003 22:01:09 -0500 (CDT)
    To: Dragos Ruiu <>

    On Mon, 23 Jun 2003, Dragos Ruiu wrote:

    > On June 23, 2003 06:58 am, Rob Shein wrote:
    > > This wouldn't work. Seeing the packets/traffic on the wire doesn't tell
    > > you the tools that are used, and it also doesn't really give you much else.
    > > Considering that a honeypot is either not really rootable (DTK) or is very
    > > low hanging fruit (and very rootable, like a system), they
    > > either won't see tools downloaded to the system or won't see anything more
    > > than the bare minimum needed to exploit a system that is too vulnerable to
    > > begin with.

    *sigh*, it's misconceptions like these that create confusion. Honeypots
    are an extremely powerful and flexible tool that comes in many shapes
    and sizes. Everything from Honeyd, which can deploy millions of virtual
    honeypots on your network, to more advanced high-interaction honeypots,
    such as ManTrap or Honeynets. This does not even take into consideration
    concepts such as honeytokens or honeypot farms.

    In reference to your concern of easy-to-break-in systems, a great deal
    of research is going into more advanced honeypot deployments. Examples
    include HotZoning or Tiering. HotZoning is when all 'bad' traffic
    is directed to honeypots. Tiering is honeypots of different
    complexity levels, where advanced attackers are lured into more
    difficult honeypots.

    Second, you are falling into the common trap of the break-in. The most
    interesting tools we have seen were not the ones used to break into
    honeypots, but the ones used afterwards. Things like IPv6 tunneling
    to hide traffic, remote commands using IP proto 11, or advanced CC
    Fraud. We have even seen exploits being developed in real time. This
    information has been used to help OS vendors change their patching

    If you have not looked at honeypots in a while, I recommend you give
    them a quick review. They have made radical advances in the past
    several years.

        Honeypots: Definitions and Values
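The post mentions two post-compromise techniques seen on honeypots, IPv6 tunneling to hide traffic and remote commands carried over IP protocol 11. The following is an added example (not code from the post, Honeyd, or the Honeynet Project) of the detection logic a honeynet operator would run over captured traffic: parse raw IPv4 headers, flag any packet whose IP protocol number is outside an expected set, and for protocol 41 (IPv6-in-IPv4) decode the inner IPv6 header so the real endpoints are visible. The packets are constructed inline from documentation address ranges, and the expected-protocol set {ICMP, TCP, UDP} is an assumption chosen for illustration.

```python
import socket
import struct

# Added example, not the post's own code. Constructed IPv4 packets (built
# below, never captured) are parsed, and any packet whose IP protocol number
# falls outside a site's expected set is flagged. The expected set (ICMP,
# TCP, UDP) is an assumption for illustration; tune it to your own network.
EXPECTED_PROTOS = {1, 6, 17}

# IANA-assigned numbers for the protocols the post mentions plus the usual ones.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 11: "NVP-II", 17: "UDP", 41: "IPv6-in-IPv4"}

IPV4_HDR = "!BBHHHBBH4s4s"   # 20 bytes, no options
IPV6_HDR = "!IHBB16s16s"     # 40 bytes


def build_ipv4(src, dst, proto, payload=b""):
    """Minimal IPv4 header (no options, checksum left zero) plus payload.
    Used only to construct sample input; nothing here goes on the wire."""
    hdr = struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_ipv6(src, dst, next_header, payload=b""):
    """Minimal IPv6 header plus payload, for the tunnelled sample packet."""
    hdr = struct.pack(IPV6_HDR, 6 << 28, len(payload), next_header, 64,
                      socket.inet_pton(socket.AF_INET6, src),
                      socket.inet_pton(socket.AF_INET6, dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); raise ValueError on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, pkt[ihl:total_len]


def classify(pkt):
    """Return an alert dict for an unexpected IP protocol number, else None."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto in EXPECTED_PROTOS:
        return None
    alert = {"src": src, "dst": dst, "proto": proto,
             "name": PROTO_NAMES.get(proto, "unassigned/unknown")}
    # Protocol 41 carries a whole IPv6 packet; decode the inner header so the
    # analyst sees where the tunnelled traffic really goes.
    if proto == 41 and len(payload) >= 40 and payload[0] >> 4 == 6:
        _vtf, _plen, nxt, _hop, isrc, idst = struct.unpack(IPV6_HDR, payload[:40])
        alert["inner"] = {"src": socket.inet_ntop(socket.AF_INET6, isrc),
                          "dst": socket.inet_ntop(socket.AF_INET6, idst),
                          "next_header": nxt}
    return alert


def scan(packets):
    """Classify every packet; malformed ones are reported, not silently dropped."""
    alerts = []
    for pkt in packets:
        try:
            alert = classify(pkt)
        except ValueError as err:
            alert = {"error": str(err), "raw_len": len(pkt)}
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (addresses from the documentation ranges).
SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "198.51.100.5", 6, b"\x00\x50\x00\x50"),   # ordinary TCP
    build_ipv4("192.0.2.10", "198.51.100.5", 11, b"id;uname -a\n"),     # commands over proto 11
    build_ipv4("192.0.2.10", "198.51.100.5", 41,                         # IPv6 tunnelled in IPv4
               build_ipv6("2001:db8::1", "2001:db8::2", 6, b"\x1f\x90\x00\x50")),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

Running the block reports the proto 11 packet and the proto 41 packet (with the inner IPv6 endpoints and next header) and stays silent on the TCP packet. On a real honeynet the same check is applied to every frame crossing the honeywall; traffic that is not TCP, UDP or ICMP should be rare enough on a production segment that each hit is worth a look.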

