Fog Creek Software
g
Discussion Board

Honeypot?

Interesting discussions regarding the Half-Life source hijacking.  Major questions on how secure a system connected to the 'net can really be.

Question:  anyone here ever set up and run a honeypot?  If so, can you give some idea as to the level of port scans a typical system connected to the Internet might see?  I've seen all kinds of annecdotal stories about an unprotected system attached to the 'net and in something like five or ten minutes it was somehow compromised. 

Your experiences?

Mitch & Murray (from downtown)
Friday, October 3, 2003

I used to log my firewall connections on a dsl line.  I got portscanned once every week or so, max.  But I wasn't on a large well known network.

On my new cable modem, the transfer light is always blinking out of control, even if I unplug everything from the output of the cable modem.  I would assume a fair amount of that traffic is malicious.

At UC Davis, to add more anecdotal stories, there was a guy (old coworker) that installed RedHat linux to four computers, for a class on securing them.  He did this at about 8:30am or so.  By the time the class started at 10, they were all rooted.

The more well-known the network you're on, the more bad traffic you're going to see.

My opinion, is that its like playing Roulette if you want to leave an un-firewalled and un-patched system on the network.

Andrew Hurst
Saturday, October 4, 2003

I can't really help you here, but I will add another twist to the subject. The first time I read about honeypots, the big problem mentioned wasn't technical, but legal.

I can't find the article, but the first hit on a google search by «honeypot legal» was this:

http://www.securityfocus.com/infocus/1703

Paulo Caetano
Saturday, October 4, 2003

See The HoneyNet Project at http://project.honeynet.org/ for  info on Honeypots. There are several whitepapers on "Know your enemy..." that are interesting. 

Karl
Saturday, October 4, 2003

I agree with a comment made by a previous poster about  the type of network you're on being a contributing factor the number of scans one received.

Being resident on a broadband network guarantees lots of scans. I rarely see a full port scan on my systems (cable 'modem' at home and ADSL at work), usually only a few ports are probed (21,25,80,135,137-139 and 445 (netbios) along with some others commonly used for trojans)

I do see a lot of what I presume to be automated web scanning scripts looking for well known IIS holes.

Quite a lot of work on honeypots was/is done by Lance Spitzner, ex-US Army personnel. If you're interested his websites ( http://www.honeynet.org and http://www.spitzner.net ) have a lot of his research papers, tools, etc.

I have run a honeypot on my home connection at times, it's interesting to see some of the nefarious uses the people who compromise the box put it to. It can be quite a balancing act to make the honeypot not too much trouble (and hence worth the effort) for someone experienced whilst keeping the script kiddies out. Case in point: http://www.theregister.co.uk/content/55/31707.html

Eponymous Biro
Saturday, October 4, 2003

Educational institutions seem to be a big target.  The computer science faculty of my alma matter blocks all incoming connections from .ru and a dozen other domains to the undergraduate computer.  There was a basically stock RedHat box set up for a programming competition and it was hacked.  I know of one other computer that someone took a pass at, but the network administrators noticed the strange traffic and unplugged it.  However, it's very random.  There are dozens of completely unprotected boxes that never get touched. 

Having a high speed link isn't always a guarantee of constant hack attempts.  Smaller companies and non-US companies can have much less problems.  I logged my cable modem for a while and the only unwanted traffic I ever got was Windows networking packets from someone else on the cable loop. 

D
Saturday, October 4, 2003

I have a cable modem and I installed ZoneAlarm before buying a Linksys router. I had a number of ports probed every evening when my computer was on. ZoneAlarm reported no more attempts after I installed Linksys.

coresi
Saturday, October 4, 2003

Sorry not to have the 'new way of thinking' about honeypots, but unless you have the resources to watch them carefully, do research and justify the time and costs involved, then ignore it.

Think about what value it will bring, and how much resources it will take.

fw
Saturday, October 4, 2003

fw has a fair point.

Working in the IS security department I have more than a superficial interest.  Your honeypot could potentially be put to uses that land you in hot water with your ISP. I have never run a honeypot at work as there is no need, and I certainly wouldn't consider it 'taking the initiative' to set one up.

One could obviously restrict the outbound connections that can be made from the machine, but it's not something to run on a whim. The honeypot needs to be properly isolated from the rest of your machines or you could get more than you bargained for.

Eponymous Biro
Sunday, October 5, 2003

I run an SMTP honeypot that masquerades as an open relay.  When someone tries to use it as a relay, it pretends to, but runs really slowly.  I like wasting spammers' time and the code is relatively simple and maintenance-free.  Plus, its fun to see what they try to send.

Lee
Monday, October 6, 2003

*  Recent Topics

*  Fog Creek Home