File this under "Know Your Enemy:"
Generic attacks against a honeypot: Blind your enemy is written by someone who wants to figure out how to defeat honeypots. He reads Spitzner's Honeypots: Tracking Hackers and deduces that the way to defeat honeypots is to launch denial-of-service attacks against them. Of course, since the whole point of a honeypot is to lure in unsuspecting hackers, the question is how you figure out whether a system is real or just a snare:
"Next, we build our list of signatures against known tools that are used in the architecture; a few examples would be those of analyzing and studying Snort, VMware, etc. Interesting: to detect if you're in a VMware box, it's pretty easy (just check for some registry entries; it takes just some lines of code to detect if the process is running in a simulated VM box)."
In other words, somebody might be building a honeypot detector.
I've posted a link to the above on our intrusion detection links page. If you know other resources that should be listed there, click the "Add a resource" link on that page or let me know.
Ok Black Hat, go ahead and check for VMware.
But if we fake those entries and simulate a VMware environment, you will stop hacking my systems and launch a DoS attack? Hmmmmm...
I think this is very interesting. The article is talking more about defeating obvious decoys. Good stuff, though a bit unclear without actual code and examples.
In short, this is a good project hehe ;-).
Posted by: who cares on September 19, 2003 06:23 AM
I want to know about the methods of packet filtering for honeypot setup in Linux.
Posted by: Anil on January 7, 2004 03:23 AM
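The quoted attacker text says a VMware guest is spotted by "some registry entries", and the first comment suggests the defender's counter-move: fake those same entries. The script below is an added example, not code from the original post or from the article it discusses. It is written for the honeypot operator: run it on your own sensor to see which VMware artifacts an attacker's registry check would find, then either scrub them or plant them on production hosts as the comment proposes. The key paths are well-known VMware Tools and virtual-hardware locations, which is an assumption on my part (the exact set varies by VMware version), and the two snapshots at the bottom are constructed, not captured from a real machine. The live collector uses the standard `winreg` module and simply reports nothing on a non-Windows host.

```python
"""Self-audit of the VMware registry artifacts a honeypot guest exposes.

Added example, not code from the original post or the quoted article. The key
paths are assumed well-known VMware artifact locations; the snapshots at the
bottom are constructed sample data.
"""
from __future__ import annotations

from typing import Any, Dict, List, Optional

try:
    import winreg  # Windows only; the matcher itself never needs it
except ImportError:  # non-Windows host: live collection is unavailable
    winreg = None

# (HKLM-relative key path, value name, lowercase substring that marks VMware).
# A value name of None means the mere existence of the key is the indicator.
INDICATORS = [
    (r"SOFTWARE\VMware, Inc.\VMware Tools", None, None),
    (r"SYSTEM\CurrentControlSet\Services\VMTools", None, None),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "vmware"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion", "vmware"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "vmware"),
]

# key path -> {value name -> data}; a key present in the dict exists on the host.
Snapshot = Dict[str, Dict[str, Any]]


def _as_text(data: Any) -> str:
    """Flatten REG_MULTI_SZ lists and other registry types to lowercase text."""
    if isinstance(data, (list, tuple)):
        return " ".join(str(item) for item in data).lower()
    return str(data).lower()


def exposed_indicators(snapshot: Snapshot) -> List[str]:
    """Return one human-readable line for every VMware indicator found."""
    hits: List[str] = []
    for key, value_name, needle in INDICATORS:
        values = snapshot.get(key)
        if values is None:
            continue  # key absent: nothing for a VM-aware tool to see here
        if value_name is None:
            hits.append(f"key present: HKLM\\{key}")
        elif value_name in values and needle in _as_text(values[value_name]):
            hits.append(f"HKLM\\{key}\\{value_name} contains '{needle}'")
    return hits


def collect_live_snapshot() -> Optional[Snapshot]:
    """Read the indicator keys from the local registry; None off Windows."""
    if winreg is None:
        return None
    snapshot: Snapshot = {}
    for key, value_name, _ in INDICATORS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                values = snapshot.setdefault(key, {})
                if value_name is not None:
                    data, _kind = winreg.QueryValueEx(handle, value_name)
                    values[value_name] = data
        except OSError:
            continue  # key or value missing: simply not an exposed artifact
    return snapshot


# Constructed snapshot of a stock VMware guest with VMware Tools installed.
STOCK_VMWARE_GUEST: Snapshot = {
    r"SOFTWARE\VMware, Inc.\VMware Tools": {"InstallPath": "C:\\Program Files\\VMware\\VMware Tools"},
    r"SYSTEM\CurrentControlSet\Services\VMTools": {"Start": 2},
    r"HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["PhoenixBIOS 4.0 Release 6.0", "VMware, Inc."],
        "VideoBiosVersion": ["VMware SVGA II"],
    },
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0": {
        "Identifier": "VMware   Virtual disk    1.0"
    },
}

# Constructed snapshot of the same guest after the operator scrubbed the
# artifacts (Tools removed, BIOS and SCSI strings renamed to a generic vendor).
SCRUBBED_GUEST: Snapshot = {
    r"HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["Generic Vendor 1.00"],
        "VideoBiosVersion": ["Generic VGA"],
    },
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0": {
        "Identifier": "Generic  Virtual disk    1.0"
    },
}


def audit(snapshot: Snapshot) -> str:
    """Summarise a snapshot the way an operator would want to read it."""
    hits = exposed_indicators(snapshot)
    if not hits:
        return "no VMware registry artifacts exposed"
    return "exposed VMware artifacts:\n  " + "\n  ".join(hits)


if __name__ == "__main__":
    live = collect_live_snapshot()
    print(audit(live if live is not None else STOCK_VMWARE_GUEST))
    print(audit(SCRUBBED_GUEST))
```

The same matcher serves both sides of the comment's idea: a sensor that reports zero hits has had its obvious decoy signs removed, while a production host deliberately seeded with these keys will report several, which is exactly what the comment hopes a VM-aware attacker will see.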
