Kuro5hin.org: technology and culture, from the trenches

Building a Honeypot

By in News
Mon Mar 20, 2000 at 05:12:24 PM EST
Tags: Security (all tags)

In an addition to his three-part series "Know Your Enemy", Lance Spitzner tells us how to track black-hats [i.e. potential or actual intruders] while they probe and compromise a system.


Building a Honeypot | 10 comments (10 topical, editorial, 0 hidden)
This article could use a better wri... (none / 0) (#2)
by Strider on Mon Mar 20, 2000 at 10:04:50 AM EST

Strider voted -1 on this story.

This article could use a better write-up. It would be beneficial if you define black-hats and give us some description on the utility of this article. I am an electrical engineer, and I don't know tons about the whole computer guru scene. thanks.
"it's like having gravity suddenly replaced by cheez-whiz" - rusty

Not only useful, but also potentia... (none / 0) (#1)
by fvw on Mon Mar 20, 2000 at 10:22:03 AM EST

fvw voted 1 on this story.

Not only useful, but also potentially VERY amusing, if you are secretly modifying their changes etc. Definitely recommended for a rainy Sunday afternoon.

Hmmm, what could you do... (none / 0) (#5)
by error 404 on Tue Mar 21, 2000 at 11:11:12 AM EST

I'm not an expert on hacking, but I wonder just how much you could mess with an

If the intruder were a specific spy, you could always provide interesting
information - a little insider trading with toxic data, for example - but the
intruder seems to be attacking at random.

So what could you do? Let the intruder steal some, um, buggy software? Trojan
horse the trojan horses?

Electrical banana is bound to be the very next phase
- Donovan

[ Parent ]
Re: Hmmm, what could you do... (none / 0) (#10)
by fvw on Sat Apr 08, 2000 at 07:28:42 PM EST

No, but you can make the system react in very 'abnormal' ways. (modify their
files subtly for instance). And then the intruder tries to figure out what's
going wrong.... And you try and imagine their face.

[ Parent ]
It'd be nice to have a little more ... (none / 0) (#3)
by fluffy grue on Mon Mar 20, 2000 at 02:39:37 PM EST

fluffy grue voted 0 on this story.

It'd be nice to have a little more information, perhaps a summary or detailed description in the extended text.
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]

More on honeypots (4.00 / 1) (#4)
by joeyo on Mon Mar 20, 2000 at 07:37:11 PM EST

RobertGrahm.com has several infosec documents. This one has some info on honeypots.

(Sorry for the bold but I couldn't see the links in preview...)

"Give me enough variables to work with, and I can probably do away with the notion of human free will." -- demi

Re: Building a Honeypot (3.00 / 1) (#6)
by rascal on Tue Mar 21, 2000 at 05:55:08 PM EST

The thing to remember about honey pots is that they are difficult to set up and you risk running into someone who knows more than you. Unfortunately most people read about them in 'An evening with beresford' and think it would be a jolly good idea to have a go. But, if you do get taken and someone realises they are in a pot they may just decide to have a pop at you for irritating them - DDoS rubbish. That said, the back-officer type solution can give you a useful handle on what's happening.

Re: Building a Honeypot (none / 0) (#7)
by Inoshiro on Wed Mar 22, 2000 at 12:13:08 AM EST

True. I would've liked the article better if the author had listed the specific steps to making it harder for the system to be truly rooted, besides just "secure syslog to an alternate host" ..

Methinks it's time I wrote an article on this subject ;-)

[ イノシロ ]
[ Parent ]
Re: Building a Honeypot (4.00 / 1) (#8)
by caliban on Wed Mar 22, 2000 at 05:08:27 AM EST

You misread. The author clearly made the point that he _didn't_ want to harden the system. It was as stock as possible, but behind a firewall. In this case the goal isn't to avoid being rooted, it's the opposite, he wants to investigate 'black hat' modus operandi as they go about rooting...

[ Parent ]
Re: Building a Honeypot (none / 0) (#9)
by rascal on Wed Mar 22, 2000 at 05:50:24 PM EST

The purpose of a full honeypot is to allow a user into a restricted 'view' of the system that the assailant believes is the real machine. It's often a chrooted environment complete with a 'root' user. Thing is, chroot can be broken - the happyhacker people ran this system for a while which you could try and crack; at least one attack I saw was through a lib to get out of chroot. Now if you get properly rooted the system is no longer under your control and anything could happen. Bellovin made some tools he spoke of but never released them as far as I can see. They seem to have made heavy use of a sniffer and some of their actions really only look like they worked because the assailant was on a slow link so they had time to respond.

[ Parent ]