Slashdot Mirror


Using Honeypots to Fight Worms

scubacuda writes "Laurent Oudot, an active member of the French Honeynet Project (part of the Honeynet Alliance), has written a paper evaluating the usefulness of using honeypots in fighting Internet worms. (Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!)"

4 of 229 comments

  1. Re:Honeypot for lawyers by zasos · Score: 3, Informative

    nevermind... RTFA :) here's what it says in the article:

    Honeypots are computer elements helping to delude aggressors. On a production network, evil hackers will attack some kind of fake system, losing time in doing so and giving information about themselves and their methods [ref 4]. When a honeypot is a dedicated host uniquely used to delude aggressors, it is supposed to play no role linked to systems in production. This implies that every request directed to the honeypot is suspect. While honeypots are often thought to be used for passive analysis, they can also play an interactive role to deal with worms. Two kinds of honeypots are often used:

    - high interaction: a kind of real host is usually almost sacrificed (called a "sacrificial lamb") on a network while waiting for any aggressor.
    - low interaction: services and/or hosts are simulated (for example, Honeyd by Niels Provos).

    --

    Just because I don't care, it doesn't mean I don't understand. Homer J. Simpson
  2. Re:Honeypot for lawyers by SirLantos · Score: 3, Informative

    A honeypot is a server that is intentionally left unsecure to lure a cracker into trying to break into it.
    It is kind of like leaving your car doors unlocked in the middle of NYC and pointing a video camera at it to see who tries to steal it.

    --
    The flying hamster of DOOM rains coconuts on your pitiful city.
  3. Yes, imagine that.. by kcm · Score: 5, Informative

    wait, here it is.

  4. Good article by lamj · Score: 4, Informative

    Overall a very good article. The article could have touched upon the ability of honeypots to help create IDS signatures. At the current technology level, IDSes are mostly still signature-based, and early detection with honeypots to help with creating IDS signatures is very important.

    For active countermeasure (or attack), this has to be done VERY carefully. Remember Max Vision? It's good to fix your own machines, and make sure you only attack and fix yours. Access to unauthorized machines is almost always illegal. If one of your boxes got hacked, the incident response team should get involved and do their investigation; auto-patching without investigation can be a risky thing because you just don't know the extent of the problem. When you fix it, the hacker could have a backdoor installed on your box.
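
The idea raised in the last comment, honeypot captures feeding IDS signatures, sketched as an added example that is not part of the thread or the article: since every request reaching a honeypot is suspect, the longest byte string shared by all captures is a signature candidate, provided it does not also occur in known-good traffic. The payloads, the `MARKER` bytes, the function names and the `sid` value are constructed placeholders; the output is a Snort-style rule meant for analyst review.

```python
# Added example: draft an IDS content signature from honeypot captures.
# All payloads are constructed sample data; the sid is a placeholder.

MARKER = b"\x01\x02CONSTRUCTED-WORM-MARKER\x03"
CAPTURED = [  # requests a honeypot logged (every request to it is suspect)
    b"GET /a?q=" + MARKER + b" HTTP/1.0\r\n\r\n",
    b"GET /bb/" + MARKER + b"&n=2 HTTP/1.0\r\n\r\n",
    b"HEAD /c?k-" + MARKER + b"#x HTTP/1.1\r\n\r\n",
]
BENIGN = [b"GET /index.html HTTP/1.0\r\n\r\n"]  # known-good production traffic
NOISE = [b"GET /x HTTP/1.0\r\n\r\n", b"GET /y HTTP/1.0\r\n\r\n"]


def longest_common_substring(payloads):
    """Longest byte string present in every payload (brute force, small inputs)."""
    if not payloads:
        return b""
    base = min(payloads, key=len)
    for length in range(len(base), 0, -1):
        for start in range(len(base) - length + 1):
            candidate = base[start:start + length]
            if all(candidate in p for p in payloads):
                return candidate
    return b""


def draft_rule(payloads, benign, min_len=8, sid=1000001):
    """Return a Snort-style rule for analyst review, or None if unusable."""
    token = longest_common_substring(payloads)
    if len(token) < min_len:
        return None  # too short to be specific
    if any(token in b for b in benign):
        return None  # would alert on legitimate traffic
    hex_bytes = " ".join(f"{byte:02X}" for byte in token)
    return ('alert tcp any any -> $HOME_NET any '
            f'(msg:"honeypot-derived candidate"; content:"|{hex_bytes}|"; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    print(draft_rule(CAPTURED, BENIGN))  # rule built around MARKER
    print(draft_rule(NOISE, BENIGN))     # None: only shared bytes are benign
```

The benign-traffic check is the step that keeps protocol boilerplate such as the HTTP version string from becoming a signature that fires on every request.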