Slashdot Mirror

← Back to Stories (view on slashdot.org)

Using Honeypots to Fight Worms

Posted by CmdrTaco on from the we-hates-them-tony dept.

scubacuda writes "Laurent Oudout, an active member of the French Honeynet Project (part of the Honeynet Alliance), has written a paper evaluating the usefulness of using honeypots in fighting Internet worms. (Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!)"

4 of 229 comments (clear)

  1. Reminds me of what AOL did by DaneelGiskard · · Score: 5, Interesting

    Personally I don't like the "launching counter-attacks to clean infected hosts". It reminds me of what AOL did.

    Still what can one do against users who do not care if they have a worm or not? Should we invet a driving-license thing for the internet, with fines for disregarding the rules? But then we would have the "internet must stay free"-activists on it again :-/

    Personally I'd vote for some sort of internet driving license, without having thought much about it. But it feels like the right thing.

    Oh well, babbled enough, back to work ;)

  2. Re:Counter attacks don't work by IncarnadineConor · · Score: 5, Interesting

    That was proactive, the solution described here is reactive. Rather then using network resources searching for infected computers, it would only respond to infected computers that attempt to infect it. Seems somewhat resonable to me.

  3. Re:Counter attacks don't work by gorfie · · Score: 5, Interesting

    There's a difference between Welchia and this concept though. Welchia *SEEKS OUT* infected hosts, which is why it was so damaging. The honeypot would only attempt to fix machines that are already infected, it wouldn't probe and spread like Welchia.

    However, as another poster said, it's a lawsuit waiting to happen. Even if the project were technically successful, some schmoe out there would try to abuse it somehow.

  4. Honeypot by Anonymous Coward · · Score: 5, Interesting

    I work for a large UK ISP and we have had honeypots in use since the blaster outbreak - they work well.

    If a user is infected and randomly attacks IPs within our network, they eventually hit one of the honeypots. The honeypots flag their account and when they next reconnected they are sent to a 'walled garden' - a dummy DNS RADIUS community where they can only get one webpage, that advises them that they have a virus and provides a download section for removal tools. When they have downloaded all necessary patches, they are automatically removed from the walled garden (using apache logs and RADIUS trace IPs to link the download with their account) and allowed back on the network.

    There's no legal issues involved with us - we are a residential ISP and stuff like this is covered in T&Cs.