Web Honeynet Project IDs Attackers

narramissic writes "The Web Honeynet Project, an independent group of Honeynet researchers from Securiteam and the ITOSF, is putting a new twist on Web application honeynets by naming not only the attack details, but the IP addresses and other tracking information about the attackers as well. As security consultant Brent Huston notes, 'This approach is not unheard of, as lists of known high-volume attackers have been circulating through the Net for several years, but this is the first time someone has applied the honeynet concept to making attacker IP data publicly known.'"

If this can happen...

[houstonbofh]

Think of this as a first step. Next more honeynets start making lists, and a new realtime blackhole routing list is born! Stop the botnets at the gates of the core. More bandwidth for everyone, and the people cut off will get the hint to fix/patch the damn PC!

Re:If this can happen...

[AlHark]

It definitely would make for a great block list for mail servers and security appliances. One simple thing email admins can do to stop BotNet traffic is to drop SMTP connections that do not have a reverse PTR DNS record, generally ISP's only assign reverse DNS to IP addresses that have services running on them (i.e.: email, web, ftp, etc.). Although I have seen quite a few IP's ordinating in Asia that have reverse DNS PTR. We drop traffic with no reverse dns and it stopped a huge number (about 85%) of dynamic IP's and end user IP connections without causing any problems for legitimate SMTP traffic. The flood became a trickle...

Re:If this can happen...

[Monoman]

A more effective method would be to redirect web clients to a page explaining they are being blocked/quarantined, why they are being blocked, and how they can become unblocked.

I'm sure it would be next to impossible to get this system up but its one idea.

Re:Lawsuits?

[beakerMeep]

I think you have it backwards

as far as i know you can call me a big doo doo head all you want. but what you cant say is that my post is "killing babies in 3rd world contries" (who knew my post had that kind of power?). The point is though just because the lawsuits would be baseless if the spammer really -did- spam, that isnt something that has prevented someone from suing and pretending they arent a spammer to win damages and intimidate the anti-spam community.

for more on defamation: http://en.wikipedia.org/wiki/Slander_and_libel

Burden of proof on the defendant

In most legal systems the courts give the benefit of the doubt to the defendant. In criminal law, he or she is presumed innocent until the prosecution can prove guilt beyond a reasonable doubt; whereas in civil law, he or she is presumed innocent until the plaintiff can show liability on a balance of probabilities. However, in defamation tort, this burden of proof is reversed: the defendant has the burden to prove the truth of the defamatory communication. The plaintiff only has the burden of proving that the publisher made the statement and that the statement was defamatory, the untruth of that statement is then presumed.

# Opinion is a defense recognized in nearly every jurisdiction. If the allegedly defamatory assertion is an expression of opinion rather than a statement of fact, defamation claims usually cannot be brought because opinions are inherently not falsifiable. However, some jurisdictions decline to recognize any legal distinction between fact and opinion. The United States Supreme Court, in particular, has ruled that the First Amendment does not require recognition of an opinion privilege.

Re:This may just exacerbate the botnet issue.

[CdBee]

Some attackers are more direct, though

Recently I, through curiosity, had a look at the website of the North Korean government while using a PC that had a software firewall but wasn't behind a NAT router. Literally seconds later the machine reported sustained attacks using several vectors, all originating from a range of 4 IPs located in Seoul, S.Korea.

I wonder if the democratic peoples's republic (hah!) of North Korea knows its web server is apparently being monitored...