Slashdot Mirror


Web Honeynet Project IDs Attackers

narramissic writes "The Web Honeynet Project, an independent group of Honeynet researchers from Securiteam and the ITOSF, is putting a new twist on Web application honeynets by naming not only the attack details, but the IP addresses and other tracking information about the attackers as well. As security consultant Brent Huston notes, 'This approach is not unheard of, as lists of known high-volume attackers have been circulating through the Net for several years, but this is the first time someone has applied the honeynet concept to making attacker IP data publicly known.'"

16 of 70 comments

  1. Lawsuits? by beakerMeep · · Score: 3, Insightful

    I wonder if it's just a matter of time before someone sues them for defamation. But still a good thing they are doing. The more pressure on spammers the better.

    --
    meep
    1. Re:Lawsuits? by deft · · Score: 4, Informative

      I believe defamation is when you say somebody did something they -didn't- do. Otherwise you're just stating a fact. (I could be wrong though.)

      For instance, I could say your post was legally incorrect; and if I'm right, then that is a fact, not defamation. If I said you're a big doo doo head for doing that.... defamation!

      (making it the first declaration of defecation description defamation ever).

      --

      There's nothing Intelligent about Intelligent Design.
    2. Re:Lawsuits? by beakerMeep · · Score: 5, Interesting
      I think you have it backwards.

      As far as I know you can call me a big doo doo head all you want. But what you can't say is that my post is "killing babies in 3rd world countries" (who knew my post had that kind of power?). The point is though, just because the lawsuits would be baseless if the spammer really -did- spam, that isn't something that has prevented someone from suing and pretending they aren't a spammer to win damages and intimidate the anti-spam community.

      for more on defamation: http://en.wikipedia.org/wiki/Slander_and_libel

      Burden of proof on the defendant

      In most legal systems the courts give the benefit of the doubt to the defendant. In criminal law, he or she is presumed innocent until the prosecution can prove guilt beyond a reasonable doubt; whereas in civil law, he or she is presumed innocent until the plaintiff can show liability on a balance of probabilities. However, in defamation tort, this burden of proof is reversed: the defendant has the burden to prove the truth of the defamatory communication. The plaintiff only has the burden of proving that the publisher made the statement and that the statement was defamatory, the untruth of that statement is then presumed.

      Opinion is a defense recognized in nearly every jurisdiction. If the allegedly defamatory assertion is an expression of opinion rather than a statement of fact, defamation claims usually cannot be brought because opinions are inherently not falsifiable. However, some jurisdictions decline to recognize any legal distinction between fact and opinion. The United States Supreme Court, in particular, has ruled that the First Amendment does not require recognition of an opinion privilege.

      --
      meep
    3. Re:Lawsuits? by WrongSizeGlass · · Score: 3, Funny

      As far as I know you can call me a big doo doo head all you want. But what you can't say is that my post is "killing babies in 3rd world countries"

      I promise not to call you a 'big doo doo head' if you promise to restrain your posts in a fashion that prevents them from harming those poor babies in 3rd world countries, because let's face it, Madonna can't save them all.

      Won't somebody think of the children!

    4. Re:Lawsuits? by discord5 · · Score: 3, Insightful

      But still a good thing they are doing

      *cough* PROXY *cough*

      Seriously, anyone doing something nasty on the net is using a proxy, either one from the lists, tor or another hacked machine. Publishing these IP addresses is complete rubbish. It'll point to some machine on the net along a chain of connections.

    5. Re:Lawsuits? by FLEB · · Score: 2, Insightful

      The number of proxies that intentionally allow attacks can be filtered. The proxies and zombies that don't can remedy the problem... or be filtered.

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
  2. If this can happen... by houstonbofh · · Score: 4, Interesting

    Think of this as a first step. Next, more honeynets start making lists, and a new realtime blackhole routing list is born! Stop the botnets at the gates of the core. More bandwidth for everyone, and the people cut off will get the hint to fix/patch the damn PC!

    1. Re:If this can happen... by AlHark · · Score: 4, Interesting

      It definitely would make for a great block list for mail servers and security appliances. One simple thing email admins can do to stop BotNet traffic is to drop SMTP connections that do not have a reverse PTR DNS record; generally ISPs only assign reverse DNS to IP addresses that have services running on them (i.e.: email, web, ftp, etc.). Although I have seen quite a few IPs originating in Asia that have reverse DNS PTR. We drop traffic with no reverse DNS and it stopped a huge number (about 85%) of dynamic IPs and end user IP connections without causing any problems for legitimate SMTP traffic. The flood became a trickle...

      --
      Allen Harkleroad - www.fivemilliondots.com
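The reverse-DNS gate described in the comment above, as an added example that is not code from the thread: the DNS answers are constructed and injected so it runs offline, and it also shows the forward-confirmed (FCrDNS) variant, which catches the "has a PTR but it points elsewhere" case a PTR-only check accepts.

```python
"""Reverse-DNS gating of SMTP clients, as the comment above proposes.
Added example, not code from the thread; DNS lookups are injected so it runs
offline against constructed records (real MTAs do this at connect time)."""
import ipaddress

# Constructed sample DNS data: PTR answers per IP and A answers per hostname.
PTR = {
    "203.0.113.10": "mail.example.org",       # proper mail host
    "203.0.113.77": "smtp.example.net",       # PTR exists, forward does not match
    "198.51.100.200": "dyn-200.isp.example",  # generic pool name (still has a PTR)
}
A = {
    "mail.example.org": ["203.0.113.10"],
    "smtp.example.net": ["192.0.2.5"],
    "dyn-200.isp.example": ["198.51.100.200"],
}

def classify(ip, ptr=PTR.get, a=A.get):
    """Return 'no_ptr', 'ptr_unconfirmed' or 'fcrdns_ok' for a client IP.

    'no_ptr'          : no reverse record; the comment's rule drops these.
    'ptr_unconfirmed' : PTR exists but the name does not resolve back to the IP
                        (this is the case a PTR-only check lets through).
    'fcrdns_ok'       : forward-confirmed reverse DNS.
    """
    ipaddress.ip_address(ip)  # raise early on garbage input
    name = ptr(ip)
    if not name:
        return "no_ptr"
    if ip in (a(name) or []):
        return "fcrdns_ok"
    return "ptr_unconfirmed"

def filter_connections(ips, require_fcrdns=False):
    """Apply the policy to a batch of client IPs; return (accepted, dropped)."""
    accepted, dropped = [], []
    for ip in ips:
        verdict = classify(ip)
        ok = verdict == "fcrdns_ok" if require_fcrdns else verdict != "no_ptr"
        (accepted if ok else dropped).append(ip)
    return accepted, dropped

if __name__ == "__main__":
    clients = ["203.0.113.10", "198.51.100.44", "203.0.113.77", "198.51.100.200"]
    for strict in (False, True):
        acc, drop = filter_connections(clients, require_fcrdns=strict)
        print(f"strict={strict}: drop {len(drop)}/{len(clients)} -> {drop}")
```

Note that the dynamic-pool address with a generic PTR passes even the strict check, which is the porousness the comment observes with some Asian IP ranges.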
    2. Re:If this can happen... by chaosite · · Score: 2, Insightful

      Well, it's not "realtime". When do you remove a patched zombie machine? After a month? 2 weeks? This solution doesn't take into account the hordes of otherwise legitimate zombie machines. It won't stop attackers, IMO.

    3. Re:If this can happen... by 140Mandak262Jamuna · · Score: 2, Insightful
      OK, someone had such poor security that his/her machine gets rooted. Why should it be anyone else's responsibility to mark it legitimate as soon as it has been fixed? Why should it be easy to re-legitimize machines/IP addresses that get compromised? Let them jump through the hoops. Let them suffer a little. Maybe it will serve as a lesson for others to take security seriously.

      Only when the consequences of allowing one's machines to be zombified are serious and high will people take security seriously.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    4. Re:If this can happen... by faloi · · Score: 2, Insightful

      Only when the consequences of allowing one's machines to be zombified are serious and high will people take security seriously.

      "I never could get that darn cable modem to work right after a while. So I swapped to DSL and it's fine again!"

      I think you're overestimating the people this is likely to catch. Most companies are likely to have reasonable security. Most knowledgeable home users are going to have reasonable security. It's the guy that has no idea what they're doing that's going to get in trouble. And I'm betting they're just as likely to swap service providers as they are to think something's wrong with their box. Unless you want to pay more for broadband so they can have the manpower necessary to keep up with blocked machines and make the end users aware...

      --
      "It is a miracle that curiosity survives formal education." -Albert Einstein
    5. Re:If this can happen... by Monoman · · Score: 3, Interesting

      A more effective method would be to redirect web clients to a page explaining they are being blocked/quarantined, why they are being blocked, and how they can become unblocked.

      I'm sure it would be next to impossible to get this system up, but it's one idea.

      --
      Keep the Classic Slashdot.
  3. Re:This may just exacerbate the botnet issue. by CdBee · · Score: 3, Interesting

    Some attackers are more direct, though

    Recently I, through curiosity, had a look at the website of the North Korean government while using a PC that had a software firewall but wasn't behind a NAT router. Literally seconds later the machine reported sustained attacks using several vectors, all originating from a range of 4 IPs located in Seoul, S. Korea.

    I wonder if the democratic people's republic (hah!) of North Korea knows its web server is apparently being monitored...

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  4. Re:This may just exacerbate the botnet issue. by Short+Circuit · · Score: 2, Insightful

    I run a free pc clinic, and I've seen people wait up to a year before getting their computer fixed. Usually, though, it's more like three or four months, and that's only if the computer is unusably slow.

    While handing out fliers on Wednesday, I encountered people who were certain their computers had viruses, but hadn't planned to do anything about it.

    The followup you're describing sounds like the ???? stage in the standard three-step business plan.

  5. Yes ... and no. by khasim · · Score: 2, Informative

    Publishing these IP addresses is complete rubbish. It'll point to some machine on the net along a chain of connections.

    If the crackers know what they're doing, the logs on the proxy are going straight to /dev/null so they don't ever leave a trace on the hard drive.

    BUT there is a chance that the local law enforcement can put a sniffer on that connection at the ISP level and track the connection that way.

    The major problems with that are ...
    #1. Coordinating law enforcement efforts in various countries

    #2. Educating the enforcement agencies in those countries

    #3. Finally busting the cracker ... and charging him with what? The laws vary depending upon his country.

    Even if all of that was accomplished, there would be another zombie master along in a few days to take over the vulnerable machines that are left behind.
  6. Slight copy of another existing project by mrkitty · · Score: 2, Informative

    http://www.webappsec.org/projects/

    This project is already gathering data and will be publishing the results shortly.

    --
    Believe me, if I started murdering people, there would be none of you left.