[plug] Building a "minefield/tarpit" for worms

Bernd Felsche bernie at innovative.iinet.net.au
Wed May 31 21:07:51 WST 2006


"Senectus ." <senectus at gmail.com> writes:
>On 31/05/06, Bernd Felsche <bernie at innovative.iinet.net.au> wrote:
>> "Senectus ." <senectus at gmail.com> writes:
>> >On 31/05/06, Daniel J. Axtens <danielax at gmail.com> wrote:

>> >> As Daniel pointed out, this sort of thing is called a honeypot - just
>> >> googling honeypot will get you started. There is also a honeypots
>> >> mailing list on securityfocus.

>> >Unless it's for research purposes, I fail to see why this is a good idea...

>> I don't actually want to attract probes. I just want to blow their legs
>> off if they tread on my minefield. :-)

>> That should reduce their ability to probe other machines.

>But in all reality a honey pot just wastes your bandwidth. 

It's not a honey-pot I want. I don't wish to *attract* attacks.

>I don't think a trojan/virus has been created in years that doesn't
>multicast its scans.. so even though it thinks it's found a way in
>on your system it's going to keep looking elsewhere anyhow. In the
>meantime your bandwidth gets eaten up by a resistant piece of code
>trying to solidify its infection.  Seems very futile to me.

It depends what you do with the attacking host and its information.

For example:

If the host is obviously sending spam, then I can for example 
t a l k   r e a l l y   s l o w l y .... and appear to drop lots of
packets to slow down their sender. Eventually, after painfully
receiving the entire message at a few bytes per second, it could
issue a response
    "554 Thank you for registering your open relay"
but most spammers don't listen anyway.

Meanwhile, the IP of that host can be registered as an open relay in
a number of lists.  And LARTs are issued to (ir)responsible owners
of the domain. 

I can do a whois lookup and add the source's netblock CIDR to a
private blacklist.

Despite my use of several open relay lists, I *still* get about a
hundred attempts every HOUR to send emails to bogus addresses
ineptly harvested from the Internet and Usenet.

OTOH: if the attacker is trying to penetrate another known
vulnerability (e.g. ports 139 or 445), then they can be allowed to
waste their time trying their attack on a very poorly connected
virtual host.

Again; auto-LARTs could be sent, which has the potential to have the
offending machines/sites/networks disconnected.

The motivation for doing this sort of thing is to increase the
probability of offenders being caught and to increase their cost of
operation.
-- 
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ /  ASCII ribbon campaign | "Laws do not persuade just because
 X   against HTML mail     |  they threaten."
/ \  and postings          | Lucius Annaeus Seneca, c. 4BC - 65AD.
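The "talk really slowly" SMTP tarpit described above, written out as an added example (this is not Bernd's code, and the pacing constants, the listening port 2525 and the hostname `tarpit.example` are assumptions). The state machine accepts every command so the sender keeps feeding the session, drips each reply out a byte at a time after a long silence, and only after the terminating `.` of the DATA body answers with the 554. One caveat a practitioner should know: an application-level tarpit can only slow the replies it sends; throttling the sender's own data to "a few bytes per second" means shrinking the TCP receive window, which needs kernel or netfilter help rather than this script.

```python
"""Minimal SMTP tarpit. Added example, not code from the original post.

Accept the whole spam transaction as slowly as possible, then reject it
with a 554, and keep the envelope so the source can be reported/blocked.
"""
import socketserver
import time

# Pacing: all assumed values, tune to taste.
LINE_DELAY = 10.0        # seconds of silence before every reply
BYTES_PER_SECOND = 4     # reply bytes dripped out per second
LISTEN = ("127.0.0.1", 2525)   # assumed; real deployments bind port 25


class TarpitSession:
    """SMTP dialogue state machine, independent of the socket so it can be
    unit-tested. Every command is accepted; only the DATA body is rejected."""

    def __init__(self, hostname="tarpit.example"):   # hostname is assumed
        self.hostname = hostname
        self.in_data = False
        self.body_bytes = 0
        self.envelope = []   # MAIL FROM / RCPT TO lines, for the LART step

    def greeting(self):
        return f"220 {self.hostname} ESMTP\r\n"

    def handle_line(self, line):
        """Return the reply for one client line, or None while inside DATA
        (nothing is sent until the terminating '.' arrives)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "554 Thank you for registering your open relay\r\n"
            self.body_bytes += len(line) + 2   # count the CRLF we stripped
            return None
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}\r\n"
        if verb in ("MAIL", "RCPT"):
            self.envelope.append(line)
            return "250 OK\r\n"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>\r\n"
        if verb == "QUIT":
            return "221 Bye\r\n"
        return "250 OK\r\n"   # anything else: agree, and waste their time


class TarpitHandler(socketserver.StreamRequestHandler):
    """One connection: feed the session line by line, drip the replies."""

    def slow_write(self, text):
        # Long pause first (looks like loss/retransmission to the sender),
        # then one byte per write so their read timeouts stretch out.
        time.sleep(LINE_DELAY)
        for b in text.encode("ascii"):
            self.wfile.write(bytes([b]))
            self.wfile.flush()
            time.sleep(1.0 / BYTES_PER_SECOND)

    def handle(self):
        session = TarpitSession()
        self.slow_write(session.greeting())
        for raw in self.rfile:
            line = raw.decode("latin-1").rstrip("\r\n")
            reply = session.handle_line(line)
            if reply is not None:
                self.slow_write(reply)
            if reply is not None and reply.startswith("221"):
                break
        # session.envelope and self.client_address[0] are what you would
        # feed to a whois lookup / private blacklist (not implemented here).


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, TarpitHandler) as srv:
        srv.serve_forever()
```

Run it and point `telnet 127.0.0.1 2525` (or a real sender) at it; the session state is kept out of the socket handler so the dialogue can be exercised without waiting on the delays.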