[Snort-users] Re: VERY simple 'virtual' honeypot
dugsong at ...5264...
Fri Mar 8 08:49:10 EST 2002
On Fri, Mar 08, 2002 at 08:19:11AM -0500, Ron Gula wrote:
> Dragon Sensor can use this info to look for traffic to non-existent
> hosts, and traffic to non-existent services on active hosts. Besides
> being a good honeypot, it is also an excellent trickle scan detection
> engine. Scalability is roughly at the DMZ/class-c level.

at Arbor Networks, we've been doing this kind of blackhole monitoring
as well, but on an unused, globally-announced class A network:

monitoring an entire /8, you see lots of interesting things, including:

- constant worm infection attempts (see the paper above)
- backscatter from victims of source-spoofed DDoS attacks
- widespread host scans for the vulnerability du jour (FTP,
  dtspcd, SSH, etc. - you name it, we see it)
- random Internet flotsam and jetsam i have yet to figure out (!)

if there's enough interest, we might release the software we've
written to capture, reassemble, and characterize this traffic
(tentatively called "MasterBaiter" :-)
if our marketing folks don't kill me first...
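
The sorting of unsolicited traffic discussed in this thread (probes to non-existent hosts, probes to non-existent services on live hosts, and DDoS backscatter), as an added example that is not part of the original posts and is not Dragon Sensor or Arbor Networks code. The monitored range, host inventory and packet tuples are constructed, and the flag sets used to recognise backscatter are an assumption of this sketch.

```python
import ipaddress
from collections import defaultdict

# Assumption: the range being watched and the services known to be live in it.
MONITORED = ipaddress.ip_network("192.0.2.0/24")
LIVE = {"192.0.2.10": {25, 80}, "192.0.2.20": {22}}

# Replies a DDoS victim sends back to the spoofed source address it was given.
BACKSCATTER_TCP = {"SA", "R", "RA"}
BACKSCATTER_ICMP = {"echo-reply", "unreachable", "time-exceeded"}

# Constructed sample: (src, dst, proto, dst_port, TCP flags or ICMP type)
PACKETS = [
    ("198.51.100.7", "192.0.2.10", "tcp", 80, "S"),    # real service: ignored
    ("198.51.100.7", "192.0.2.10", "tcp", 21, "S"),    # live host, no FTP
    ("203.0.113.5", "192.0.2.77", "tcp", 22, "S"),     # unused address
    ("203.0.113.5", "192.0.2.78", "tcp", 22, "S"),     # next unused address
    ("203.0.113.9", "192.0.2.99", "tcp", 4321, "SA"),  # reply nobody asked for
    ("203.0.113.9", "192.0.2.130", "tcp", 1025, "R"),
    ("203.0.113.44", "192.0.2.200", "icmp", None, "unreachable"),
    ("198.51.100.1", "10.0.0.1", "tcp", 80, "S"),      # outside the range
]

def classify(dst, proto, dport, info):
    """Return a label for unsolicited traffic, or None if unremarkable."""
    if ipaddress.ip_address(dst) not in MONITORED:
        return None
    if dst in LIVE:
        # Only connection attempts to ports the host does not offer count.
        if proto == "tcp" and info == "S" and dport not in LIVE[dst]:
            return "dark-service"
        return None
    if proto == "tcp" and info in BACKSCATTER_TCP:
        return "backscatter"
    if proto == "icmp" and info in BACKSCATTER_ICMP:
        return "backscatter"
    return "dark-host"

def summarize(packets):
    """Count distinct dark targets per source, with no time window, so a
    slow (trickle) scan accumulates instead of ageing out."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, dport, info in packets:
        kind = classify(dst, proto, dport, info)
        if kind:
            seen[src][kind].add((dst, dport))
    return {s: {k: len(v) for k, v in kinds.items()} for s, kinds in seen.items()}

if __name__ == "__main__":
    for src, counts in summarize(PACKETS).items():
        print(src, counts)
```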