--- Lance Spitzner <lance (at) honeynet (dot) org [email concealed]> wrote:
> First, many people are including the term 'decoy' in the
> definition. While honeypots can 'decoy', I don't think
> that should be in the definition. The term decoy implies
> "to lure or entrap". Often honeypots don't lure. You just
> put them out there and the bad guys find them on their own
> intiative, nothing special is done to insare the attacker.
> The Honeynet Project has being doing this for years now.

Not sure I agree, Lance. To say you don't do anything "special" to lure
attackers to the honeynet is a bit dubious. You attempt to make your
honeypots look as much like real systems as possible. I would call that
using deception or artifice to insnare your prey.
If I'm a duck hunter I make my decoy look as much like a duck as
possible. I don't try to make it look better than a duck. By making
your honeypots look more like real systems you are making your decoys
look like the things your prey seeks.

I understand the desire to move away from the "negative' words like
decoy and deception but the fact is that is exactly what we're doing
and there's nothing wrong with it. I believe decoy is absolutely the
correct term for the honeynet.

There is a question whether a low-interaction honeypot like honeyd
deployed as an early warning system qualifies as a decoy. In this case
it is more akin to a trip wire or doorway sensor than it is to a decoy.
However, even in this scenario, we are still attempting to make a
"machine" look as much like a real host as possible. Thus, still a
decoy or a lure. When honeyd logs activity it is just like the
fisherman's lure bobbing in the water.

As they say "A rose by any other name..."

-J

[ reply ]