Honeypots
Re: DNS honeypots? Mar 03 2010 02:49AM
chr1x (chr1x sectester net)

This post looks pretty interesting!

Let's analyze your requirement:

1. Logging malicious queries
2. Reject/Deny any possible dns attack attempt

Well, from my point of view, going from the Honeypot concept, which is
to track hackers, probably the best way that you can follow is to set up
an IPS instead of a Sensor. Personally, I don't see the purpose of having
a "Reactive" honeypot if the objective of a honeypot is to be as open as
possible, talking about vulnerabilities on network/local services ready
to receive tons of attacks.

Anyway, the only way closer to the thing that you are looking for is to
set up Snort on your DNS server, configure just the rules for DNS
attacks, and see if there is a way to drop the DNS packets that come from
the attacker side, but probably looking here could help:

http://snort-inline.sourceforge.net/

The difference between a normal Snort installation and snort-inline is
that the second one takes actions on the packets that Snort detects; in
this case, probably after you configure the DNS service, the DNS
rule detection and the snort-inline config, you can have a very nice
"reactive" honeypot :D

Hope this helps, Jason.

Best regards,

Christian

On 02/03/2010 05:11 p.m., Jason Lewis wrote:
> Cool, this is the kind of thing I was thinking of doing. I was hoping
> I wouldn't have to reinvent the wheel.
>
> Thanks.
>
> On Tue, Mar 2, 2010 at 3:49 PM, Jason Ross <algorythm (at) gmail (dot) com [email concealed]> wrote:
>> On Tue, Mar 2, 2010 at 3:00 PM, Jason Lewis <jlewis (at) packetnexus (dot) com [email concealed]> wrote:
>>> Anyone have any pointers to dns honeypots or maybe just BIND
>>> configurations that would allow logging of malicious queries without
>>> actually executing them?
>>>
>>
>>
>> Below is how I've got BIND set up in Debian Linux for a similar purpose.
>> It sends all the queries to a log file, and returns an A record (and MX)
>> of whatever value you'd like (I used RFC1918 space for this example).
>>
>> Not sure it's perfect, but it works pretty well for my purposes.
>>
>> Cheers,
>> --
>> Jason
>>
>>
>>
>> root dir: /etc/bind
>>
>> ========
>> named.conf
>> ========
>> include "/etc/bind/named.conf.options";
>>
>> zone "." IN {
>>     type master;
>>     file "/etc/bind/db.wildcard";
>> };
>>
>>
>> ========
>> named.conf.options
>> ========
>> options {
>>     directory "/var/cache/bind";
>>     allow-transfer { none; };
>>     listen-on-v6 { any; };
>> };
>>
>> logging {
>>     channel query_log {
>>         severity info;
>>         print-time yes;
>>         file "query.log" versions 5 size 50M;
>>     };
>>     category queries {
>>         query_log;
>>     };
>> };
>>
>>
>> ========
>> db.wildcard
>> ========
>> $TTL 604800
>> @   IN SOA localhost. root.localhost. (
>>         2009102201  ; serial
>>         604800      ; refresh
>>         86400       ; retry
>>         2419200     ; expire
>>         604800 )    ; negative cache ttl
>>
>> @   IN NS localhost.
>> *   IN MX 10 mail.
>> *   IN A  192.168.3.101
>>
>>
>>
>>
>>
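The BIND setup quoted above hands every query a wildcard answer and writes all of them to query.log; the next step a defender wants is to read that log back and see which clients are worth a look. The following Python script is an added example, not code from the thread or from Jason's setup: the log line shape (BIND 9 with print-time yes), the sample lines and the heuristic thresholds are all assumptions.

```python
import re
from collections import Counter

# Assumed BIND 9 query-log line shape (print-time yes); the sample below is constructed:
#   <date> <time> client <ip>#<port>: query: <qname> IN <qtype> <flags> (<server-ip>)
LOG_RE = re.compile(r"^\S+ \S+ client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
                    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) ")
NOISY_QTYPES = {"ANY", "AXFR", "IXFR"}   # bulk or amplification-style lookups
MAX_LABEL = 32                           # a single label longer than this is unusual
HEXISH = re.compile(r"^[0-9a-f]+$", re.I)

# Constructed sample log, not from the original post; the last line is deliberately garbled.
SAMPLE_LOG = """\
02-Mar-2010 20:11:33.101 client 192.168.1.50#53213: query: www.example.com IN A + (192.168.3.101)
02-Mar-2010 20:11:34.204 client 192.168.1.50#53214: query: mail.example.com IN MX + (192.168.3.101)
02-Mar-2010 20:11:35.402 client 10.0.0.7#40002: query: example.com IN ANY + (192.168.3.101)
02-Mar-2010 20:11:36.009 client 10.0.0.7#40003: query: 4d5a90000300000004000000ffff0000b8000000.x.example.net IN A + (192.168.3.101)
02-Mar-2010 20:11:37.000 client 10.0.0.7#40004: query: host7.example.net IN A + (192.168.3.101)
not a query line at all
"""

def parse_line(line):
    # Return (ip, qname, qtype), or None for lines that are not query records.
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").rstrip("."), m.group("qtype")

def classify(qname, qtype):
    # Heuristic review tags for one query: reasons to look closer, not verdicts.
    reasons = []
    if qtype in NOISY_QTYPES:
        reasons.append("noisy-qtype:" + qtype)
    if any(len(lbl) > MAX_LABEL and HEXISH.match(lbl) for lbl in qname.split(".")):
        reasons.append("long-hex-label")   # encoded data riding in the query name
    return reasons

def summarize(log_text):
    # Per-client query count plus a tally of review reasons.
    per_client = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                       # skip non-query and garbled lines
        ip, qname, qtype = rec
        entry = per_client.setdefault(ip, {"queries": 0, "reasons": Counter()})
        entry["queries"] += 1
        entry["reasons"].update(classify(qname, qtype))
    return per_client
```

Pointing summarize() at the real query.log (the file lives under the options directory, here /var/cache/bind) gives a per-source view; newer BIND releases add fields to the query line, so adjust LOG_RE to the version you run.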

Copyright 2010, SecurityFocus