Hardware Performance of Honeyd Jan 12 2007 03:40AM
Sol_Invictus (sol haveyoubeentested org) (2 replies)
Re: Hardware Performance of Honeyd Jan 12 2007 06:08PM
David Watson (david honeynet org uk) (1 replies)
Re: Hardware Performance of Honeyd Jan 16 2007 02:04PM
Michael Bailey (mibailey eecs umich edu)
Re: Hardware Performance of Honeyd Jan 12 2007 04:17AM
Valdis Kletnieks vt edu (1 replies)
On Thu, 11 Jan 2007 22:40:38 EST, Sol_Invictus said:
> Our goal is a nice Class B network with random "Configured" systems for more
> info for some good reporting.. My main question is, would this system
> handle a class A honeynet?

Personally, I wouldn't try to make a honeynet much bigger than a /16 (which is
what a "class B" *should* be called ever since CIDR happened oh about a decade
or so ago). The biggest problem with trying to go to a /8 isn't the actual
simulation of a /8, it's trying to make a /8 that somebody will *believe*
(remember, there's only 256 /8s in the entire IPv4 space, and every single
one is accounted for). 10/8 is probably the only one you could get people
to believe - but that is of limited utility...

And on the flip side - if you're trying to emulate an entire /8, you will
need a way to make the routing look right from the attacker's point
of view, and not break anything. This has *two* sides:

1) If you're faking (for example) the 12/8 net, you won't attract any
packets from anyplace that has a BGP feed that draws those packets towards
ATT Worldnet (the real owner of 12/8). So you only see packets from people
"upstream" from you.

2) You better be ready for your upstream users to raise holy heck with your
support desk on why ATT just fell off the net....

Moral: You *really* want to make the honeynet be an otherwise "dark" subnet
of your own address space.

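A check for the advice in the post above (keep the honeynet to roughly a /16 and carve it from an otherwise dark part of your own address space), added here as an example and not part of the original thread. The address ranges are constructed stand-ins for an organisation's allocation, and the function names are hypothetical.

```python
import ipaddress

MAX_PREFIXLEN = 16  # the post's sizing advice: not much bigger than a /16


def check_honeynet(candidate, own_space, live_subnets, max_prefixlen=MAX_PREFIXLEN):
    """Return a list of reasons why `candidate` is a poor honeynet prefix."""
    cand = ipaddress.ip_network(candidate)
    own = [ipaddress.ip_network(n) for n in own_space]
    live = [ipaddress.ip_network(n) for n in live_subnets]
    problems = []
    if cand.prefixlen < max_prefixlen:
        problems.append(f"{cand} is larger than a /{max_prefixlen}")
    # Announcing or faking space you do not hold pulls in (or breaks) someone
    # else's traffic, so the prefix must sit inside your own allocation.
    if not any(cand.subnet_of(o) for o in own):
        problems.append(f"{cand} is not inside your own address space")
    # "Dark" means no production subnet shares any address with it.
    for net in live:
        if cand.overlaps(net):
            problems.append(f"{cand} overlaps live subnet {net}")
    return problems


def dark_candidates(own_space, live_subnets, prefixlen=MAX_PREFIXLEN):
    """List every prefix of the given length in own space with no live hosts."""
    live = [ipaddress.ip_network(n) for n in live_subnets]
    found = []
    for block in (ipaddress.ip_network(n) for n in own_space):
        if block.prefixlen > prefixlen:
            continue  # allocation is smaller than the requested honeynet size
        for sub in block.subnets(new_prefix=prefixlen):
            if not any(sub.overlaps(net) for net in live):
                found.append(str(sub))
    return found


# Constructed sample data: one allocation and the subnets already in use.
OWN_SPACE = ["10.20.0.0/14"]
LIVE_SUBNETS = ["10.20.0.0/16", "10.21.4.0/22", "10.23.0.0/17"]

if __name__ == "__main__":
    print(dark_candidates(OWN_SPACE, LIVE_SUBNETS))
    for prefix in ("12.0.0.0/8", "10.21.0.0/16", "10.22.0.0/16"):
        print(prefix, check_honeynet(prefix, OWN_SPACE, LIVE_SUBNETS) or "ok")
```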
Re: Hardware Performance of Honeyd Jan 12 2007 03:24PM
Arthur Clune (arthur honeynet org uk)


Copyright 2010, SecurityFocus