[unisog] DDoS IRC bots

Peter Van Epp vanepp at sfu.ca
Thu Mar 6 15:57:26 GMT 2003

On Wed, Mar 05, 2003 at 10:20:44PM -0800, Bill McCarty wrote:
> <snip> 
> Despite opinions that compromises commonly result from null passwords, I've
> so far been unable to verify that attack vector. I do have TCP 445 traffic
> that might have taken advantage of the lack of a password. However, my
> primitive honeypot is not well instrumented, so it's hard to determine the
> attackers' actions. I'm currently developing tools to remedy this lack.
> Meanwhile, I plan to deploy honeypots with and without passwords and
> thereby hope to determine if the absence of a password is an important
> factor.

	I would have thought that a machine running tcpdump with a snap length
of 1510 (assuming Ethernet as input) to capture all packets in and out of the
honeypot machine's ethernet interface (without an IP address on the interface
doing the sniffing to prevent it being compromised!) would be the first element 
of your honeypot simply for liability reasons. How do you know who (and if) 
your machine is attacking outside your net after being compromised without 
that? How do you assess that your machine may have become too great a threat 
to someone else on the net? While I have to admit that I have never had any
reaction except thanks (and sometimes disbelief until logs of the breakin are
supplied :-)) when argus finds an attack launched from here by compromised 
machines, I expect there are some people who would call the lawyers instead 
even if I have been lucky enough to not run into any yet ...

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
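As an added illustration of the capture-first setup Peter describes (this is not code from the post or from unisog), a small POSIX shell script: it prints the commands for an address-less sniffing interface and a full-frame tcpdump capture with snap length 1510, then runs a check over a constructed sample of tcpdump text output that flags connections the honeypot itself opened towards other hosts, which is the liability question the post raises. The interface name, honeypot address and sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. SNIFF_IF, HONEYPOT_IP and the
# sample capture lines are assumptions / constructed values.
SNIFF_IF="${SNIFF_IF:-eth1}"                # sniffing NIC, carries no IP address
HONEYPOT_IP="${HONEYPOT_IP:-192.0.2.10}"    # the honeypot's address (constructed)

# Commands that bring the sniffing interface up with no address on it, so the
# sniffer itself is unreachable from the network. Printed, not run (needs root).
prepare_sniff_if() {
    echo "ip addr flush dev $SNIFF_IF"
    echo "ip link set $SNIFF_IF up"
}

# Full-frame capture: -s 1510 covers a whole Ethernet frame, -n suppresses
# DNS lookups (the sniffer must stay silent), -w keeps raw pcap as evidence.
capture_cmd() {
    echo "tcpdump -n -i $SNIFF_IF -s 1510 -w honeypot-\$(date +%Y%m%d).pcap"
}

# Keep only pure SYNs (Flags [S], not the [S.] of a SYN-ACK) whose source is
# the honeypot: connections the compromised machine initiated towards others.
outbound_syns() {
    hp=$(printf '%s' "$HONEYPOT_IP" | sed 's/\./\\./g')
    grep -E "IP $hp\\.[0-9]+ > " | grep -E 'Flags \[S\],'
}

# Constructed sample of "tcpdump -n" text output: an inbound 445 probe, its
# SYN-ACK, then two connections the honeypot opens outward (IRC and HTTP).
SAMPLE='12:00:01.000001 IP 198.51.100.7.51234 > 192.0.2.10.445: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 192.0.2.10.445 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:05.000000 IP 192.0.2.10.1030 > 203.0.113.5.6667: Flags [S], seq 3, win 64240, length 0
12:00:06.000000 IP 192.0.2.10.1031 > 203.0.113.9.80: Flags [S], seq 4, win 64240, length 0'

# Number of outbound connection attempts found in the sample (expected: 2).
count_outbound_syns() {
    printf '%s\n' "$SAMPLE" | outbound_syns | grep -c '^'
}

prepare_sniff_if
capture_cmd
echo "Honeypot-initiated connections: $(count_outbound_syns)"
printf '%s\n' "$SAMPLE" | outbound_syns
```

On a live sniffer the same filter runs over `tcpdump -n -r honeypot-*.pcap` output, so the pcap written by the capture command is both the evidence and the input for this check.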