Web Honeynet Project IDs Attackers

narramissic writes "The Web Honeynet Project, an independent group of Honeynet researchers from Securiteam and the ITOSF, is putting a new twist on Web application honeynets by naming not only the attack details, but the IP addresses and other tracking information about the attackers as well. As security consultant Brent Huston notes, 'This approach is not unheard of, as lists of known high-volume attackers have been circulating through the Net for several years, but this is the first time someone has applied the honeynet concept to making attacker IP data publicly known.'"

Lawsuits?

[beakerMeep]

I wonder if it's just a matter of time before someone sues them for defamation. But still a good thing they are doing. the more pressure on spammers the better.

Re:Lawsuits?

[deft]

I believe defamation is when you say somebody did something they -didn't- do. otherwise you're just stating a fact. (I could be wrong though.)

For instance, I could say your post was legally incorrect; and if I'm right, then that is a fact, not defamation. If I said you're a big doo doo head for doing that.... defamation!

(making it the first declaration of defecation description defamation ever).

Re:

[cheater512]

And since when has that stopped anyone? They'll try anyway.

Re:Lawsuits?

[beakerMeep]

I think you have it backwards

as far as i know you can call me a big doo doo head all you want. but what you cant say is that my post is "killing babies in 3rd world contries" (who knew my post had that kind of power?). The point is though just because the lawsuits would be baseless if the spammer really -did- spam, that isnt something that has prevented someone from suing and pretending they arent a spammer to win damages and intimidate the anti-spam community.

for more on defamation: http://en.wikipedia.org/wiki/Slander_and_libel [wikipedia.org]

Burden of proof on the defendant

In most legal systems the courts give the benefit of the doubt to the defendant. In criminal law, he or she is presumed innocent until the prosecution can prove guilt beyond a reasonable doubt; whereas in civil law, he or she is presumed innocent until the plaintiff can show liability on a balance of probabilities. However, in defamation tort, this burden of proof is reversed: the defendant has the burden to prove the truth of the defamatory communication. The plaintiff only has the burden of proving that the publisher made the statement and that the statement was defamatory, the untruth of that statement is then presumed.

# Opinion is a defense recognized in nearly every jurisdiction. If the allegedly defamatory assertion is an expression of opinion rather than a statement of fact, defamation claims usually cannot be brought because opinions are inherently not falsifiable. However, some jurisdictions decline to recognize any legal distinction between fact and opinion. The United States Supreme Court, in particular, has ruled that the First Amendment does not require recognition of an opinion privilege.

Re:

[WrongSizeGlass]

as far as i know you can call me a big doo doo head all you want. but what you cant say is that my post is "killing babies in 3rd world contries"

I promise not to call you a 'big doo doo head' if you promise to restrain your posts in a fashion that prevents them from harming those poor babies in 3rd world countries, because let's face it, Madonna can't save them all.

Won't somebody think of he children!

Re:

[cryptor3]

I feel like the grandparent's point is that truth is an ultimate defense for a charge of slander/libel. And I see that your point is that you have a right to state whatever opinion statements you want, and that spammers have won their suits even though they probably didn't deserve to. But no matter how shocking his statement about you is, if it is true, he has a right to say it. Yes he might go to court for it, if he can prove it, no one can fault him for doing making that statement.

If your post really d

Re:

[HiThere]

You're ignoring the costs.
If you could prove that it was true, but can't afford the legal fees, you lose anyway.

Re:

[deft]

ah yes, because the doo doo head thing would be my opinion, the babies death would be a lie... and thats the defamation. im allowed to say you're an asshat in my opinion.... just not a murdering asshat.

so not entirely backwards.

Re:

[Threni]

Exactly. I know website owners who get angry but ignorant people complaining that the site owners are sending them spam (their details are being given as spoof return addresses). Now other innocent people will have their machines taken over and used in all manner of ways and someone will add their IP address to a list of `known spammers` or hackers or whatever. I guess that's easier than doing the job properly.

Re:Lawsuits?

[discord5]

But still a good thing they are doing

*cough* PROXY *cough*

Seriously, anyone doing something nasty on the net is using a proxy, either one from the lists, tor or another hacked machine. Publishing these IP addresses is complete rubbish. It'll point to some machine on the net along a chain of connections.

Yes ... and no.

[khasim]

Publishing these IP addresses is complete rubbish. It'll point to some machine on the net along a chain of connections.

If the crackers know what they're doing, the logs on the proxy are going straight to /dev/nul so they don't ever leave a trace on the hard drive.

BUT there is a chance that the local law enforcement can put a sniffer on that connection at the ISP level and track the connection that way.

The major problems with that is ...
#1. Coordinating law enforcement efforts in various countries

#2. Educat

Re:

[Lord Ender]

Brent is aware of this. It is still useful to know which networks have security so lax that they are regularly used as hacking proxies.

Re:

[FLEB]

The number of proxies that intentionally allow attacks can be filtered. The proxies and zombies that don't can remedy the problem... or be filtered.

Re:

[Kream]

For those running Linux, pf also runs on Gentoo :)

Re:

[ArcherB]

Don't mod posts as offtopic when they are in response to another post. Mod the parent as offtopic!

By the way, I hope they make an example out of a few of these punks. I would really like to see them let loose in a room full of the IT departments that they attacked.!

Re:

[Achromatic1978]

By the way, I hope they make an example out of a few of these punks. I would really like to see them let loose in a room full of the IT departments that they attacked.!

Me too. I picture a bunch of dorks attacking someone with underarm odour, fetid breath, and if they really want to get hardcore on his ass, their Darth Maul lightsabers.

If this can happen...

[houstonbofh]

Think of this as a first step. Next more honeynets start making lists, and a new realtime blackhole routing list is born! Stop the botnets at the gates of the core. More bandwidth for everyone, and the people cut off will get the hint to fix/patch the damn PC!

Re:

[hadhad69]

and the people cut off will get the hint to fix/patch the damn PC!

Or Dells customer service hotline will start getting bombarded even more so than it is already!

Re:If this can happen...

[AlHark]

It definitely would make for a great block list for mail servers and security appliances. One simple thing email admins can do to stop BotNet traffic is to drop SMTP connections that do not have a reverse PTR DNS record, generally ISP's only assign reverse DNS to IP addresses that have services running on them (i.e.: email, web, ftp, etc.). Although I have seen quite a few IP's ordinating in Asia that have reverse DNS PTR. We drop traffic with no reverse dns and it stopped a huge number (about 85%) of dynamic IP's and end user IP connections without causing any problems for legitimate SMTP traffic. The flood became a trickle...

Re:

[WaXHeLL]

And you may also lose out on a significant portion of very small businesses and individuals who aren't willing to pay the "fees" that are associated with PTR DNS records.

Re:

[AlHark]

The whole point is to limit reverse DNS PTR records to only IP address (i.e.: servers, gateways, routers, etc.) that have legitimate services running like: email, DNS, email, WWW, FTP, SQL, etc. End users and small business do not need (read: should not have) reverse DNS records unless they are running in-house services such as those mentioned above.

Re:

[Short Circuit]

If you really want to only accept mail from a computer that has mail services running, why not send a SYN packet to port 25 of the sending IP, and see if you get a RST packet in response?

You don't have to set up a full connection, and you can set a timeout for waiting for the reponding packet. (Though, if it were me, I'd probably have a cache table I'd check against first. If I receive 4000 emails from a server, I don't want to SYN flood the poor thing.)

Re:

[AlHark]

sending a syn packet to port 25 only verifies that a service is indeed running on that port, it won't tell you if it is a legitimate mail server or other SMTP service. While of course a reverse DNS record doesn't tell you either it does reduce the amount of SMTP connections from non legitimate sources. SPF records can help along with reverse DNS to weed out BotNet and Trojaned PC traffic as well as spammer operations as they rarely have reverse DNS records either, due to the fact that they move around so mu

Re:

[Anonymous Coward]

So "legitimate" is defined as "paying for the reverse DNS record", not as "Someone intended to set up a mail server to use"?

Re:

[dwayrynen]

It used to be, though it's not so popular any more, that web servers defaulted to collecting in-addr.arpa names for the incoming browser requests. If the incoming ip didn't have something set up for it's reverse ptr record, the web server would stall out trying to obtain that information. This lead to increased load on the web server (and why it's not the default any more) and a really bad browsing experience for the web client.

Any service provider that has users on ips without ptr records is doing a diss

Re:

[AlHark]

with SMTP, it depends on the mail server software and what you set it up to do, most modern mail software you can set options on incoming (SMTP) and outgoing (POP) mail. For instance we use Alt-N Mdaemon mail server software and it has several excellent options you can set on SMTP connection, one of which is to drop SMTP connections with no reverse record. Nearly all legitimate mail server (probably 99.9% of them) have reverse DNS PTR records, because without them mail would fail a good bit without a revers

Re:

[redcane]

I have set up my own mail server so I can tune my mail filtering to my own liking, and not have to rely on whichever ISP I'm using at the moment (I'm happy to switch ISPs when I find a better deal). Of course I also save money by not paying for ISP spam filtering. I would have to pay extra to get a reverse DNS PTR, but my email server sends no spam. Unfortunately it sometimes gets blocked, bit of a hassle, but I just generally don't talk to those people or I don't give them my business. There's plenty of pe

Re:

[AlHark]

I have never heard of of an ISP charging to add a simple reverse DNS PTR record for an IP, it takes like 1/2 second to add one to a DNS record. If they have assigned you a static IP address you should be able to get the reverse record added for nothing as it is just a DNS update.

Re:

[chaosite]

Well, its not "realtime". When do you remove a patched zombie machine? After a month? 2 weeks? This solution doesn't take into account the hordes of otherwise legitimate zombie machines. It won't stop attackers, IMO.

Re:

[140Mandak262Jamuna]

OK, someone had such poor security that his/her machine gets rooted. Why should it be anyone else's responsibility to mark it legitimate as soon as it has been fixed? Why should it be easy to re-legitimize machines/ip addresses that get compromised. Let them jump through the hoops. Let them suffer a little. May be it will serve as a lesson for others to take security seriously.

Only when the consequences of allowing one's machines to be zombified is serious and high people will take security seriously.

Re:

[faloi]

Only when the consequences of allowing one's machines to be zombified is serious and high people will take security seriously.

"I never could get that darn cable modem to work right after a while. So I swapped to DSL and it's fine again!"

I think you're overestimating the people this is likely to catch. Most companies are likely to have reasonable security. Most knowledgeable home users are going to have reasonable security. It's the guy that has no idea what they're doing that's going to get in troubl

Re:

[PopeRatzo]

And I'm betting they're just as likely to swap service providers as they are to think something's wrong with their box.

How many times you think they're going to do that? How many ISPs are there in most places. They'll get the message. And if they don't... 'ef 'em.

Re:If this can happen...

[Monoman]

A more effective method would be to redirect web clients to a page explaining they are being blocked/quarantined, why they are being blocked, and how they can become unblocked.

I'm sure it would be next to impossible to get this system up but its one idea.

Re:

[dwayrynen]

Simplicita ZBX http://simplicita.com/ [simplicita.com] does something like that now, but it's for blocking your own users traffic prior to letting it out onto the Internet at large, not for redirect clients on the network the users are browsing.

Re:

[chaosite]

Because the system is really ripe for abuse.

All you had to do to get an IP banned, is show some honeypot logs. Maybe spoof some IPs. Too easy.
Its the same problem really with todays spam black lists. Its really hard to get off one, because the second you get into one (even via a joejob) people assume you're guilty.

Societal problem, meet technological solution, etc, etc...

Re:

[140Mandak262Jamuna]

Well, there should be consequences for falsely implicating an innocent party. Yes, it would be very difficult for the innocent party to prove its innocence. But when it does, the accuser should lose credibility too. Heck, with the amount of traffic slashdot gets, (netcraft ransk slashdot traffic to be in the top 100 most visited sites) slashdot is able to be relatively spam free. Even wikipedia with its high ranking is able to get some kind of usable trust building system. A similar networks of trust can be

Yeah but where?

[jginspace]

I looked for the data mentioned in the summary and all I could find was this from the Securiteam blog [securiteam.com] (posted Jan 12). Is that it? Interestingly it says the name of the project has been changed from "Web Honeynet Project" to "Web Honeynet Task Force".

This may just exacerbate the botnet issue.

[Short Circuit]

This may just exacerbate the botnet issue. Think about it; if most attacks are relayed through bots, and bots are vulnerable Windows machines, then this kind of effort is only publicizing lists of IPs where vulnerable Windows machines reside.

That sounds like a dream-come-true for attackers.

Re:This may just exacerbate the botnet issue.

[CdBee]

Some attackers are more direct, though

Recently I, through curiosity, had a look at the website of the North Korean government while using a PC that had a software firewall but wasn't behind a NAT router. Literally seconds later the machine reported sustained attacks using several vectors, all originating from a range of 4 IPs located in Seoul, S.Korea.

I wonder if the democratic peoples's republic (hah!) of North Korea knows its web server is apparently being monitored...

Re:

[Aladrin]

That's just the first layer, though. Once about 20 attackers hit the same machine, the person is going to notice that their 'intarwebs are teh slow' and either get a friend to 'fix' it (probably with an OS reinstall) or take it to a shop, where the same thing is likely to happen if they are that infected. If they take it to the shop, they're likely to get the protection they need, and if their friend has to fix it 3 weeks in a row, they're likely to take it to a shop when he screams at them.

Things usually

Re:

[Short Circuit]

I run a free pc clinic [grc4.org], and I've seen people wait up to a year before getting their computer fixed. Usually, though, it's more like three or four months, and that's only if the computer is unusably slow.

While handing out fliers on Wednesday, I encountered people who were certain their computers had viruses, but hadn't planned to do anything about it.

The followup you're describing sounds like the ???? stage in the standard three-step business plan.

Re:

[Aladrin]

Some people will always be idiots. You can't stop that. The rest of the world can be helped.

As for the 'usually three or four months' ... Perhaps that's just the subset of the population that you've seen. When providing things (or services) for free, you get different people than when you charge. They typically tend to be the people who aren't willing to pay. Those who -are- willing to pay will generally look up a computer shop in the phone book and use that, instead of looking for a free service.

It m

Re:Good thing.

[Technician]

Think about it; if most attacks are relayed through bots, and bots are vulnerable Windows machines, then this kind of effort is only publicizing lists of IPs where vulnerable Windows machines reside.

Not a problem. When 50 or so botnet herders all try to use the same pasture, the overgrazing will kill it off. Problem of zombies is solved as they melt down.

Re:

[Short Circuit]

I'll believe it when I see it.

More likely, botnet software will start incorporating anti-malware functionality targetting competing bots.

ID's the *attacker*

[nurb432]

Unlikely. Its more like they ID the comprised machine the attacker is using.

Bad idea.

Re:

[eli pabst]

Agreed. This doesn't sound like a really well thought out plan. It's pretty doubtful that anyone doing large scale scanning is doing it directly from their home machine, but rather relay it through hosts on the bot net. So it's likely that they are really going to be accusing grandma and grandpa of cracking because they didn't patch their windows98 machine. I could see if they are trying to do something useful like dshield and informing people that their systems are cracked, but that doesn't sound like

quote is wrong

[SaberTaylor]

http://www.dshield.org/ [dshield.org] collaboratively collected ip addresses that were showing up in log files. At first you could search broadly but probably due to the various worms with backdoors such as CodeRed, they switched it to just looking up 1 ip address at a time.

Project Honeypot

[erica_ann]

I signed up at http://www.projecthoneypot.org/ [projecthoneypot.org] for a similar type of aservice last year. This one is a distributed system for identifying spammers and the spambots they use to scrape addresses from your website.

This one shows Harvester Visits to Your Site(s), email Addresses Issued on Your Site(s), Spam Received at Your Addresses, and global statistics. They also show an ip list from harversters and track it.

how effective?

[bcrowell]

I wonder how effective this can really be. I get a lot of traffic on my server from clients that may be attempting to DOS me, or may just be running poorly behaved webscraper scripts, e.g., scripts looking for blogs and wikis they can spam, which end up requesting the same large URL three times in one second. So far I've been able to keep them from giving me a lot of downtime, through a combination of mod_evasive and some homebrewed scripting. When I do a reverse DNS on them, they typically look like they'r

Re:

[houstonbofh]

Well, as a given ISP finds more and more of his IP addresses unable to get into more and more of the net, they may decide to start filtering the zombies at there gateway. Make them deal with there own spew... It worked for spam hosting domains. (But this was before spammers moved to bots nets. Actually it was WHY spammers moved to bot nets.)

Ok. I give up. Where's the list?

[mnemotronic]

I must be in the brainless zone today. I cannot find this highly publicized and promoted list of IP numbers. We got articles, we got links, but IP numbers? Ogg not find. Ogg feeling stupid. Embarrass family. Ogg need know if his IP number on list, even though he regularly change router's [dd-wrt.com] WAN ethernet number, get new IP from glomcast [comcast.net]. Ogg spend much time nmapping [insecure.org] spammers. Running nessus [nessus.org]. Ogg probably on someone's list as troublemaker. Ogg not care. Tired of UEC not from wild boar.

Slight copy of another existing project

[mrkitty]

http://www.webappsec.org/projects/ [webappsec.org]

This project is already gathering data and will be publishing the results shortly.

Know-nothing user, but I like this idea!

[quixote9]

I'm one of those people who could be hosting a bot and not even know it. (Just for the record, I try to make sure I don't, but I have no guarantees of success.) I'd really LIKE a system that turned off the traffic WITH A WARNING MESSAGE ABOUT WHY. I could understand if they didn't tell me how to fix it, since that would presumably differ on different systems. It would be a relief to know that in spite of my ignorance, I didn't have to worry about being part of the problem.

Legal Defamation Info from EFF

[chameleon_skin]

I've often wondered *exactly* what is required to prove defamation, so I did some digging.

This is from the EFF [eff.org], giving good guidelines on what constitutes defamation.

Note that what makes this really tricky for the online world is that in most cases defamation is a state matter, not a Federal one, making jurisdiction a tough issue. Different states have different qualifications for defamation, one of the most relevant being whether or not the defendant knowingly made false statements about the plaintiff

My list

[id]

Every time someone spams/annoys/generally pisses me off I add them to a block list

http://fu.ckers.org/fuckers.txt [ckers.org]

Legality of honeypots

[harshmanrob]

I work at a pretty large multi-national and I have talked with the lawyers about honeypots from time to time and basically they are divided amongst themselves of if the honeypots are even legal to begin with. One of them is convinced that a honeypot is entrapment.

Already being done

[Salty Pirate]

These guys are already doing this via web honeypot and pushing in real time the IP list to our firewall. http://www.autoshun.org/ [autoshun.org] It updates on the fly depending on the threat. Makes me sleep better at night.