Honeypot as a Service (opens in new tab)

(haas.nic.cz)

108 pointsadamsurak5y ago13 comments

13 comments

> You install and run the HaaS proxy application, downloadable from our website

Said website is a GitLab repo without a release artifact in sight, so I guess “downloadable” means you can download the source code, compile it yourself, and figure out how to set it up on your own.

Sure makes it easy to join...

coderintherye5y ago

This is great, but why not join forces with Project Honeypot? https://www.projecthoneypot.org/

teruakohatu5y ago

If a honeypot is widely used, won't scammers just detect the honeypot? or even just detect latency from their connection being proxied elsewhere?

pfundstein5y ago

You are giving these script kiddies far too much credit.

The authors of the tools they use may try to implement honeypot detection, but that's fruitless cat & mouse game, and to what end?

Assuming "honeypot" based on latency is a fool's errand because many legitimate things can induce latency.

LinuxBender5y ago

Targeted attacks will eventually figure out the honeypot, though may trip over it a bit and create some noise. Hopefully this causes someone to look at the attacker. This can also be useful forensic data to provide to the authorities.

Bots doing initial discovery won't figure it out. I have the same bots trying to log into my SFTP server today that have been trying for years. It's not even a honeypot. I literally create accounts for all the bots with a null password in hopes they one day upload something neat.

spicyramen5y ago

I wrote my dissertation using honeypots and in VoIP you can actually act as a real system and pretend you have been hacked by emulating real system behavior, in this case PSTN. Most of the scammers wouldn't dare to check each system as they normally attack ranges of ip addresses

yellow_lead5y ago

> won't scammers just detect the honeypot

It's fairly difficult to detect a well-made honeypot.

>even just detect latency from their connection being proxied elsewhere

Not if the attacker is legitimately placed far away from you. Also, from my experience these bots have very large timeouts set.

PappaPatat5y ago

This submission is a better honeypot than the software link it points to. It has not been updated (latest blog entry 19/02/2018, latest code release Jul 30 2018).

Honeypots are high maintenance, or easy detectable.

Better example (disclaimer, I might have had something to do with this when it was being developed) is the DT Honeypot initiative.

Website: https://sicherheitstacho.eu/start/main

Code (Deutsche Telekom AG Honeypot Project on 01 Apr 2019): https://dtag-dev-sec.github.io/

sytse5y ago

This is a great early detection mechanism for malware.

Providers like Crowdstrike https://www.crowdstrike.com/ already aggregate results of malware scans for customers.

This is different because it is National CSIRT of the Czech Republic and because it is a honeypot, it will let the attacker use more commands.

waihtis5y ago

Self plug: founder at https://www.avesnetsec.com and launching something like this as a SaaS-offering very soon - doing limited access trials right now and expect full launch in 4 weeks' time.

Some of the comments here around usability echo our early customer feedback very much - which is why we want to be as smooth on the plug and play side as possible.

gitgud5y ago

> "Your computer stays safe because all communication is redirected to our server."

Won't they see the packets hopping to other devices via a command like 'traceroute'?

imnotjames5y ago

Depends on what networking layer they're proxying. Layer 4 with something like PROXY protocol and it's not as easy to tell.

CoughlinJ5y ago

Last update, 2018. Cool.

j / k navigate · click thread line to collapse