I've been looking at several online sources that describe how to build a honey pot for hackers who attempt to break into your network. By giving people who gain access illegally to your network a fake honey pot of information you can keep them away from the real stuff you are trying to protect.

However my idea would be to open the doors a little more to the hackers.

When people port scan my network the firewall notes the scan taking place and 'locks' the user's IP address out for X number of minutes. This lets the user know right away that a particular IP address and port are not available.

My suggestion is for the firewall to respond with a 'yes' command to EVERY port and EVERY IP address even if it's not a real desktop, server or piece of hardware.

When people scan my networks, if I could find a way to answer with an FTP or TELNET login prompt to every single port on a given IP address then think of the amount of time a hacker would waste simply providing false login/password to every single port on an address. Even if you did mask a real FTP or TELNET in there on a non-standard FTP or TELNET port then would hackers really try to provide a username/password to a process that only asks but never verifies the user information on every single port on only one machine? That could take hours for only one machine to be scanned.

If a network FTP scan answered on every single IP address with a randomly generated set of filenames with "username" and "password" and the defaults, think of how much time would be wasted looking and sifting through all of those dead files.

Even port scanners that look for 'open' ports would be overloaded if all 65,000 ports responded with a 'yes' command. Where would you start looking for ways to gain access? By only showing the ports that are open you are limiting the ways to attack you. Having all of them open would make it more difficult and a great deal more time consuming to scan networks. You would never know what is good and what is just wasting your time.

Systems could be programmed to display falsified server name data on port 137-139 for Windows networks. When hackers see server names such as CAUGHTYA and STOPSCAN they might realize what's happened.

That alone might discourage most hackers.

A few points to think about if you're going to build a honeypot:

  1. Hackers ('crackers' for you slashbots in the audience) are not stupid. A machine with every port open is obviously a honeypot, and will be ignored. You have to make the machine look interesting and vulnerable without being too obvious about it. Think about it - if you're trying to catch burglars, would you put the trap behind a door that said "TREASURE ROOM - BURGLARS PLEASE IGNORE" in flashing yellow neon?

  2. Open ports actually make scans run faster. Most scanning programs have a variety of techniques to find open ports, but in essence they are all the same - Send some data to each port, and wait for a response. If there's no response after a few seconds, the port is probably closed or firewalled off. If you have every port open, the server will respond on every port, and the scanner does not have to wait for the timer to expire to decide if each port is closed.

  3. Having every port respond as if it were a ftp or telnet server is uninteresting. Nobody sits around trying random usernames and passwords. For the most part, your average hax0r is going to be looking for exploitable services. You want to make the machine look as if it's running an old version of Red Hat or Solaris - something that is widely known to be remotely rootable. Similarly, old versions of bind, wu-ftpd, sendmail, and rpc.mountd are widely known to be easily exploited. Making your honeypot pretend to have common security holes is a great way to confuse and annoy. But remember:

  4. Don't get cocky. Nothing will make a would-be hacker redouble his efforts more quickly than some mocking message saying "HAHA_CAUGHTYA_J00_ARE_LAME". There's a great big 'net out there, and there are hundreds of other machines much easier to penetrate than yours. You want him to waste his time, get bored, and leave. Mocking him presents a new and interesting challenge. That's when the trouble starts.

Personally, I have my doubts about the usefulness of honeypots, but if you're gonna build one, use your head. You're building this machine to lure people in. This means you will attract attention. Don't be surprised if eventually someone sees past your clever ruse and hits you where it hurts.
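
A rough timing model of point 2 above, as an added example that is not part of either writeup: it estimates how long a full 65,535-port sweep takes when the target answers on every port versus silently dropping probes. It goes slightly beyond the text by also modelling a firewall that actively rejects with a reset. The round-trip time, timeout, retry count, parallelism, and all function names are constructed assumptions, not measurements.

```python
import heapq

# Constructed timing assumptions (not measurements), in seconds.
RTT = 0.05      # round trip between scanner and target
TIMEOUT = 2.0   # how long a scanner waits on a silent port
RETRIES = 1     # extra attempts a scanner makes on a silent port

def probe_cost(state):
    """Time one probe occupies a scanner slot, given how the target reacts."""
    if state in ("open", "closed"):   # an answer (accept or reset) after one RTT
        return RTT
    if state == "filtered":           # packet dropped: every timeout is waited out
        return TIMEOUT * (1 + RETRIES)
    raise ValueError(state)

def scan_time(port_states, parallel=100):
    """Wall-clock time to probe every port with `parallel` probes in flight."""
    slots = [0.0] * parallel          # time at which each probe slot frees up
    heapq.heapify(slots)
    finish = 0.0
    for state in port_states:
        end = heapq.heappop(slots) + probe_cost(state)
        finish = max(finish, end)
        heapq.heappush(slots, end)
    return finish

def policy(name, total=65535, real_open=(21, 23)):
    """Port states the target presents under a given firewall policy."""
    answer = {"all_open": "open", "reject": "closed", "drop": "filtered"}[name]
    return ["open" if p in real_open else answer for p in range(1, total + 1)]

def compare(parallel=100):
    """Estimated sweep duration in seconds for each policy."""
    return {name: round(scan_time(policy(name), parallel), 1)
            for name in ("all_open", "reject", "drop")}

if __name__ == "__main__":
    for name, secs in compare().items():
        print(f"{name:9s} {secs:8.1f} s")
```

Under these assumptions the answer-everything policy costs the scanner about as little time as a firewall that rejects outright, while silently dropping probes is what stretches the sweep.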
