I've been looking at several
online sources that describe how to build a
honey pot for
hackers who attempt to break into your
network. By giving people who gain access
illegally to your network a fake honey pot of
information you can keep them away from the real stuff you are trying to protect.
However my idea would be to open the doors a little more to the hackers.
When people port scan my network the firewall notes the scan taking place and 'locks' the user's IP address out for X number of minutes. This lets the user know right away that a particular IP address and port are not available.
My suggestion is for the firewall to respond with a 'yes' command to EVERY port and EVERY IP address even if it's not a real desktop, server or piece of hardware.
When people scan my networks if, I could find a way to answer with an FTP or TELNET login prompt to every single port on a given IP address then think of the amount of time a hacker would waste simply providing false login/password to every single port on an address. Even if you did mask a real FTP or TELNET in there on a non-standard FTP or TELNET port then would hackers really try to provide a username/password to a process that only asks but never verifies the user information on every single port on only one machine? That could take hours for only one machine to be scanned.
If a network FTP scan answered on every single IP address with a randomly generated set of filenames with "username" and "password" and the defaults think of how much time would be wasted looking and sifting through all of those dead files.
Even port scanners that look for 'open' ports would be overloaded if all 65,000 ports responded with a 'yes' command. Where would you start looking for ways to gain access? By only showing the ports that are open you are limiting the ways to attack you. Having all of them open would make it more difficult and a great deal more time consuming to scan networks. You would never know what is good and what is just waisting your time.
Systems could be programmed to display falsifed server name data on port 137-139 for Windows networks. When hackers see server names such as CAUGHTYA and STOPSCAN they might realize what's happend.
That alone might discourage most hackers.