From a counter-intelligence perspective, standard honeypot/honeynet technologies have not bared much fruit in the way of web attack data. Web-based honeypots have not been as successful as OS level or other honeypot applications (such as SMTP) due to the lack of their perceived value. Deploying an attractive honeypot web site is a complicated, time-consuming task. Other than a Script Kiddie probing for an easy defacement or an indiscriminant worm, you just won't get much traffic.
So the question is - How can we increase our traffic, and thus, our chances of obtaining valuable web attack reconnaissance?
This project will use one of the web attacker's most trusted tools against them - the Open Proxy server. Instead of being the target of the attacks, we opt to be used as a conduit of the attack data in order to gather our intelligence. By deploying multiple, specially configured open proxy server (or proxypot), we aim to take a birds-eye look at the types of malicious traffic that traverse these systems. The honeypot systems will conduct real-time analysis on the HTTP traffic to categorize the requests into threat classifications outlined by the Web Security Threat Classification and report all logging data to a centralized location.
To find out more information about the project - please see the FAQ
The WASC Distributed Open Proxy Honeypot team will be releasing periodic threat reports of significant activity and trends.
Web Security Threat Report, Volume 1: January - April 2007
Web Security Threat Report, Volume 2: November 2007
InfoWorld - Malware honeypots wait for '08
TechWorld - Researchers eye open-proxy attacks
If you would like to be involved with the project, please contact the project leader - Ryan Barnett (rcbarnettgmail.com)
There are two ways to participate:
You can participate by deploying the WASC Open Proxy Honyepot sensor on your own network. WASC has created a VMware image of the standard sensor. This image includes all of the software to quickly get your sensor up and running with little configuration on the end user's part. You must contact the project leader via email in order to participate. You will then recieve the link location to download the VMware image. You will need to have the free version of VMware player or Server.
Even if you do not deploy a honeypot sensor, we need help with data analysis for the capture traffic. We will provide access to the ModSecurity Management Appliance (MMA) web interface to all project participants. The MMA has built in searching and reporting functions that may be used for batch analysis. We will provide all project participants with a reporting procedure so that we have a consistent process for vetting data prior to releasing to the public.
Insert links to other pages or uploaded files.
Tip: To turn text into a link, highlight the text, then click on a page or file from the list above.
Comments (0)
You don't have permission to comment on this page.