Hello Kernelmode,
I'm setting up a honeypot system where all honeypots report to a central system.
The question I have is how to expose them to the most attacks by knowing how the attackers operate. At the moment I have a bunch of them in the same /21 public subnet. They are already getting a lot of attacks, but I want to try to get as many as possible.
1) Do attackers/infected PCs most often scan by IP address or DNS name? In other words, will I need to register DNS records for them?
2) Do infected computers start scanning random addresses or start with IPs similar to their own public one? In other words, do I need to place my honeypots in different subnets around the world?
I understand having my first "contribution" to this forum be a question is a bit tasteless, but I'm still busy working down the list of 'interesting' malware. Once I have RE'ed those I hope I can help with the newer samples.
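Both questions can be answered from the hits the honeypots are already collecting rather than guessed: bucket each source by how many leading address bits it shares with the honeypot it hit (same /24, /16, /8, or distant), and count how many HTTP requests carried a real hostname versus an IP literal in the Host header. This is an added example, not code from the original post; the log tuples and the 203.0.113.0/24 honeypot range are constructed sample data, and the field layout (source, destination, Host header) is an assumption about what the central collector stores.

```python
import ipaddress
from collections import Counter

# Constructed sample hits: (source IP, honeypot IP, HTTP Host header or None).
# Real input would come from the central collector's log store.
SAMPLE_HITS = [
    ("203.0.113.250", "203.0.113.10", None),               # same /24
    ("203.0.200.1",   "203.0.113.10", None),               # same /16
    ("203.45.6.7",    "203.0.113.20", "203.0.113.20"),     # same /8, Host is an IP literal
    ("198.51.100.9",  "203.0.113.10", "hp1.example.net"),  # distant, reached by DNS name
    ("192.0.2.33",    "203.0.113.20", None),               # distant, raw TCP probe
]

def shared_prefix_bits(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()

def proximity_bucket(shared: int) -> str:
    """Map a shared-prefix length onto the /24, /16, /8 question in the post."""
    if shared >= 24:
        return "same_/24"
    if shared >= 16:
        return "same_/16"
    if shared >= 8:
        return "same_/8"
    return "distant"

def reached_by_name(host) -> bool:
    """True if the Host header names the honeypot by DNS rather than by IP literal."""
    if not host:
        return False
    hostonly = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(hostonly)
        return False
    except ValueError:
        return True

def summarize(hits) -> Counter:
    """Count hits per proximity bucket and per addressing mode (by_dns_name / by_ip)."""
    counts = Counter()
    for src, dst, host in hits:
        counts[proximity_bucket(shared_prefix_bits(src, dst))] += 1
        counts["by_dns_name" if reached_by_name(host) else "by_ip"] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_HITS).items()):
        print(f"{key:14s} {n}")
```

A large "distant" share with almost no "by_dns_name" hits means scanners are sweeping address space directly, so DNS records add little and extra netblocks matter more than extra names; a heavy "same_/16" or "same_/8" share points the other way.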