Decoy Computer?
prince_kenshi
04-19-2001, 03:04 AM
I don't know if this has ever been thought of before. I got the idea a few weeks ago to make a decoy computer for hackers, and today I learned exactly how to do it. The idea is to forward pings and certain ports on your computer to a decoy on your local area network. That way hackers think they're getting into your computer, but they're really getting into a trash computer that you just set up as a decoy. And for when they do get on the decoy computer, you firewall yourself completely from that decoy computer. I'm sure some people could break through it, but as complex as it is, it has to be confusing as hell. I have already tried this with ICMP packets and it seemed to work just as I had hoped. Of course I'd have to attach the decoy through a separate card on the gateway so that it would have to go through a secure Linux machine before getting to the other Windows machines. Is this a nice and secure idea, or is there something I've completely overlooked?
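The setup described in this post, as an added example that is not part of the original thread: a POSIX sh script for the Linux gateway that DNATs ICMP echo requests and a handful of TCP ports arriving on the Internet-facing card to a decoy host hanging off its own card, lets the decoy answer, and forbids it from reaching the real LAN, opening new connections outward, or talking to the gateway itself. The interface names, addresses and port list are assumptions, and the script assumes IP forwarding and masquerading for the LAN are already configured.

```shell
#!/bin/sh
# Added example: forward probes arriving on the gateway to a decoy host
# on its own NIC and wall that decoy off from the trusted LAN.
# Interface names, addresses and ports are assumptions for the example.
set -eu

EXT_IF=eth0              # card facing the Internet
LAN_IF=eth1              # card holding the trusted Windows machines
DECOY_IF=eth2            # separate card holding only the decoy
DECOY_IP=192.168.2.10    # the "trash" machine
LAN_NET=192.168.1.0/24
DECOY_PORTS="21 23 80 139"   # services worth pretending to run
IPT=${IPT:-iptables}     # set IPT="echo iptables" to preview the rules

ipt() { $IPT "$@"; }

setup_decoy_forwarding() {
    # Connections from the Internet to these ports are rewritten to the
    # decoy before routing; conntrack un-rewrites the replies, so the
    # outsider sees the gateway's own address answering.
    for p in $DECOY_PORTS; do
        ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$p" \
            -j DNAT --to-destination "$DECOY_IP"
    done
    # Pings go to the decoy as well.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p icmp --icmp-type echo-request \
        -j DNAT --to-destination "$DECOY_IP"

    # Forwarded probes may reach the decoy, and the decoy may answer them.
    ipt -A FORWARD -i "$EXT_IF" -o "$DECOY_IF" -d "$DECOY_IP" -j ACCEPT
    ipt -A FORWARD -i "$DECOY_IF" -o "$EXT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Everything else that originates on the decoy card is dropped: it can
    # neither reach the LAN, start new connections outward (so it cannot be
    # used as a launch pad), nor talk to the gateway.
    ipt -A FORWARD -i "$DECOY_IF" -j DROP
    ipt -A INPUT   -i "$DECOY_IF" -j DROP
    # And the trusted LAN has no business reaching the decoy either.
    ipt -A FORWARD -i "$LAN_IF" -o "$DECOY_IF" -j DROP
}

# Apply only when asked, so the file can also be sourced for inspection.
if [ "${1:-}" = apply ]; then
    setup_decoy_forwarding
fi
```

The order of the FORWARD rules matters: the two ACCEPTs for the decoy's own traffic come before the blanket DROP on its card. Run with `IPT="echo iptables" sh decoy.sh apply` first to read the generated rules, then as root without the override.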
milanuk
04-19-2001, 04:48 AM
Umm... I think the concept you speak of has been around for a while -- commonly known as a 'honeypot'.
Pretty cool that you figured it out on your own, though.
Monte
bdg1983
04-19-2001, 06:31 AM
If you are planning to set one up, then I wouldn't mind hearing about it in a 'How I did it'. :)
BigBlockMopar
04-19-2001, 12:41 PM
I think it might be especially amusing if you were to somehow set up www.fbi.gov (http://www.fbi.gov) to be your honeypot.
While I'd be willing to bet that the average script kiddie could inflict very little damage on that honeypot, the benefit to all would be that your 'Leet HaXors' are likely to be removed from circulation rather rapidly, and we can all breathe a sigh of relief as another destructive 14-year-old is stripped of his cable modem.
(No offense to you 14-year-olds who *aren't* destructive; the Internet needs more of you.)
And finally, while I think it might be amusing and somehow poetic to do it, I wouldn't recommend attempting it, and I expect that if the FBI is reading, they'll have enough sense of humor to know that I'm kidding.
[ 19 April 2001: Message edited by: BigBlockMopar ]
prince_kenshi
04-19-2001, 01:24 PM
milanuk: Yeah, the idea just popped in my head one day. It seems like a good idea. I had never thought of forwarding it to a site on the internet though.
mdwatts: You just want to hack me.
BigBlockMopar: Ha ha, that would be so cool.
bdg1983
04-19-2001, 06:53 PM
"mdwatts: You just want to hack me"
Wouldn't know where to start and even if I did, I would not use the knowledge for anything mischievous. And that's the truth.
Just sounded interesting...
prince_kenshi
04-19-2001, 07:45 PM
Well I was joking. I probably would post it up if I ever got around to doing it. I think it's an interesting idea.
stiles
04-19-2001, 10:46 PM
Setting up a honeypot is neat, but the real interesting thing is the post-mortem. You need The Coroner's Toolkit (http://www.porcupine.org/forensics/tct.html) if you actually catch a cracker.
[GoRN]
04-21-2001, 04:25 PM
Forwarding to www.fbi.gov (http://www.fbi.gov) would be no good. Their logs would show your IP, not theirs.
The way forwarding works is it takes all input from that connection and sends it to another connection. It doesn't send some data that says "go over there, not here"; as far as I know there is no way to send a packet like that with TCP (ICMP has something along those lines, I believe).
What I've thought of doing is putting a daemon up that looks like, say, the exploitable bind, and having it accept the exploit and then pretend to be a root shell, but really it's just a smart script.
Then I could log all that.
And have no /real/ files.
Like (I'd do this in Perl because it's the best...) have a hash that has bin, boot, var, root, home, etc., etc. (only one etc; the second means "along those lines"...), then have each of those be a hash too, like a linked list.
Then mkdir adds there. Maybe have a fake ftp and wget and lynx -source (normal lynx would be too hard) that sleep 10 and then add an entry for the file, but have it blank.
I dunno.
-out-
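The "pretend to be a root shell" part of the idea above, as an added example that is not [GoRN]'s code and is written in POSIX sh rather than the Perl he has in mind: the filesystem the intruder sees is a list of paths held in a variable, every fake file is empty, mkdir and the fake wget/ftp/lynx add entries (the downloads sleep first to look busy), and every line typed is appended to a log. The command set, the paths, the hostname and the log location are assumptions. The daemon that accepts the "exploit" and hands over this shell is not shown.

```shell
#!/bin/sh
# Added example: a fake root shell for a honeypot.  Nothing here touches the
# real disk; the intruder is talking to a list of strings.  Command set,
# paths, hostname and log location are assumptions for the example.

FAKE_FS="/bin /boot /etc /etc/passwd /home /root /tmp /usr /var"
FAKE_CWD=/root
FAKE_HOST=ns1
FAKE_LOG=${FAKE_LOG:-/tmp/fakeshell.log}  # the intruder's keystrokes land here
FAKE_DELAY=${FAKE_DELAY:-10}              # seconds a "download" appears to take

# Turn a name the intruder typed into an absolute fake path.
fake_path() {
    case "$1" in
        /*) printf '%s' "$1" ;;
        *)  if [ "$FAKE_CWD" = / ]; then printf '/%s' "$1"
            else printf '%s/%s' "$FAKE_CWD" "$1"; fi ;;
    esac
}

fake_exists() {
    [ "$1" = / ] && return 0
    for e in $FAKE_FS; do [ "$e" = "$1" ] && return 0; done
    return 1
}

# List the entries whose parent directory is exactly the argument (or cwd).
fake_ls() {
    dir=$(fake_path "${1:-$FAKE_CWD}")
    if ! fake_exists "$dir"; then
        printf 'ls: %s: No such file or directory\n' "$1"; return 1
    fi
    for e in $FAKE_FS; do
        parent=${e%/*}
        [ -z "$parent" ] && parent=/
        [ "$parent" = "$dir" ] && printf '%s\n' "${e##*/}"
    done
    return 0
}

# Run one line typed by the intruder against the make-believe machine.
fake_exec() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$FAKE_LOG"
    set -- $1                       # split the line into command and arguments
    cmd=${1:-}; [ $# -gt 0 ] && shift
    case "$cmd" in
        "")       return 0 ;;
        id)       printf 'uid=0(root) gid=0(root) groups=0(root)\n' ;;
        whoami)   printf 'root\n' ;;
        pwd)      printf '%s\n' "$FAKE_CWD" ;;
        hostname) printf '%s\n' "$FAKE_HOST" ;;
        ls)       fake_ls "${1:-}" ;;
        cd)
            target=$(fake_path "${1:-/root}")
            if fake_exists "$target"; then FAKE_CWD=$target
            else printf 'sh: cd: %s: No such file or directory\n' "${1:-}"; return 1; fi ;;
        mkdir|touch)
            if [ $# -gt 0 ]; then FAKE_FS="$FAKE_FS $(fake_path "$1")"
            else printf '%s: missing operand\n' "$cmd"; return 1; fi ;;
        cat)
            # Every fake file is empty, so an existing file prints nothing.
            if ! fake_exists "$(fake_path "${1:-}")"; then
                printf 'cat: %s: No such file or directory\n' "${1:-}"; return 1
            fi ;;
        wget|ftp|lynx)
            url=""; for url in "$@"; do :; done      # last argument is the URL
            name=${url##*/}; [ -z "$name" ] && name=index.html
            sleep "$FAKE_DELAY"                      # look busy, then "download"
            FAKE_FS="$FAKE_FS $(fake_path "$name")" ;;
        *)  printf 'sh: %s: command not found\n' "$cmd"; return 127 ;;
    esac
}

# What the fake daemon would hand the intruder once the "exploit" succeeds:
#   sh fakeshell.sh run
if [ "${1:-}" = run ]; then
    while printf '[root@%s %s]# ' "$FAKE_HOST" "${FAKE_CWD##*/}" && read -r line; do
        fake_exec "$line"
    done
fi
```

Anything not in the case list gets "command not found", which is also what you want for rm, chmod and friends: the intruder learns nothing, and the log records exactly what they tried.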
prince_kenshi
04-21-2001, 04:33 PM
It would show their IP as the source address. I'm sure it would show my IP in the routing info though which is why I don't plan on doing it. The main idea was to forward it to another computer at my house. I've threatened my friend that I'm going to forward NetBIOS stuff to his computer, heh heh.
Craig McPherson
04-21-2001, 07:57 PM
Here's a really funny idea.
Use iptables, and edit your firewall to MIRROR instead of DROPping.
The MIRROR action reflects a packet back to its original source -- therefore, if somebody portscans you, and all your ports are MIRRORed, they'll be portscanning themself!
D00d, this guy has the same root password I do! I'm going to fsck up his boX!!!
prince_kenshi
04-21-2001, 09:26 PM
Actually Craig I already have it set to mirror. It only mirrors syn packets though so they couldn't actually connect to themself. I figured someone trying to hack me probably wouldn't have major ports open anyway, but I think I'm gonna mirror certain ports anyway.
Algemon
04-27-2001, 03:01 AM
The problem with the MIRROR target in iptables is that if the person knows anything about iptables firewalls then he could certainly use this knowledge to set up a denial of service attack on you. Or he could send you packets with a spoofed IP address, so that in effect you will be sending packets to someone else and pissing them off.
You may get into some serious trouble if you try doing something like this. I don't know, I thought it sounded tricky initially also, but after thinking it through a few extra steps I decided to give mirroring a miss.
prince_kenshi
04-29-2001, 07:17 PM
Well you can always limit how much is mirrored per second or minute. I don't think I need to worry about a denial of service. I don't see it hurting me much.
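The rate-limited reflection this exchange is about, as an added example that is none of the posters' code: iptables rules for the 2.4-era netfilter of the thread, which drop anything from the outside claiming an address that could not legitimately arrive there (the spoofing case Algemon raises), then MIRROR only new SYNs and only a few per second via the `limit` match, and drop the rest. The interface, network and rate figures are assumptions. MIRROR was marked experimental at the time and is not in current iptables or nftables, so this is the historical configuration, kept for what it shows about bounding reflection.

```shell
#!/bin/sh
# Added example: rate-limited MIRROR with anti-spoofing guards.
# Interface, network and limits are assumptions for the example.
set -eu

EXT_IF=eth0
LAN_NET=192.168.1.0/24
IPT=${IPT:-iptables}     # set IPT="echo iptables" to preview the rules

ipt() { $IPT "$@"; }

setup_mirror() {
    # Reverse-path filtering: the kernel drops packets whose claimed source
    # would be routed out a different interface than the one they came in on.
    [ -w "/proc/sys/net/ipv4/conf/$EXT_IF/rp_filter" ] \
        && echo 1 > "/proc/sys/net/ipv4/conf/$EXT_IF/rp_filter"

    # 1. Never reflect a packet that claims a source it cannot have on the
    #    outside interface; otherwise a spoofed source turns the gateway into
    #    a SYN generator aimed at our own LAN or the loopback.
    for net in "$LAN_NET" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipt -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done

    # 2. Reflect new connection attempts only, and only a trickle: up to a
    #    burst of 20, refilled at 5 per second.  A flood of SYNs therefore
    #    produces at most 5 reflected SYNs per second, not a flood back.
    ipt -A INPUT -i "$EXT_IF" -p tcp --syn \
        -m limit --limit 5/second --limit-burst 20 -j MIRROR
    # 3. Whatever exceeds the limit is dropped, not reflected.
    ipt -A INPUT -i "$EXT_IF" -p tcp --syn -j DROP
}

if [ "${1:-}" = apply ]; then
    setup_mirror
fi
```

The limit bounds the damage but does not remove it: a packet spoofed from a public third-party address still passes rule 1, so that party receives up to five SYNs a second with your address as the apparent origin, which is the "pissing them off" case from earlier in the thread. Preview with `IPT="echo iptables" sh mirror.sh apply`.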