- So you say 'hackers' are constantly knocking on the perimeter door to your network.
- You claim that they are trying to 'map' your network.
- You insist that they will cherry pick targets based on fingerprint data, wins/dns name, or other factors.
Proposition:
- Fill up a virtual machine host with hundreds to thousands of fake hosts that each have random fingerprint appearance and different name. They don't need to do anything except listen on a few ports (on a set of believable ports, to mimic a real OS), and maybe send a fake packet or two around (you know, like M$ boxes like to do because they get lonely.) A full blown app like vmware is overkill for this purpose. A perl script on five tiny embedded systems would suffice.
Just think of the possibilities.
- Each would dilute any reconnaissance tool with bogus hosts
- Each is indistinguishable from real hosts without attempting to check the function of each service for each address.
- Each could also be setup to send alerts to your InfoSec dept when anyone attempts to connect to them; (only two categories of connectors: 1) misconfigured friendlies, and 2) bad guys.)
- Every second the scanner spends poking around in these fake hosts, your real ones aren't touched.
- You can brag about how many 'hosts' are on the network you manage.
- If 'fancy' is your middle name, you could write a script that would forward connection attempts to a honeypot and attempt to grab a fresh piece of badware.
Thoughts?
P.S. I admit I partly stole this idea from Tom Liston's LaBrea tarpit.
Brilliantly devious. Me and my 2048-node apartment are in favor of your proposal.
ReplyDelete