Attracting Hackers

		Chapter 2 - A Honeypot Deployment Plan Honeypots for Windows by Roger A. Grimes Apress 2005

What should new honeypot administrators do to attract hackers to their honeypot? The short answer is to do nothing. As in the movie Field of Dreams, if you set up a honeypot, hackers will come to it.

If you expose your honeypot in such a way that the IP address of the honeypot and its ports are reachable from the Internet, it won’t be long before it is visited. The average public IP address on the Internet is probed dozens of times a day. The published statistics from many honeypot projects show more than a hundred probes a day, and most host compromises occur in under a week. Internet worm scans happen several times a day. Many honeypot administrators have recorded successful compromises occurring in less than 20 minutes.

Some impatient honeypot administrators have actively posted their honeypot’s location to hacker mailing lists and web sites, in order to jumpstart the process. Most legal authorities agree this is akin to entrapment, which is a defense that an arrested party can use to avoid conviction. This means that if those administrators who posted the location of their honeypot discovered some serious crime going on because of their honeypot, they might not be able to use the evidence collected against the hacker.

Of course, internal and production honeypots should never actively advertise their presence or invite hackers. It would defeat the main purpose of having the honeypot in the first place.

With the underlying honeypot design tenets in mind, now is the time to start defining the goals of your honeypot system.