[WEB SECURITY] WASC Distributed Open Proxy Honeypot Project - Call for Participants

Ryan Barnett rcbarnett at gmail.com
Wed Jun 22 11:39:47 EDT 2005


Greetings Everyone,
I am the WASC Distributed Open Proxy Honeypot Project Leader and I am
sending this email to the list seeking participants in this project. 
Specifically, we are looking for people who would be willing to
host/deploy one of the honeypot systems on their networks.  You can
refer to the following documents if you have questions concerning
risk/configurations associated with running the proxy -

- WASC website for the project homepage info 
http://www.webappsec.org/projects/honeypots/

- Apache Open Proxy Honeypot document for GenI configurations
http://honeypots.sourceforge.net/open_proxy_honeypots.pdf

- SANS/GIAC Certified Intrusion Analyst Practical Assignment on Open
Proxy Honeypots -
http://www.giac.org/certified_professionals/practicals/gcia/0750.php

- The Honeynet Project Scan of the Month Challenges - 31
http://www.honeynet.org/scans/scan31/

Project Goal -
The goal that we are trying to achieve with this project is to gather
web attack data from people/applications that are utilizing open proxy
servers for obfuscation purposes.  We will deploy multiple open proxy
honeypot servers that are specially configured using Apache and
various security tools (Mod_Security, Mod_Dosevasive, Snort, etc...)
to capture all activity and forward it back to a central logging host.

Deployment Scenarios
-----------------------------

I. High Speed Home Networks:  We need to identify network locations
where we can deploy the honeypots.

-----------------------
· Project Members may deploy our honeypot proxy systems on their home
networks if they have high speed connections – cable modems, etc…
· Caveats – some ISPs may block certain traffic (Ports 80, 6667,
etc…)  Also need to verify acceptable use policies.  During GenI
deployment on Comcast network, there were no problems.  GenII
deployment will include Cox network and they block inbound HTTP
requests - http://usercenter.cox.net/sdckb/safety/blocked_ports.htm

The requirements that I see for deploying one of the honeypot systems are:

1) An Internet routable/accessible IP address.
2) Internet access to the following Proxy ports - 80, 443, 3128, 8000 and 8080.
3) Sending log data to our central log host in real-time.

If you can think of any more requirements for hosting the proxy,
please let me know.

II. Global Positioning:
-----------------------
We need to deploy systems in countries other than the US.  This may
include home users in other countries.  

III. Universities/Research Facilities:
-----------------------
We may be able to deploy these systems with help from Universities and
other research facilities.  I have some POCs at universities that are
already running honeynets.

The current plan is to create VMware Linux images that are
preconfigured with the appropriate applications and configurations. 
This will allow participants to download the VMware images and easily
start them up with a version of VMware and be off and running.  An
alternative is that I will post the WASC honeypot build document on
the project web site.  This will allow participants to build their own
version of the honeypot and then simply point their logging tools to
our central log host for analysis.

Please let me know if you would like to participate with hosting a
honeypot proxy or if you know of a POC that would be willing to host
one.

Thank you all for your time.

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

