Thursday, September 10, 2009

WASC ProxyPot Project is LIVE

In case you haven't heard, or have missed the announcement, the WASC group has started deploying their Distributed Open Proxy Honeypot project... or the "proxypot". Headed by Ryan Barnett of Breach Security fame, this project seeks to take a sneak peek at the attacks happening on real web sites right now by setting up open proxies for attackers to use in their hacking attempts. The obvious goal is to gather intelligence and data on the techniques hackers are using in the wild.

The project is distributing a specially set-up VM that poses as the kind of open proxy hackers scour the 'net for, and then logs all the traffic and attempted attacks sent through that proxy. I love the idea of setting a snare for the "bad guys", so that they might show us some of the latest techniques they're using to attack websites in the real world.

Now, I suspect that this will only catch those attacks and attackers who aren't smart enough to dig into the proxy itself to see what it's doing... but it will still provide valuable insight into the attack patterns actually being used in the real world. This is valuable information!

Project Overview (from the site)

From a counter-intelligence perspective, standard honeypot/honeynet technologies have not borne much fruit in the way of web attack data. Web-based honeypots have not been as successful as OS level or other honeypot applications (such as SMTP) due to the lack of their perceived value. Deploying an attractive honeypot web site is a complicated, time-consuming task. Other than a Script Kiddie probing for an easy defacement or an indiscriminate worm, you just won't get much traffic.

So the question is - How can we increase our traffic, and thus, our chances of obtaining valuable web attack reconnaissance?

This project will use one of the web attacker's most trusted tools against them - the Open Proxy server. Instead of being the target of the attacks, we opt to be used as a conduit of the attack data in order to gather our intelligence. By deploying multiple, specially configured open proxy servers (or proxypots), we aim to take a bird's-eye look at the types of malicious traffic that traverse these systems. The honeypot systems will conduct real-time analysis on the HTTP traffic to categorize the requests into threat classifications outlined by the Web Security Threat Classification and report all logging data to a centralized location.
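To make the "real-time analysis, classify by WASC threat class, report centrally" pipeline concrete, here is an added example (my own illustration, not the project's code or its actual rule set). It assumes a simplified proxy log format of "client method target status", a constructed five-line sample, and a hypothetical rule table whose regexes stand in for real signatures; it decodes each proxied request target, tags it with matching WASC attack classes, keeps only the flagged requests as the events a proxypot would forward, and aggregates them the way a central collector might.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of what a proxypot might record, one proxied request per
# line as "client method target status". This is NOT the project's real log
# format (the post does not describe it); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 GET http://example.org/index.php?id=1 200
203.0.113.10 GET http://example.org/index.php?id=1'%20OR%20'1'='1 200
198.51.100.7 GET http://example.org/search?q=%3Cscript%3Ealert(1)%3C/script%3E 200
198.51.100.7 GET http://example.org/../../etc/passwd 404
192.0.2.55 GET http://example.org/about.html 200
"""

# Hypothetical rule table keyed by WASC Threat Classification attack names.
# The patterns are illustrative signatures, not the honeypot's own rule set.
RULES = {
    "SQL Injection": re.compile(r"'\s*(or|and)\s*'|union\s+select|--\s*$", re.I),
    "Cross-site Scripting": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "Path Traversal": re.compile(r"\.\./|\.\.\\"),
}
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def classify(target):
    """Decode the request target once, then return every WASC class that matches."""
    decoded = unquote_plus(target)
    return [name for name, rx in RULES.items() if rx.search(decoded)]

def parse_line(line):
    """Turn one log line into a record, or None if it does not fit the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    client, method, target, status = m.groups()
    return {"client": client, "method": method, "target": target,
            "status": int(status), "classes": classify(target)}

def analyze(log_text):
    """Keep only requests that hit a class: the events forwarded to the collector."""
    records = (parse_line(l) for l in log_text.splitlines())
    return [r for r in records if r and r["classes"]]

def summarize(events):
    """Aggregate per class and per client, as a central collector would."""
    by_class, by_client = {}, {}
    for e in events:
        by_client[e["client"]] = by_client.get(e["client"], 0) + 1
        for c in e["classes"]:
            by_class[c] = by_class.get(c, 0) + 1
    return by_class, by_client
```

Running `analyze(SAMPLE_LOG)` flags three of the five constructed requests; the two benign ones produce no event, which is the filtering a proxypot needs before shipping data upstream.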

This is one of the more worthy causes for the use of your power and bandwidth... If you're interested, go download and run the VM and help gather intelligence, and of course, they have a Twitter update stream @WASCHoneyPots!

1 comment:

Anonymous said...

I'm having difficulty seeing the value in this. Either you're enabling attacks or you're prematurely aborting them.

If it's the latter (which seems to be the case from the Twitter posts) how are the attackers able to validate the proxies as open before starting an attack?

I would expect it to be entirely automated scan activity in which case IDS/IPS signatures already exist.