Honeyd/Networking

From C4 Wiki
Revision as of 00:27, 19 October 2004 by Mario Manno (talk | contribs) (added category)

Honeyd Networking on Linux

Normally, e.g. on a Cisco router, you would just add a static route:

ip route 192.168.0.0 255.255.0.0 192.168.0.1

If I try to add a route to my local subnet, the honeynet host answers every ping with an additional ICMP redirect packet and does not show valid traceroutes.

As far as I understand honeyd's ARP features, they are only intended for mixed networks, meaning networks which contain valid hosts too. In my experiments honeyd ARP would not work well with honeynets. The ARP daemon excludes the host system from ARP faking. This behaviour disrupted all my efforts to run honeyd on a tap interface and add a route to this interface for the honeynet range.

So I had to do bridging. (Why do I always have to do bridging??)

Bridged Setup

My home network is 10.2.2.0/24. The honeynet is 192.168.0.0/24.

Router

The router forwards packets to the honeynet machine. In the case of a Linux router, the following worked for me.

ifconfig eth0 down
ifconfig eth1 down
brctl addbr br0                    # Setup bridging
brctl addif br0 eth0               # client network
brctl addif br0 eth1               # honeynet network
ifconfig br0 up
ip a  add 10.2.2.6/24 dev br0      # ip so i can administer the bridge
                                   # is needed so i can set routes (whatever)
ip ro add 10.2.2.0/24 dev br0      # route to local net
ip ro add 192.168.0.0/16 dev br0   # route to honey net

Client

The bridge should take care of packets.

ip a add 10.2.2.10/24 dev eth0
ip ro add default dev eth0

Honeynet

Setup basic networking

ip a add 192.168.0.1/24 dev eth0
ip ro add default dev eth0

This is my honeyd.conf

route entry 192.168.0.1
route 192.168.0.1 add net 192.168.4.0/24 192.168.4.1 latency 7ms loss 0.5
route 192.168.4.1 link 192.168.4.0/24

And the honeyd options

/usr/bin/honeyd -i eth0 192.168.0.0/16

Localhost Setup

The honeynet is 10.0.0.0/8

Router

ip ro add 10.0.0.0/8 dev lo

Honeynet

A small change to the honeyd configuration is needed for traceroute:

route entry 10.0.0.1
+route 10.0.0.1 link 10.0.0.0/24

Started via

/usr/bin/honeyd -i lo 10.0.0.0/8
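
The following is an added example, not part of the original wiki page or of honeyd: a small parser for the `route entry`, `route ... add net` and `route ... link` lines used in the two honeyd.conf snippets above, which walks the virtual routers to a destination the way a traceroute through the honeynet would. It assumes a simplified model (`add net` names the next-hop router, `link` marks a directly attached network); the function names and sample constants are constructed for illustration.

```python
import ipaddress

# Constructed samples mirroring the two honeyd.conf snippets on this page.
BRIDGED = """
route entry 192.168.0.1
route 192.168.0.1 add net 192.168.4.0/24 192.168.4.1 latency 7ms loss 0.5
route 192.168.4.1 link 192.168.4.0/24
"""
LOCALHOST = """
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
"""

def parse_routes(text):
    """Parse honeyd 'route' lines into (entry, next_hops, links)."""
    entry, hops, links = None, {}, {}
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 3 or tok[0] != "route":
            continue
        if tok[1] == "entry":
            entry = ipaddress.ip_address(tok[2])
        elif tok[2] == "add" and len(tok) >= 6 and tok[3] == "net":
            router = ipaddress.ip_address(tok[1])
            hop = (ipaddress.ip_network(tok[4]), ipaddress.ip_address(tok[5]))
            hops.setdefault(router, []).append(hop)
        elif tok[2] == "link" and len(tok) >= 4:
            router = ipaddress.ip_address(tok[1])
            links.setdefault(router, []).append(ipaddress.ip_network(tok[3]))
    return entry, hops, links

def router_path(conf, dest):
    """Routers traversed from the entry router to dest, or None if no
    'link' network covers dest (simplified model, see lead-in)."""
    entry, hops, links = parse_routes(conf)
    dest = ipaddress.ip_address(dest)
    path, router = [], entry
    while router is not None and router not in path:  # stop on routing loops
        path.append(router)
        if any(dest in net for net in links.get(router, [])):
            return [str(r) for r in path]
        # Longest-prefix match among this router's 'add net' routes.
        matches = [(n, g) for n, g in hops.get(router, []) if dest in n]
        router = max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None
    return None

if __name__ == "__main__":
    print(router_path(BRIDGED, "192.168.4.20"))
    print(router_path(LOCALHOST, "10.1.0.5"))
```

Under this model, addresses that honeyd is started for but that no `link` line covers (for example anything in 10.0.0.0/8 outside 10.0.0.0/24 in the localhost setup) come back as `None`, which is a quick way to spot parts of the range the routing topology does not describe.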