The Honeynet Project were asked to present at the 20th FIRST conference in Vancouver last week, as part of their Network Monitoring Special Interest Group on Fast Flux Service Networks. We set up a two hour session broken down into three equal sections:
- An introduction to the basic mechanics of fast flux (David Watson, UKHP)
- Current ATLAS fast flux statistics (Jose Nazario, Arbor)
- Detection and mitigation (Christian Gorecki, University of Mannheim)
The NM-SG session was open to FIRST members only, so the slides are not publicly available, but we hope to have a public release of similar material shortly. We had a number of questions, and feedback from the attendees seems to have been positive.
There were three additional short demos:
- Florian Weimer of RUS-CERT showed some new passive DNS tracking information
- Tillmann Werner from the German Giraffe Honeynet Project Chapter demonstrated how Honeytrap, LibEmu and Nebula can be used to analyze unknown attacks, which is looking very promising as a long term replacement for Nepenthes
- Piotr Kijewski of the Polish CERT/NASK gave a brief demonstration of their still under development HoneySpider web interface, which shares many of the features of client honeypot systems that we are currently working on but instead uses Java and Rhino instead of Python and SpiderMonkey
Overall it was an interesting event, with some good talks and lot of opportunities to meet up with a different group of people very active in the security operations and incident response fields. Quiet a few Honeynet Project members were also present, which always encourages a little extra R&D discussion. Hopefully we’ll see some spin off activity in the coming weeks.
Many thanks to Carol Overes from GovCERT in Holland for the invite.