Sometime ago, I presented an ASP.Net Security Skeleteton session at Microsoft TechDays. The concept was simple, build a base layer that can aid in the defence and forensics gathering of an ASP.Net WebSite whether it was WebForms or MVC.
An interesting element that was in the security skeletons layer as a HoneyPot Module. This element would utilise a module to verify IP Addresses against malicious behavior.
Think of a HoneyPot as a boobytrap.
You create a fake login page that is not acceccible by normal means except a scan and presto you know someone is up to something. Same goes for ports, fake robot file entries.
These ip addresses are sent to a centralized repository and you can analyse your inbound requests for the IP and compare against their list.
Now in order to do so one has to be efficient, you would want to either send a payload or verify against a cache. Either or is possible with different vendors/free implementations but in the end you want to check if an IP has been flagged as malicious.
Here are just a few of the IP Direcories available.
Directory of Harvester IPs
Directory of Spam Server IPs
Directory of Dictionary Attacker IPs
Directory of Comment Spammer IPs
In ASP.Net I like to use handlers whether message handlers or htphandlers to
- Verify for excessive request
- Verify my blacklist
- Verify a honeypot
- ….so on and so forth
However throughout the years I have come to realise that tooling such as ModSecurity has HoneyPot integration built in. When no IDS is available I use a security related base layer but when I can utilise an IDS I rather go that route as it can secure an entire stack.
The service that Project HoneyPot offers is this:
The HTTP Blacklist, or “http:BL”, is a system that allows website administrators to take advantage of the data generated by Project Honey Pot in order to keep suspicious and malicious web robots off their sites. Project Honey Pot tracks harvesters, comment spammers, and other suspicious visitors to websites. Http:BL makes this data available to any member of Project Honey Pot in an easy and efficient way.
Http:BL provides data back about the IP addresses of visitors to your website. Data is exchanged over the DNS system. You may query your local DNS server and receive a response back that indicates the type of visitor to your site, how threatening that visitor is, and how long it has been since the visitor has last been seen within the Project Honey Pot trap network.
Several software authors have written implementations for a variety of web platforms. If you would like to integrate with http:BL, check out the http:BL API document.