SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Vulnerability Scan

    Posted 03-28-2013 11:31

    Hi All,

     

    I have an interesting event that occurred. We have been testing different Vul scanners and noticed that whenever we try to scan the management port of the SRX the scan gets stuck. Some of the scanners report that they have run into a "tar pit or Honeypot". This is great that the SRX is actually detecting the scan and killing it but I did not know this was even a feature.

    Is this actually something the SRX is doing and if so why is this not advertised?



  • 2.  RE: SRX Vulnerability Scan

    Posted 03-28-2013 11:36

    If I were a bettin' man... oh who am I kidding, I am...

     

    I'd put my money on "happy accident" more so than "behavior by design."

    Did any of the scanners report why they thought tar pit/honeypot?  Any metrics or statistics that led them to determine such?



  • 3.  RE: SRX Vulnerability Scan

    Posted 03-28-2013 15:49

    One scanner reported a Tar pit, another reported honeypot, all others just get stuck scanning the SRX. They basically get stuck and time out after a very long time. Some even eventually report that the SRX is a PBX or some other weird server. It really does look like it's acting as a honeypot although I doubt it.



  • 4.  RE: SRX Vulnerability Scan
    Best Answer

    Posted 03-28-2013 16:06

    @Magraw wrote:

    One scanner reported a Tar pit, another reported honeypot, all others just get stuck scanning the SRX. They basically get stuck and time out after a very long time. Some even eventually report that the SRX is a PBX or some other weird server. It really does look like it's acting as a honeypot although I doubt it.


    It could just be a certain behavior that the scanner thinks resembles a honeypot... like maybe TCP connections aren't denied but ignored, or maybe the SRX allows the TCP handshake but stops responding after that...

    That's why I was curious what specific behavior triggered the scanners to think honeypot / tar pit. If they were more verbose for something like "honeypot detected, TCP successful handshake but no response" or something like that...

    I suppose you could Wireshark it and watch to see what's happening (what's being sent by your scanner and how the SRX is responding) during the periods where the scanner thinks it's talking to a honeypot...
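
The behaviours guessed at in reply 4 (connections denied, ignored, or handshake completed and then silence) can be told apart from a capture of the scan. The following is an added example, not part of the original thread, that classifies each scanner-to-target TCP flow; the packet tuples, addresses and ports are constructed placeholders, and the tuple layout is an assumption about how the capture was exported.

```python
from collections import defaultdict

# Constructed sample capture (not from the thread). Each tuple is
# (time_s, src, dst, sport, dport, tcp_flags, payload_len); addresses are
# documentation-range placeholders and one flow is shown per target port.
SCANNER, TARGET = "192.0.2.10", "192.0.2.1"
PACKETS = [
    (0.00, SCANNER, TARGET, 40001, 22, "S", 0),
    (0.01, TARGET, SCANNER, 22, 40001, "SA", 0),
    (0.02, SCANNER, TARGET, 40001, 22, "A", 0),
    (0.05, TARGET, SCANNER, 22, 40001, "PA", 21),   # service banner
    (1.00, SCANNER, TARGET, 40002, 23, "S", 0),
    (1.01, TARGET, SCANNER, 23, 40002, "RA", 0),    # connection denied
    (2.00, SCANNER, TARGET, 40003, 80, "S", 0),
    (3.00, SCANNER, TARGET, 40003, 80, "S", 0),     # SYN retransmit, no reply
    (4.00, SCANNER, TARGET, 40004, 443, "S", 0),
    (4.01, TARGET, SCANNER, 443, 40004, "SA", 0),
    (4.02, SCANNER, TARGET, 40004, 443, "A", 0),
    (4.03, SCANNER, TARGET, 40004, 443, "PA", 30),  # scanner probe
    (4.04, TARGET, SCANNER, 443, 40004, "A", 0),    # ACK only, never any data
]

def classify(packets, scanner, target):
    """Return {target_port: verdict} for TCP flows from scanner to target."""
    replies = defaultdict(list)      # (scanner_port, target_port) -> replies
    for _t, src, dst, sport, dport, flags, plen in packets:
        if (src, dst) == (scanner, target):
            replies[(sport, dport)]  # register the flow even if unanswered
        elif (src, dst) == (target, scanner):
            replies[(dport, sport)].append((flags, plen))
    verdicts = {}
    for (_sport, dport), seen in sorted(replies.items()):
        if not seen:
            verdict = "ignored"                  # SYN dropped silently
        elif any(plen > 0 for _f, plen in seen):
            verdict = "responsive"               # target sent application data
        elif any("S" in f for f, _p in seen):
            verdict = "handshake-then-silent"    # SYN-ACK, then nothing useful
        elif any("R" in f for f, _p in seen):
            verdict = "refused"                  # RST: denied outright
        else:
            verdict = "other"
        verdicts[dport] = verdict
    return verdicts

if __name__ == "__main__":
    for port, verdict in classify(PACKETS, SCANNER, TARGET).items():
        print(port, verdict)
```

Ports that land in "ignored" or "handshake-then-silent" are the ones where a scanner waits out its timeouts, so they are the flows to inspect first in the capture.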

     



  • 5.  RE: SRX Vulnerability Scan

    Posted 03-28-2013 16:10

    Ya, I'm sure you are correct, Keith. Just wanted to make sure there was not some cool feature the SRX did that I did not know about.




  • 6.  RE: SRX Vulnerability Scan

    Posted 03-29-2013 15:43

    @Magraw wrote:

    Ya, I'm sure you are correct, Keith. Just wanted to make sure there was not some cool feature the SRX did that I did not know about.


    Usually the cool features that the SRX does that we don't know about are the ones that cause us to pull our hair out and scream about unfinished features and buggy code, not the other way around. LOL!



  • 7.  RE: SRX Vulnerability Scan

    Posted 03-28-2013 18:59

    I can't say I've ever seen that behavior. The only thing I've run across is false positives triggered by the SYN flood screens sending back SYN-ACKs. Are you using any sort of IPS, AppSecure, screens, policers, or otherwise, to protect the control plane?



  • 8.  RE: SRX Vulnerability Scan

    Posted 03-28-2013 20:29

    The scanners will not get a response from the management port. The Management port does not carry transit traffic.



  • 9.  RE: SRX Vulnerability Scan

    Posted 03-29-2013 11:11

    @lyndidon wrote:

    The scanners will not get a response from the management port. The Management port does not carry transit traffic.


    They will if he's scanning the management port as the target from the management network...



  • 10.  RE: SRX Vulnerability Scan

    Posted 03-29-2013 15:36

    Thank you for that correction.