The future of the proxypots
The proxypot model allows the project to observe the source IP addresses used by attackers running traffic over its sensors, along with the nature of their threats and their targets.
For instance, out of the 8.9 million questionable transactions carried out over the group's servers in October, when the sensor network was last running at full bore, 2.6 million of the requests were related to advertising click fraud, the leading type of threat observed in the firewalls' logs.
Further investigation of the results would allow WASC to figure out exactly which sites were being pumped up by those automated traffic hoarders and inform any companies involved of the illegal activity, Barnett said.
For the record, more than three quarters of the traffic moving over the proxypots fails to trigger any of the firewall rules, meaning that it is either benign or unidentifiable as malware.
While the WASC honeypot project could eventually be used to snuff out some malware sources or block the threats themselves, for now, the idea is to create an early warning system to help the security industry respond to emerging attacks.
Along with finding more bodies to throw at analysis of its findings, the project is also considering how to proceed on the question of whether to allow its proxypots to be used to carry out actual attacks.
Thus far, participants in the program have been sending spoofed information back to the attackers channeling traffic over their proxies to fool them into thinking that their campaigns are working and prevent detection of the honeypots.
However, some researchers involved with the program have been asking to allow traffic to pass over their systems unrestricted, in the belief that it would be the best way to screen for the newest and smartest threats.
In most cases, project participants will need to defer to local laws governing their level of liability for allowing nefarious traffic to flow over their servers if they decide to run wide open, said Barnett. Figuring out exactly how to tackle the issue is one of the WASC honeypot's other major goals in advancing its status during 2008.
"We're trying to regroup and figure out how to best address everything in the next twelve months, enough people are asking about the alternative of not blocking malicious traffic that it has become a question we seriously need to consider," said Barnett. "There are legal issues to study if we want to let real attacks run through us, it could still happen anyways -- people can always get around rules, so, there is definitely still some risk involved."