Hacker News
by altairprime 543 days ago
Simply reacting with “>5% of honeypot IPs have issued an ARP response” would be a valuable alert about a network scan in progress, no matter how long the delay between addresses pinged. The point isn’t to make the network inscrutable, it’s to make it much more risky to scan at all. That the ARP is delayed to the third attempt is interesting but presumably tunable based on whatever the reactivity thresholds for the customer are.
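The alert rule described in this comment, as an added example that is not part of the comment or of any product's code: a monitor that answers ARP for a honeypot IP on the third request and raises one alert once more than 5% of honeypot IPs have answered, with no time window so a slow scan still accumulates. The class and function names, the address range and the event trace are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: 100 unused addresses reserved as honeypot IPs.
HONEYPOTS = [f"10.0.0.{n}" for n in range(100, 200)]

class HoneypotArpMonitor:
    """Answers ARP for honeypot IPs on the Nth request and alerts on spread."""

    def __init__(self, honeypot_ips, respond_on_attempt=3, alert_fraction=0.05):
        self.honeypot_ips = set(honeypot_ips)
        self.respond_on_attempt = respond_on_attempt  # tunable reply delay
        self.alert_fraction = alert_fraction          # tunable alert threshold
        self.attempts = defaultdict(int)              # honeypot IP -> requests seen
        self.responded = set()                        # honeypot IPs that answered
        self.alerted = False

    def on_arp_request(self, target_ip):
        """Return (respond, alert) for one ARP who-has request."""
        if target_ip not in self.honeypot_ips:
            return False, False
        self.attempts[target_ip] += 1
        respond = self.attempts[target_ip] >= self.respond_on_attempt
        if respond:
            self.responded.add(target_ip)
        # No time window: state never expires, so a slow scan still accumulates.
        fraction = len(self.responded) / len(self.honeypot_ips)
        alert = fraction > self.alert_fraction and not self.alerted
        self.alerted = self.alerted or alert
        return respond, alert

def replay(events, monitor):
    """Return the timestamp of the first alert, or None if none fired."""
    for ts, target_ip in events:
        _, alert = monitor.on_arp_request(target_ip)
        if alert:
            return ts
    return None

def slow_scan_events(hosts=10, retries=3, gap_seconds=3600):
    """Constructed trace: one honeypot IP per hour, each requested `retries` times."""
    return [(i * gap_seconds + k, HONEYPOTS[i])
            for i in range(hosts) for k in range(retries)]

if __name__ == "__main__":
    print("first alert at t =", replay(slow_scan_events(), HoneypotArpMonitor(HONEYPOTS)))
```
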