Abstract
Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, over the past years, several researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot; if an attacker is able to recognize the existence of such a system, they can evade it. In this article, we revisit the honeypot identification field, by providing a holistic framework that includes state-of-the-art and novel fingerprinting components. We decrease the probability of false positives by proposing a rigid multi-step approach for labeling a system as a honeypot. We perform extensive scans covering 2.9 billion addresses of the IPv4 space and identify a total of 21,855 honeypot instances. Moreover, we present several interesting side findings such as the identification of around 355,000 non-honeypot systems that represent potentially misconfigured or unpatched vulnerable servers (e.g., SSH servers with default password configurations and vulnerable versions). We ethically disclose our findings to network administrators about the default configuration and the honeypot developers about the gaps in implementation that lead to possible honeypot fingerprinting. Last, we discuss countermeasures against honeypot fingerprinting techniques.
| Original language | English |
|---|---|
| Article number | 42 |
| Journal | ACM Digital Threats: Research and Practice |
| Volume | 4 |
| Issue number | 3 |
| Pages (from-to) | 1-28 |
| Number of pages | 28 |
| ISSN | 2692-1626 |
| DOIs | |
| Publication status | Published - Oct 2023 |
Keywords
- Additional Key Words and PhrasesHoneypots
- fingerprinting
- honeypot attacks
- honeypot detection
- honeypot evasion