Gotta catch ’em all: A Multistage Framework for Honeypot Fingerprinting

Shreyas Srinivasa, Jens Myrup Pedersen, Emmanouil Vasilomanolakis

Research output: Contribution to journalJournal articleResearchpeer-review

45 Downloads (Pure)


Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, over the past years, several researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot; if an attacker is able to recognize the existence of such a system, they can evade it. In this article, we revisit the honeypot identification field, by providing a holistic framework that includes state-of-the-art and novel fingerprinting components. We decrease the probability of false positives by proposing a rigid multi-step approach for labeling a system as a honeypot. We perform extensive scans covering 2.9 billion addresses of the IPv4 space and identify a total of 21,855 honeypot instances. Moreover, we present several interesting side findings such as the identification of around 355,000 non-honeypot systems that represent potentially misconfigured or unpatched vulnerable servers (e.g., SSH servers with default password configurations and vulnerable versions). We ethically disclose our findings to network administrators about the default configuration and the honeypot developers about the gaps in implementation that lead to possible honeypot fingerprinting. Last, we discuss countermeasures against honeypot fingerprinting techniques.

Original languageEnglish
Article number42
JournalACM Digital Threats: Research and Practice
Issue number3
Pages (from-to)1-28
Number of pages28
Publication statusPublished - Oct 2023


  • Additional Key Words and PhrasesHoneypots
  • fingerprinting
  • honeypot attacks
  • honeypot detection
  • honeypot evasion


Dive into the research topics of 'Gotta catch ’em all: A Multistage Framework for Honeypot Fingerprinting'. Together they form a unique fingerprint.

Cite this