Gotta catch ’em all: a Multistage Framework for honeypot fingerprinting

Shreyas Srinivasa, Jens Myrup Pedersen, Emmanouil Vasilomanolakis

Research output: Contribution to journalJournal articleResearchpeer-review

47 Downloads (Pure)

Abstract

Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, over the last years a number of researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot; if an attacker is able to recognize the existence of such a system, they can evade it. In this article, we revisit the honeypot identification field, by providing a holistic framework that includes state of the art and novel fingerprinting components. We decrease the probability of false positives by proposing a rigid multi-step approach for labeling a system as a honeypot. We perform extensive scans covering 2.9 billion addresses of the IPv4 space and identify a total of 21,855 honeypot instances. Moreover, we present a number of interesting side-findings such as the identification of around 355,000 non-honeypot systems that represent potentially misconfigured or unpatched vulnerable servers (e.g. SSH servers with default password configurations and vulnerable versions). We ethically disclose our findings to network administrators about the default configuration and the honeypot developers about the gaps in implementation that lead to possible honeypot fingerprinting. Lastly, we discuss countermeasures against honeypot fingerprinting techniques.
Original languageEnglish
Article number24
JournalDigital Threats: Research and Practice
Volume4
Issue number3
Number of pages28
ISSN2576-5337
DOIs
Publication statusPublished - 2023

Keywords

  • Honeypots
  • Fngerprinting
  • Honeypot attacks
  • Honeypot detection
  • Honeypot evasion

Fingerprint

Dive into the research topics of 'Gotta catch ’em all: a Multistage Framework for honeypot fingerprinting'. Together they form a unique fingerprint.

Cite this