Gotta catch 'em all: a Multistage Framework for honeypot fingerprinting
This work addresses the challenge of accurately fingerprinting honeypots (decoy systems whose value collapses once an attacker can recognize and evade them). It is incremental: it builds on existing fingerprinting methods and combines them with novel components in one holistic framework.
The authors tackle honeypot fingerprinting with a multistage framework that reduces false positives by requiring several independent checks before labeling a host as a honeypot; scanning 2.9 billion IPv4 addresses, they identified 21,855 honeypot instances.
Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, in recent years, a number of researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot: if an attacker is able to recognize the existence of such a system, they can evade it. In this article, we revisit the honeypot identification field by providing a holistic framework that includes state-of-the-art and novel fingerprinting components. We decrease the probability of false positives by proposing a strict multi-step approach for labeling a system as a honeypot. We perform extensive scans covering 2.9 billion addresses of the IPv4 space and identify a total of 21,855 honeypot instances. Moreover, we present a number of interesting side-findings, such as the identification of more than 354,431 non-honeypot systems that represent potentially vulnerable servers (e.g. SSH servers with default password configurations and vulnerable versions). Lastly, we discuss countermeasures against honeypot fingerprinting techniques.
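To make the multi-step labeling idea concrete, the following is an added illustration written for this summary; it is not code from the paper and the stages, banner strings, credential lists, thresholds and scan records in it are assumptions constructed for the example, not the authors' fingerprint database. It shows the shape of a staged classifier for SSH hosts: cheap static signals (a banner known to ship as a honeypot default, a host key shared by many scanned hosts) only ever make a host a candidate; a "honeypot" label requires several independent stages, including behavioral ones (accepting a credential pair no real server should accept, a post-login shell probe whose output a real shell could not produce), to agree. Hosts that pass no honeypot stage but accept a default credential are reported separately, mirroring the paper's side-finding of vulnerable non-honeypot servers.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Cred = Tuple[str, str]


@dataclass
class HostObservation:
    """What an active scan recorded for one SSH host (all values constructed for this example)."""
    ip: str
    banner: str
    hostkey_sha256: str
    logins: Dict[Cred, bool]                                  # credential pair -> login accepted?
    cmd_output: Dict[str, str] = field(default_factory=dict)  # post-login probe command -> output


# Stage inputs. These are assumptions for the example, not the paper's fingerprint data.
KNOWN_DEFAULT_BANNERS = {
    "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2",  # assumed: shipped as a default by an SSH honeypot
    "SSH-2.0-OpenSSH_5.1p1 Debian-5",         # assumed: another honeypot default
}
RANDOM_CRED: Cred = ("scan-x7q2", "Vb4!kq9Lm")  # generated per scan; a real server should reject it
DEFAULT_CREDS = {("root", "root"), ("admin", "admin"), ("pi", "raspberry")}
ARITH_PROBE = "echo $((6*7))"                   # any real POSIX shell prints 42


# Each stage is a pure predicate over one observation plus scan-wide context.
def s_default_banner(obs: HostObservation, ctx: dict) -> bool:
    return obs.banner in KNOWN_DEFAULT_BANNERS


def s_shared_hostkey(obs: HostObservation, ctx: dict) -> bool:
    # Images that bundle a host key make many unrelated hosts present the same key.
    return ctx["key_counts"][obs.hostkey_sha256] >= ctx["key_threshold"]


def s_accepts_random_creds(obs: HostObservation, ctx: dict) -> bool:
    return obs.logins.get(RANDOM_CRED, False)


def s_shell_emulation_gap(obs: HostObservation, ctx: dict) -> bool:
    # Only meaningful if we got a shell; an emulated shell that lacks arithmetic
    # expansion echoes the literal text or nothing instead of 42.
    out = obs.cmd_output.get(ARITH_PROBE)
    return out is not None and out.strip() != "42"


STAGES: List[Tuple[str, Callable[[HostObservation, dict], bool]]] = [
    ("default_banner", s_default_banner),
    ("shared_hostkey", s_shared_hostkey),
    ("accepts_random_creds", s_accepts_random_creds),
    ("shell_emulation_gap", s_shell_emulation_gap),
]


def classify(obs: HostObservation, ctx: dict, min_stages: int = 3) -> Tuple[str, List[str]]:
    """Label one host. A single static signal never suffices; 'honeypot' needs min_stages to agree."""
    fired = [name for name, stage in STAGES if stage(obs, ctx)]
    if len(fired) >= min_stages:
        label = "honeypot"
    elif fired:
        label = "candidate"                      # evidence recorded, but not enough to label
    elif any(obs.logins.get(c, False) for c in DEFAULT_CREDS):
        label = "vulnerable_server"              # real host with a default credential
    else:
        label = "unclassified"
    return label, fired


def classify_scan(observations: List[HostObservation], key_threshold: int = 2,
                  min_stages: int = 3) -> Dict[str, Tuple[str, List[str]]]:
    """Run all stages over a scan; host-key reuse is computed across the whole scan first."""
    ctx = {"key_counts": Counter(o.hostkey_sha256 for o in observations),
           "key_threshold": key_threshold}
    return {o.ip: classify(o, ctx, min_stages) for o in observations}


# Constructed scan records (documentation-range addresses, invented keys and outputs).
HP_BANNER = "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"
REAL_BANNER = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4"
SAMPLE_SCAN = [
    HostObservation("198.51.100.10", HP_BANNER, "k-shared",
                    {RANDOM_CRED: True, ("root", "root"): True}, {ARITH_PROBE: "$((6*7))"}),
    HostObservation("198.51.100.11", HP_BANNER, "k-shared",
                    {RANDOM_CRED: True}, {ARITH_PROBE: ""}),
    # Same default banner, but unique key, rejects logins: banner alone must not label it.
    HostObservation("198.51.100.20", HP_BANNER, "k-unique-20",
                    {RANDOM_CRED: False, ("root", "root"): False}),
    # Real server with a default password: the side-finding, not a honeypot.
    HostObservation("198.51.100.30", REAL_BANNER, "k-unique-30",
                    {RANDOM_CRED: False, ("root", "root"): True}, {ARITH_PROBE: "42"}),
    HostObservation("198.51.100.40", REAL_BANNER, "k-unique-40",
                    {RANDOM_CRED: False, ("root", "root"): False}),
]

if __name__ == "__main__":
    for ip, (label, evidence) in classify_scan(SAMPLE_SCAN).items():
        print(f"{ip:15} {label:18} {evidence}")
```

The point of the structure is that false positives are controlled by the labeling rule, not by any one signal: the host at 198.51.100.20 matches a honeypot banner yet stays a candidate, because nothing behavioral corroborates it, while the two hosts that share a key, accept arbitrary credentials and fail the shell probe are labeled. In a real deployment the static stages would run first as a prefilter over the whole address space and the interactive stages only against candidates, since the latter cost a login and a command per host.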