Gotta catch ’em all: a Multistage Framework for honeypot fingerprinting

Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well method for learning how adversaries work and think. However, over the last years number of researchers have shown methods fingerprinting honeypots. This significantly decreases value honeypot; if attacker is able to recognize existence such system, they can evade it. In this article, we revisit honeypot identification field, providing holistic framework includes state art novel components. We decrease probability false positives proposing rigid multi-step approach labeling system honeypot. perform extensive scans covering 2.9 billion addresses IPv4 space identify total 21,855 instances. Moreover, present interesting side-findings around 355,000 non-honeypot represent potentially misconfigured or unpatched servers (e.g. SSH default password configurations versions). ethically disclose our findings network administrators about configuration developers gaps in implementation lead possible fingerprinting. Lastly, discuss countermeasures against techniques.