Honeyd Detection via Packet Fragmentation
Authors
Abstract
In this paper we describe a serious flaw in a popular honeypot software suite that allows an attacker to easily identify the presence and scope of a deployed honeypot. We describe in detail both the flaw and how it can be used by an attacker. Our technique relies on a set of specially crafted packets which are able to elicit a response from a Honeyd-based honeypot. Simple experiments show that this method is extremely accurate and effective in detecting the presence and the scope of a Honeyd deployment. Moreover, due to the low level of effort and bandwidth required, it is possible to perform honeypot reconnaissance easily prior to launching a malicious attack on a network, even for large address spaces. We also discuss a simple fix for this flaw as well as other factors that can affect the effectiveness of our approach.
Similar resources
Blackhat fingerprinting of the wired and wireless honeynet
TCP/IP fingerprinting is a common technique used to detect unique network stack characteristics of an Operating System (OS). Its usage for network compromise is renowned for performing host discovery and in aiding the blackhat to determine a tailored exploit of detected OSs. The honeyd honeynet is able to countermeasure blackhats utilising TCP/IP fingerprinting via host device emulation on a vi...
Honeypot through Web (Honeyd@WEB): The Emerging of Security Application Integration
This paper discusses the development of Honeyd@WEB. Honeyd@WEB is a system that can deploy low-interaction, production, dynamic and manageable virtual honeypots via a web interface. It runs open source programs, such as P0f (a passive fingerprinting tool) and Honeyd (a low-interaction honeypot). Honeyd@WEB can automatically determine how many honeypots to deploy, how to deploy them, and...
Honeyd: A Virtual Honeypot Daemon
Honeypots are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines on a network, they can provide early warning about new attack and exploitation trends and they allow in-depth examination of adversaries during and after exploitation of a honeypot. Deploying physical honeypots is often time intensive and expensive as different oper...
Improving honeyd for automatic generation of attack signatures
In this paper, we design and implement a new plugin for Honeyd which generates attack signatures automatically. Current network intrusion detection systems work on misuse detectors, where the packets in the monitored network are compared against a repository of signatures. But, we focus on automatic signature generation from malicious network traffic. Our proposed system inspects honeypot traffi...
An Analysis of Packet Fragmentation Attacks vs. Snort Intrusion Detection System
When Internet Protocol (IP) packets travel across networks, they must meet size requirements defined in the network’s Maximum Transmission Unit (MTU). If the packet is larger than the defined MTU, then it must be divided into smaller pieces, which are known as fragments. Attackers can exploit this process for their own purposes by attacking the systems. Packet fragmentation attacks have caused ...