Honeypot architectures for IPv6 networks
Abstract
The decrease of available IPv4 addresses and the requirement for new features require Internet service providers to deploy IPv6 networks. It is not a question of if, but when new network attacks will appear, which target the comparatively new network protocol. Virtual honeypots provide an important tool for the observation of assaults in computer networks. In contrast to intrusion detection systems, honeypots interact with an attacker and therefore allow the creation of fine-grained evaluations of attack sequences. This thesis focuses on honeypot architectures which are specialized in the observation of IPv6 network attacks. A survey of existing honeypot solutions reveals a need for IPv6-specific honeypots with support for large IPv6 address spaces. Long-term observations of two different darknets prove that IPv6 networks are not free of unintended activity. Large-scale network scans search through vast and unforeseeable address ranges to find and explore new IPv6-enabled hosts. This thesis proposes two different honeypot architectures and presents the corresponding prototype implementations, called Honeydv6 and Hyhoneydv6, to overcome the need for IPv6 honeypot solutions. Honeydv6 is a low-interaction honeypot which is able to simulate entire IPv6 networks to efficiently observe network scan approaches and assaults. It extends the well-known low-interaction honeypot solution Honeyd with a custom IPv6 stack and a new dynamic honeypot instantiation mechanism. The utilization of a custom network stack implementation allows Honeydv6 to simulate multiple hosts with different IPv6 addresses on a single host and to observe even low-level IPv6 attacks, such as attacks on the IPv6 fragmentation mechanism. The dynamic instantiation mechanism spawns new low-interaction honeypots on-demand based on attackers’ destinations. This approach allows Honeydv6 to cover large IPv6 address spaces and to respond to attacks that target arbitrary IPv6 address ranges.
Low-interaction honeypots only simulate network services up to a certain degree of granularity. For complex attack scenarios where authentic network services are a requirement, low-interaction honeypots may not suffice and a deployment of high-interaction honeypots becomes necessary. However, the vast IPv6 address space makes classical high-interaction honeypot deployment strategies impossible and new architectural approaches are required. Hyhoneydv6 was designed to efficiently allow the deployment of high-interaction honeypots in IPv6 networks. In contrast to Honeydv6, Hyhoneydv6 is a hybrid honeypot framework which includes a combination of low-interaction and virtual machine-based high-interaction honeypots. Low-interaction honeypots in the Hyhoneydv6 architecture process network scans and attacks on less complex network services. High-interaction honeypots focus on the processing of attacks on complex and proprietary network services. The Hyhoneydv6 architecture includes a newly developed proxy mechanism which transparently forwards attackers from low- to high-interaction honeypots. Hyhoneydv6 adapts the dynamic low-interaction honeypot instantiation mechanism of Honeydv6 to dynamically deploy high-interaction honeypots. This includes an on-demand address reconfiguration of high-interaction honeypot instances. The performance measurements of the Honeydv6 and the Hyhoneydv6 prototype implementations show that both architectures do not rely on expensive infrastructures and can be run on off-the-shelf hardware.
Similar resources
Hyhoneydv6: A hybrid Honeypot Architecture for IPv6 Networks
This paper presents a new hybrid honeypot architecture which focuses on the coverage of large IPv6 address spaces. Results from a 15-month darknet experiment verify that attackers and researchers utilise various approaches to scan wide and unforeseeable IPv6 address ranges which cannot be managed with current honeypot solutions. The huge IPv6 address space not only makes it hard for attackers...
An Advanced Hybrid Honeypot for Providing Effective Resistance in Automatic Network Generation
Increasing usage of Internet and computer networks by individuals and organizations and also attackers’ usage of new methods and tools in an attempt to endanger network security, have led to the emergence of a wide range of threats to networks. A honeypot is one of the basic techniques employed for network security improvement. It is basically designed to be attacked so as to get the attackers’...
Wireless Honeypot: Framework, Architectures and Tools
Even though a spectrum of security solutions exists, the lack of knowledge about the exploitation methods used to compromise wireless networks is threatening the free and easy usage of wireless technologies in commercial world. Wireless Honeypot has come up as a recent solution to evaluate and assess the security in wireless environment at different layers. This paper surveys a range of wireles...
Secured Route Optimization and Micro-mobility with Enhanced Handover Scheme in Mobile IPv6 Networks
Damage to the urban gas network in an earthquake can cause heavy losses, including losses from fire in the infrastructure network and losses from service interruption and the repair and replacement of network components. In this paper, a fire model is proposed. The proposed model is applied within a conventional semi-probabilistic model for estimating the various losses caused by damage to the urban gas network. The aim of this work is to develop a...
IoTPOT: A Novel Honeypot for Revealing Current IoT Threats
We analyze the increasing threats against IoT devices. We show that Telnet-based attacks that target IoT devices have rocketed since 2014. Based on this observation, we propose an IoT honeypot and sandbox, which attracts and analyzes Telnet-based attacks against various IoT devices running on different CPU architectures such as ARM, MIPS, and PPC. By analyzing the observation results of our hon...