
9.4. Summary

In this chapter, we showed that there are many ways to fingerprint different honeypots. For low-interaction honeypots like Honeyd, it is possible to closely examine network responses and find logical discrepancies that would never occur with real systems. We have seen similar giveaways with high-interaction honeypots running under VMware or UML. Although many honeypot operators take countermeasures to make their honeypots more difficult to detect, we found that one common detection technique works against all of them: no virtual honeypot system is immune to timing attacks. The main reason virtual machines are susceptible is that they were never designed to be transparent or indistinguishable from a real system. Virtual machines provide only fidelity, performance, and safety, but not transparency. Even with hardware assistance, they will remain susceptible to timing attacks. A similar situation holds for low-interaction honeypots. They usually provide the illusion of multiple systems backed by just one or a few physical systems, so clever network probes can establish performance dependencies between the apparent hosts that would never occur with real, independent systems.

We have seen some movement in the underground community toward automatically detecting honeypots based on these technologies. For example, Agobot refuses to run when it detects VMware. Unfortunately, the moment a single technique for detecting honeypots has proven reliable, it will be adopted and spread widely to existing toolkits.

Does that mean building virtual honeypots is useless? Not necessarily. In the early days of the Internet, port scans were the background noise of attacker activity, and they were detected by firewalls. A few years later, vulnerability scanners were in vogue, and they were detected by intrusion detection systems. Today, we use honeypots to detect automated tools exploiting well-known flaws. To capture more interesting activity, we have to look ahead and develop the next generation of honeypots. As always, the arms race continues, and we need to stay ahead of the game!
