Honeypots are decoy systems that lure attackers by presenting them with a
seemingly vulnerable system. They provide an early detection mechanism as well
as a method for learning how adversaries work and think. However, over the last
few years, a number of researchers have shown methods for fingerprinting honeypots.
This significantly decreases the value of a honeypot; if an attacker is able to
recognize the existence of such a system, they can evade it. In this article,
we revisit the honeypot identification field by providing a holistic framework
that includes state-of-the-art and novel fingerprinting components. We decrease
the probability of false positives by proposing a rigid multi-step approach for
labeling a system as a honeypot. We perform extensive scans covering 2.9
billion addresses of the IPv4 space and identify a total of 21,855 honeypot
instances. Moreover, we present a number of interesting side findings, such as
the identification of more than 354,431 non-honeypot systems that represent
potentially vulnerable servers (e.g., SSH servers with default password
configurations and vulnerable versions). Lastly, we discuss countermeasures
against honeypot fingerprinting techniques.

