A First Look: Using Linux Containers for Deceptive Honeypots
Server honeypots are static systems, set up to monitor attacks on research and production networks. Static honeypots are unable to represent the dynamic nature of today's networks, where different numbers of hardware devices and hosts running various operating systems are online at a particular time and frequently join and leave a network. A single static server honeypot presents a particular operating system, set of open ports and hardware type, all associated with a unique address (i.e., IP or MAC address). A static honeypot system is also always present on the network while other hosts leave and join frequently. These properties of static systems can be a revealing indication of the presence of a honeypot within a network. Dynamic honeypots overcome the static nature of server honeypots by automatically adjusting the number of hosts, operating systems and running services of the honeypots deployed in a network environment, based on the topology of the production network. In this paper a dynamic honeypot design with self-configuring capabilities, based on the Windows platform, is presented with a focus on usability and simplicity in installation, configuration and management. The honeypot can be deployed within production networks without requiring prior knowledge of the network topology, hardware, operating systems or the associated services and open ports on the network. Dynamic honeypots can lead to greater popularity and increased adoption of server honeypots among end-users and within production networks. The active and passive fingerprinting techniques used to map a network and its systems for dynamic honeypot deployment are also evaluated, and their accuracy and speed of detection are measured and discussed.
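The self-configuring step described above, deriving honeypot profiles from the fingerprinted production network, is illustrated by the following added example; it is not code from the paper. The inventory, subnet and profile names are constructed, and the apportionment rule (largest remainder) is an assumption about one reasonable way to mirror the live OS and service mix.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    os: str
    ports: tuple  # open TCP ports, as reported by fingerprinting


# Constructed inventory standing in for active/passive fingerprinting results.
OBSERVED = [
    Host("10.0.0.11", "Windows 10", (135, 445, 3389)),
    Host("10.0.0.12", "Windows 10", (135, 445, 3389)),
    Host("10.0.0.13", "Windows 10", (135, 445, 3389)),
    Host("10.0.0.14", "Windows Server 2019", (80, 445)),
    Host("10.0.0.15", "Ubuntu 20.04", (22, 80)),
    Host("10.0.0.16", "Ubuntu 20.04", (22, 80)),
]
SUBNET = [f"10.0.0.{i}" for i in range(11, 21)]  # constructed /28-sized slice


def profile_counts(hosts):
    """How many live hosts present each (OS, open-port set) combination."""
    return Counter((h.os, h.ports) for h in hosts)


def apportion(counts, budget):
    """Largest-remainder split of `budget` honeypots across observed profiles,
    so the decoys keep the same OS/service proportions as the real hosts."""
    total = sum(counts.values())
    quota = {p: budget * n / total for p, n in counts.items()}
    alloc = {p: int(q) for p, q in quota.items()}
    leftover = budget - sum(alloc.values())
    by_fraction = sorted(quota, key=lambda p: quota[p] - alloc[p], reverse=True)
    for p in by_fraction[:leftover]:
        alloc[p] += 1
    return alloc


def plan_honeypots(hosts, subnet, budget):
    """Assign honeypot profiles to addresses not currently used by live hosts.
    Re-running this after each network sweep lets decoys join and leave with
    the real population instead of sitting at one fixed address forever."""
    used = {h.ip for h in hosts}
    free = [ip for ip in subnet if ip not in used]
    plan = []
    for (os_name, ports), n in apportion(profile_counts(hosts), budget).items():
        for _ in range(n):
            if not free:
                return plan  # subnet exhausted: deploy only what fits
            plan.append(Host(free.pop(0), os_name, ports))
    return plan
```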