Camouflaging Honeypots
Over the past several years, honeynets have proven invaluable for understanding the characteristics of unwanted Internet traffic from misconfigurations and malicious attacks. In this paper, we address the problem of defending honeynets against systematic mapping by malicious parties, so we can ensure that honeynets remain viable in the long term.
Our approach is based on two ideas:
(i) counting the number of probes received in the honeynet, and
(ii) shuffling the location of live systems with those that comprise the honeynet in a larger address space after the probe count has exceeded a threshold.
We describe four different strategies for randomizing the location of the honeynet. Each strategy is defined in terms of the degree of defense that it provides and its associated computational and state requirements.
We implement a prototype middle box that we call Kaleidoscope to gain practical insight on the feasibility of these strategies. Through a series of tests we show that the system is capable of effectively defending honeynets in large networks with limited impact on normal traffic, and that it continues to respond well in the face of large resource attacks.
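The probe-count-and-shuffle approach described above can be sketched as a small simulation. This is an added example, not Kaleidoscope's code and not one of the paper's four strategies; the class and function names, the threshold values, and the use of a uniform random permutation are assumptions made for illustration.

```python
import random

class ShufflingAddressSpace:
    """Maps external addresses to internal slots; some slots are honeynet sensors."""

    def __init__(self, size, honeynet_slots, threshold, seed=None):
        self.rng = random.Random(seed)       # seed is only for reproducible demos
        self.honeynet = set(honeynet_slots)  # internal slots that are sensors
        self.threshold = threshold           # assumed value, chosen by the operator
        self.mapping = list(range(size))     # external address index -> internal slot
        self.probe_count = 0
        self.shuffles = 0

    def honeynet_addresses(self):
        """External addresses currently backed by honeynet slots."""
        return {ext for ext, slot in enumerate(self.mapping) if slot in self.honeynet}

    def handle_packet(self, ext_addr):
        """Route one inbound packet; return 'honeynet' or 'live'."""
        slot = self.mapping[ext_addr]
        if slot not in self.honeynet:
            return "live"
        self.probe_count += 1                # idea (i): count probes received in the honeynet
        if self.probe_count > self.threshold:
            self._shuffle()                  # idea (ii): relocate once the count exceeds the threshold
        return "honeynet"

    def _shuffle(self):
        # Uniform permutation of the whole space (assumption for this sketch).
        self.rng.shuffle(self.mapping)
        self.probe_count = 0
        self.shuffles += 1


def run_sweep(space, size):
    """Constructed traffic: one sequential pass over the space.
    Returns the addresses that answered as honeynet at the time they were probed."""
    return {addr for addr in range(size) if space.handle_packet(addr) == "honeynet"}


if __name__ == "__main__":
    space = ShufflingAddressSpace(size=64, honeynet_slots=range(16), threshold=4, seed=1)
    seen = run_sweep(space, 64)
    stale = seen - space.honeynet_addresses()
    print(f"shuffles={space.shuffles} recorded={len(seen)} stale={len(stale)}")
```

Comparing the addresses recorded during the sweep with `honeynet_addresses()` afterwards shows how much of a collected map is already out of date once shuffling has been triggered.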