A lightweight framework to build honeytanks

Vanderavero, Nicolas

18 December 2007

As the Internet becomes an ubiquitous medium of communication, it carries more and more malicious activities like spam, worms or denial of service attacks. One solution to detect and collect such malicious traffic is to use honeypots. They are devices or pieces of information that are not part of the usual production system. Their goals are to lure the attackers into a trap to study them, divert their attention from another target or collect statistics. In this work, we propose a lightweight framework to build honeytanks, which are very efficient low-interaction honeypots. We present and evaluate techniques and algorithms to simulate the presence of a large number of hosts with various degrees of realism and scalability, from a completely stateless approach to a stateful approach able, amongst other things, to mimic the behavior of various TCP/IP stacks. Our framework is based on ASAX, a generic and lightweight data stream analyzer. We instantiate ASAX to build powerful traffic handlers. We introduce several extensions to ASAX and to RUSSEL, its programming language. These extensions allow us to develop new concurrent programming techniques to simulate hosts and protocols in a simple and modular way. We use a recently optimized version of ASAX that makes it possible to simulate tens of thousands hosts while keeping the simulation at a high level of realism. To show the benefits of our approach, i.e., greater simplicity, flexibility, and independence of other technologies, we compare our honeytanks to Honeyd and Nepenthes, two well-known low-interaction honeypots.

Analyse de trafic

Générateur de trafic

Traffic generator

Honeytank

Security

Traffic analysis

Honeypot

Intrusion detection

Pot de miel

ASAX

Sécurité

Détection d'intrusion