Dressed up: Baiting attackers through endpoint service projection

Abstract

Honeypots have been widely employed to track attackers’ activities and divert potential threats against real assets. A critical challenge of honeypot research is how to better integrate deceptive honeypots as part of an overall production network. Conventional honeypots are typically deployed as separate assets near those they are protecting—they are not in the direct line of fire. Such a setup does not effectively protect real assets since attackers do not require a full network scan to identify certain production hosts. In this paper, we present a novel framework to transparently project vulnerable honey services atop real production systems without interfering the production system. The key idea is to use SDN technology to divide a production network into segments of production and decoy servers. Traffic intended for production workloads is redirected to decoys based on port or service information. The decoy servers run “vulnerable” services that are heavily monitored. From the attackers’ perspective, these vulnerable services run on production systems, but traffic is instead relayed to a honeypot with the same configuration (e.g., IP address, MAC address, running services) of the protected production system. In this way, our approach capitalizes on capturing attacks before they reach protected assets. We demonstrate its feasibility with a prototype implementation and practical deployment model. Evaluation shows that our approach incurs negligible overhead and resists potential side channel fingerprinting attacks.