Honeypots mailing list archives

Fingerprinting Virtual Honeynets


From: "Eric Junker" <junker () iastate edu>
Date: Wed, 26 Feb 2003 15:41:45 -0600

I am doing research on the use of virtual honeynets and ways to prevent
them from being fingerprinted. I have read Kurt Seifried's paper which
discusses identifying VMware systems and I have also read up on UML and
skas mode. All of the fingerprinting methods that I have seen require
that the attacker log into the system. Are there any ways for an
attacker to remotely detect a virtual honeynet running VMware or UML? I
have some possible ideas such as doing a timing analysis on the traffic
to detect that one physical network interface card is handling traffic
for many virtual machines. Or possibly playing around with ARP to detect
the multiple virtual machines using the same physical NIC. Another idea
I had was to use some of the techniques used to identify promiscuous
nodes. In summary, are there any ways to remotely identify a virtual
honeynet?

Thanks,
Eric Junker



