Honeypots mailing list archives
Fingerprinting Virtual Honeynets
From: "Eric Junker" <junker () iastate edu>
Date: Wed, 26 Feb 2003 15:41:45 -0600
I am doing research on the use of virtual honeynets and ways to prevent them from being fingerprinted. I have read Kurt Seifried's paper which discusses identifying VMware systems and I have also read up on UML and skas mode. All of the fingerprinting methods that I have seen require that the attacker log into the system. Are there any ways for an attacker to remotely detect a virtual honeynet running VMware or UML?

I have some possible ideas such as doing a timing analysis on the traffic to detect that one physical network interface card is handling traffic for many virtual machines. Or possibly playing around with ARP to detect the multiple virtual machines using the same physical NIC. Another idea I had was to use some of the techniques used to identify promiscuous nodes.

In summary, are there any ways to remotely identify a virtual honeynet?

Thanks,
Eric Junker