21C3 Schedule Release 1.1.7

21st Chaos Communication Congress
Lectures and workshops

Thorsten Holz
Day: 2
Location: Saal 2
Start Time: 21:00 h
Duration: 01:00
ID: 109
Type: Lecture
Track: Hacking
Language: English

Anti-Honeypot Technology

Current honeypot-based tools have a huge disadvantage: attackers can detect honeypots with simple techniques and are, to some extent, also able to circumvent and disable the logging mechanisms. Using some examples, we will show methods attackers can use to play with honeypots.

Honeypots and honeynets are one of the more recent toys in the white-hat arsenal. It is usually assumed that these tools are hard to detect and that attempts to detect or disable them can be unconditionally monitored. The talk sheds some light on how attackers usually behave when they want to defeat honeypots. We will cover the process of identifying and circumventing current honeypot technology and demonstrate several ways to achieve this. The focus will be on Sebek-based honeypots, but we will also show some ways to accomplish similar results on different honeypot architectures.

Upon completion of this lecture, the attendees will have some insight into the limitations of current honeypot technology. Individuals or organizations that would like to set up or harden their own lines of deception-based defense with the help of honeypots will see some constraints on the reliability and stealthiness of honeypots. On the other hand, people with more offensive mindsets will get several ideas on how to identify and exploit honeypots.