NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
● "Artificial" attack surface
● Limited information about the attacks
● Easily identified
● High risk
Robin Berthier, 2006: Advanced honeypot architecture for network threats
Primarily use the low-interaction honeypot and utilize a high-interaction honeypot when something "interesting" is happening.
How do you define
● Fidelity via Virtual Machine Introspection
● Scalability via Virtual Machine Cloning
○ QEMU copy-on-write disk
○ Xen copy-on-write RAM
Issues: clone routing
Clones share IP and MAC address!
○ Post-cloning in-guest network reconfiguration should
○ Separate bridge/VLAN required for each clone to
○ Honeybrid requires extra setup (iptables rules, routing tables & ip marks) to be able to route clones
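The routing problem above (every clone boots from the same golden image, so every clone answers on the same IP and MAC) is easiest to see in a small simulation. The following is an added example, not code from the NSS 2013 slides or from Honeybrid: it models a pool of cloned HIHs, shows that a forwarding table keyed on IP alone collapses to a single entry, and keys the table on (VLAN tag, IP) instead. The one-VLAN-per-clone scheme, the per-session fwmark, the `br-honey` bridge name and the `ovs-vsctl`/`iptables`/`ip` command strings are assumptions for illustration; the commands are generated as text and never executed.

```python
# Added example: simulated clone routing for a hybrid honeynet.
# Not the slides' or Honeybrid's code; VLAN-per-clone, fwmark-per-session
# and the generated command strings are assumptions for illustration.
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Clone:
    name: str
    ip: str    # identical for every clone of the golden image
    mac: str   # identical as well, hence the routing problem
    vlan: int  # assumed per-clone isolation tag
    mark: int  # assumed per-session packet mark


class CloneRouter:
    """Tracks HIH clones and the attacker sessions handed off to them."""

    def __init__(self, golden_ip, golden_mac, bridge="br-honey"):
        self.golden_ip = golden_ip
        self.golden_mac = golden_mac
        self.bridge = bridge          # assumed bridge name
        self._vlan = count(100)       # constructed VLAN id allocator
        self._mark = count(1)         # constructed fwmark allocator
        self.clones = []
        self.sessions = {}            # attacker ip -> Clone

    def spawn_clone(self):
        """Copy-on-write clone: same IP/MAC, fresh VLAN tag and mark."""
        n = len(self.clones) + 1
        c = Clone(f"hih-{n}", self.golden_ip, self.golden_mac,
                  next(self._vlan), next(self._mark))
        self.clones.append(c)
        return c

    def ip_keyed_table(self):
        """Naive forwarding table keyed by IP only.

        Returns (table, collisions); every clone after the first overwrites
        the previous entry, so the table cannot tell clones apart.
        """
        table, collisions = {}, 0
        for c in self.clones:
            if c.ip in table:
                collisions += 1
            table[c.ip] = c.name
        return table, collisions

    def vlan_keyed_table(self):
        """Forwarding table keyed by (VLAN tag, IP): one entry per clone."""
        return {(c.vlan, c.ip): c.name for c in self.clones}

    def promote(self, attacker_ip):
        """Hand an 'interesting' LIH session to a dedicated clone HIH.

        A returning attacker keeps the clone it was already given.
        """
        if attacker_ip not in self.sessions:
            self.sessions[attacker_ip] = self.spawn_clone()
        return self.sessions[attacker_ip]

    def rules_for(self, attacker_ip):
        """Illustrative per-session plumbing (assumed, generated as text only)."""
        c = self.sessions[attacker_ip]
        return [
            f"ovs-vsctl set port {c.name}-vif tag={c.vlan}",
            f"iptables -t mangle -A PREROUTING -s {attacker_ip} -d {c.ip} "
            f"-j MARK --set-mark {c.mark}",
            f"ip rule add fwmark {c.mark} table {c.mark}",
            f"ip route add {c.ip}/32 dev {self.bridge}.{c.vlan} table {c.mark}",
        ]


if __name__ == "__main__":
    # Constructed sample: one golden image, two attackers promoted to clones.
    router = CloneRouter("10.0.0.5", "52:54:00:aa:bb:cc")
    a = router.promote("198.51.100.7")
    b = router.promote("203.0.113.9")
    table, collisions = router.ip_keyed_table()
    print("IP-keyed table:", table, "collisions:", collisions)
    print("VLAN-keyed table:", router.vlan_keyed_table())
    for rule in router.rules_for("198.51.100.7"):
        print(rule)
```

The collision counter is the point: two clones, one IP, one usable entry. Keying on the VLAN tag restores one entry per clone, which is why each clone needs its own bridge or VLAN before any iptables marking can route sessions to it.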
6207 attack sessions on clone HIHs in two weeks (single IP address)
[Chart: results for Windows XP SP3 x86 (128MB RAM) and Windows 7 SP1 x86 (1GB RAM) clone HIHs]
Projected memory savings via CoW RAM
[Chart: Windows XP SP3 x86 and Windows 7 SP1 x86]
● Clone routing using Open vSwitch &
● Auto-balloon number of HIHs
● Mix Linux and Windows HIHs with additional software packages installed
● Test large-scale deployment (/24)
● Zazen IDS!