Internet attacks monitoring with dynamic connection redirection mechanisms

  • SSTIC 2007 Best Academic Papers
  • Journal in Computer Virology

Abstract

High-interaction honeypots are valuable because they help us understand how an attack unfolds on a compromised machine. However, observation is generally limited to the operations the attackers perform on the honeypot itself. Outgoing malicious activity carried out from the honeypot towards remote machines on the Internet is generally disallowed for legal liability reasons. It is nevertheless particularly instructive to observe the activities initiated from the honeypot, in order to follow the attacker's behavior across different, possibly compromised, remote machines. To this end, this paper proposes a mechanism for dynamically redirecting the connections initiated from the honeypot. The mechanism gives the attacker the illusion of being connected to the remote machine he targeted, while he is in fact redirected to another local honeypot. The originality of the proposed mechanism lies in its dynamic aspect: the redirections are set up automatically, on the fly. The mechanism has been implemented and tested on a Linux kernel. This paper presents its design and implementation.
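To make the abstract's idea concrete, the following is an added model of the redirection decision, written for this page and not taken from the paper; the honeypot address and the pool of local honeypots are constructed, and the real mechanism operates on packets inside the Linux kernel rather than in Python.

```python
# Added illustration of the redirection idea from the abstract (not the paper's
# code): connections leaving the honeypot are rewritten on the fly to a pool of
# local honeypots, and replies are translated back so the attacker still sees
# the remote address he targeted. All addresses below are constructed.
from dataclasses import dataclass, field

HONEYPOT_IP = "10.0.0.5"                    # constructed: the compromised honeypot
LOCAL_POOL = ["10.0.1.10", "10.0.1.11"]     # constructed: local honeypots


@dataclass
class Redirector:
    pool: list
    # remote address the attacker asked for -> local honeypot that impersonates it
    fwd: dict = field(default_factory=dict)
    rev: dict = field(default_factory=dict)  # inverse mapping for reply traffic
    free: list = field(init=False)

    def __post_init__(self):
        self.free = list(reversed(self.pool))  # pop() hands out pool[0] first

    def outbound(self, src, dst):
        """Decide what happens to a new connection from src to dst.
        Returns (action, new_dst): 'pass' for non-honeypot traffic,
        'redirect' with the local target, or 'drop' when no local honeypot
        is free (traffic must never reach the real remote machine)."""
        if src != HONEYPOT_IP:
            return "pass", dst
        if dst not in self.fwd:
            if not self.free:
                return "drop", None
            local = self.free.pop()           # allocate on the fly
            self.fwd[dst], self.rev[local] = local, dst
        # the same remote address always maps to the same local honeypot, so
        # the attacker sees a consistent "remote machine" across sessions
        return "redirect", self.fwd[dst]

    def inbound(self, src):
        """Reverse translation for packets coming back from a local honeypot."""
        return self.rev.get(src, src)
```

Exhausting the pool yields `drop` rather than `pass`: letting the connection out would reintroduce the liability problem the abstract describes.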




Correspondence to Éric Alata.


Cite this article

Alata, É., Alberdi, I., Nicomette, V. et al. Internet attacks monitoring with dynamic connection redirection mechanisms. J Comput Virol 4, 127–136 (2008). https://doi.org/10.1007/s11416-007-0067-8
