Description
Honeypots play an important role in internet security and
intrusion detection and derive their benefits through their
ability to blend in with genuine systems. With recent research
showing significant deficiencies in existing open-source
honeypot solutions for Microsoft's Remote Desktop Protocol in
terms of detectability, the need for a new, more stealthy
approach is apparent. We thus developed a novel approach that is
not designed as a man-in-the-middle but implemented directly on
the target system and compared it to two existing solutions by
deploying multiple servers in the cloud and evaluating the
captured data. To realize this new approach, we reversed
relevant parts of Microsoft's Remote Desktop Services on an
off-the-shelf Windows Server system and hooked relevant
functions to extract information about running RDP sessions. 33
days and more than 2.8 million connection attempts later, the
results indicate that only one honeypot separated itself from
the other solutions, receiving 89% less traffic than the other
honeypots. Our approach seemed to be on par with the remaining
solution regarding the number of connections and attackers,
which we attribute to a considerable share of the attackers
lacking either the interest or the knowledge to detect the
reference honeypot.