<<< Date Index >>>     <<< Thread Index >>>

honeyd security advisory: remote detection



Honeyd Security Advisory 2006-001
=================================

Topic:    Remote Detection Via Multiple Probe Packets

Version:  All versions prior to Honeyd 1.5

Severity: Identification of Honeyd installations allows an
          adversary to launch attacks specifically against
          Honeyd.  No remote root exploit is currently known.

Details:
=========

Honeyd is a virtual honeypot daemon that can simulate virtual hosts on
unallocated IP addresses.

A bug in the IP reassembly codes causes Honeyd to reply to illegal
fragments that other implementations would silently drop.  Watching
for replies, it is possible to detect IP addresses simulated by
Honeyd.

Solutions:
==========

A new version of Honeyd has been released to address this issue.
The source code for Honeyd 1.5 can downloaded from

  http://www.citi.umich.edu/u/provos/honeyd/

It is suggested to run Honeyd in a chroot environment under a sandbox
like Systrace.

Existing installations can be fixed with the following patch

  http://www.honeyd.org/adv.2006-01.patch

Thanks To
=========

Jon Oberheide for finding the problem and providing a fix to avoid
detection.

More Information:
=================

More information on Honeyd can be found at

  http://www.honeyd.org/