Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

honeypots logo Honeypots mailing list archives

honeyd security advisory: remote detection
From: Niels Provos <provos () citi umich edu>
Date: Sat, 11 Feb 2006 20:03:58 -0800
Honeyd Security Advisory 2006-001
=================================

Topic:    Remote Detection Via Multiple Probe Packets

Version:  All versions prior to Honeyd 1.5

Severity: Identification of Honeyd installations allows an
          adversary to launch attacks specifically against
          Honeyd.  No remote root exploit is currently known.

Details:
=========

Honeyd is a virtual honeypot daemon that can simulate virtual hosts on
unallocated IP addresses.

A bug in the IP reassembly codes causes Honeyd to reply to illegal
fragments that other implementations would silently drop.  Watching
for replies, it is possible to detect IP addresses simulated by
Honeyd.

Solutions:
==========

A new version of Honeyd has been released to address this issue.
The source code for Honeyd 1.5 can downloaded from

  http://www.citi.umich.edu/u/provos/honeyd/

It is suggested to run Honeyd in a chroot environment under a sandbox
like Systrace.

Existing installations can be fixed with the following patch

  http://www.honeyd.org/adv.2006-01.patch

Thanks To
=========

Jon Oberheide for finding the problem and providing a fix to avoid
detection.

More Information:
=================

More information on Honeyd can be found at

  http://www.honeyd.org/

  By Date           By Thread  

Current thread:
  • honeyd security advisory: remote detection Niels Provos (Feb 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]