• Specifics of IoT device security


    Fingerprinting of honeypots

    Some malware families run specific commands to detect traps that honeypots do not fully emulate. Attackers keep changing their fingerprinting methods to get around the techniques that protect against such detection, much as they do with virtual-machine detection. These techniques let a honeypot recognize when an attacker is checking for a trap and return fake data that makes the trap look like a real system. For example, one malware family reads the contents of /proc/cpuinfo to determine the processor type and family: most Cowrie deployments report the same processor architecture, so identical output gives the trap away.
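    The weakness described above is easy to measure and easy to remove. The following is an added example, not code from the article or from the Cowrie project: it renders a plausible, per-host /proc/cpuinfo (the ARM and x86 layouts follow the real field order of the respective kernels; model names, BogoMIPS ranges and serial numbers are constructed) and scores how uniform a fleet's answers are. Cowrie is assumed to serve /proc/cpuinfo from a static file in its emulated filesystem directory, so the rendered text would be written there per host; check this against your own deployment.

```python
import hashlib
import random
from collections import Counter

# Per-architecture layouts.  Field order mirrors the real /proc/cpuinfo of
# each kernel; the concrete values below are constructed for the example.
ARM_CORE = (
    "processor\t: {core}\n"
    "model name\t: ARMv7 Processor rev {rev} (v7l)\n"
    "BogoMIPS\t: {bogomips:.2f}\n"
    "Features\t: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt\n"
    "CPU implementer\t: 0x41\n"
    "CPU architecture: 7\n"
    "CPU variant\t: 0x0\n"
    "CPU part\t: {part}\n"
    "CPU revision\t: {rev}\n\n"
)
ARM_TRAILER = "Hardware\t: {hardware}\nRevision\t: {revision}\nSerial\t\t: {serial}\n"
X86_CORE = (
    "processor\t: {core}\n"
    "vendor_id\t: GenuineIntel\n"
    "cpu family\t: 6\n"
    "model\t\t: {model}\n"
    "model name\t: {model_name}\n"
    "cpu MHz\t\t: {mhz:.3f}\n"
    "cache size\t: {cache} KB\n"
    "bogomips\t: {bogomips:.2f}\n\n"
)
# Constructed (part id, board name) and (model, name, cache KB, MHz) choices.
ARM_PARTS = [
    ("0xc07", "Allwinner sun7i (A20) Family"),
    ("0xc09", "Freescale i.MX6 Quad/DualLite (Device Tree)"),
]
X86_MODELS = [
    (58, "Intel(R) Celeron(R) CPU 1037U @ 1.80GHz", 2048, 1800.0),
    (94, "Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz", 3072, 2300.0),
]


def make_cpuinfo(host_id: str, arch: str = "arm") -> str:
    """Render /proc/cpuinfo for one honeypot, varied but stable per host.

    Determinism matters: a real device answers the same probe the same way
    every time, so a repeat visitor must see consistent hardware details.
    """
    digest = hashlib.sha256(host_id.encode()).hexdigest()
    rng = random.Random(int(digest[:16], 16))
    cores = rng.choice([1, 2, 4])
    if arch == "arm":
        part, hardware = rng.choice(ARM_PARTS)
        rev = rng.randint(1, 10)
        bogomips = rng.uniform(30.0, 100.0)
        body = "".join(
            ARM_CORE.format(core=c, rev=rev, bogomips=bogomips, part=part)
            for c in range(cores)
        )
        return body + ARM_TRAILER.format(
            hardware=hardware,
            revision="%04x" % rng.randint(0x1000, 0xFFFF),
            serial=digest[:16],  # unique per host, like a real SoC serial
        )
    if arch == "x86":
        model, name, cache, mhz = rng.choice(X86_MODELS)
        bogomips = mhz * 2 + rng.uniform(-5.0, 5.0)
        return "".join(
            X86_CORE.format(core=c, model=model, model_name=name,
                            mhz=mhz + rng.uniform(-0.5, 0.5),
                            cache=cache, bogomips=bogomips)
            for c in range(cores)
        )
    raise ValueError(f"unsupported arch: {arch}")


def fleet_uniformity(outputs):
    """Share of honeypots whose /proc/cpuinfo equals the most common answer.

    1.0 means every trap in the fleet answers the probe identically, which is
    exactly the property a fingerprinting bot can key on.
    """
    most_common = Counter(outputs).most_common(1)[0][1]
    return most_common / len(outputs)


if __name__ == "__main__":
    fleet = [make_cpuinfo(f"honeypot-{i}") for i in range(8)]
    print(fleet[0])
    print("uniformity:", fleet_uniformity(fleet))
```

    Run fleet_uniformity over the real answers your sensors give to `cat /proc/cpuinfo` (for example, collected from each container) before and after the change; a value near 1.0 on the "before" side is the signal the paragraph above describes.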


    Operating under high load

    Opening a popular port (for example, 21, 22, 23 or 80) to the Internet almost immediately leads to connection attempts from many hosts, and the longer the port stays open, the more bots try to infect the service. For a static IP address running the same service for over twelve months, the infection rate (the number of sessions that try to install malware on the honeypot host) was about 4,000 per 15 minutes. Attacking IP addresses are not unique: we have observed a single attacker trying to infect the same machine many times.
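    The two figures above, infection sessions per 15-minute window and repeat attackers, can be derived directly from Cowrie's JSON log. The following is an added example, not the article's or Cowrie's code: the field names (eventid, src_ip, session, timestamp) match Cowrie's JSON output, while the sample lines themselves, with their addresses, session ids, URLs and hashes, are constructed for the example. A session counts as an infection attempt when it contains a file download or upload event.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample of Cowrie JSON log lines (layout of cowrie.json; values made up).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","dst_port":22,"session":"a1","timestamp":"2021-03-01T10:00:05.000000Z"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.10","session":"a1","url":"http://example.invalid/bins/x86","shasum":"deadbeef","timestamp":"2021-03-01T10:00:09.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.10","session":"a1","timestamp":"2021-03-01T10:00:10.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","dst_port":22,"session":"a2","timestamp":"2021-03-01T10:03:00.000000Z"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.10","session":"a2","url":"http://example.invalid/bins/x86","shasum":"deadbeef","timestamp":"2021-03-01T10:03:04.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","dst_port":23,"session":"b1","timestamp":"2021-03-01T10:10:00.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.7","session":"b1","timestamp":"2021-03-01T10:10:02.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","dst_port":23,"session":"b2","timestamp":"2021-03-01T10:20:00.000000Z"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.7","session":"b2","url":"http://example.invalid/bins/mips","shasum":"cafebabe","timestamp":"2021-03-01T10:20:03.000000Z"}
"""

# Events that show the visitor trying to place a payload on the trap.
INFECTION_EVENTS = {"cowrie.session.file_download", "cowrie.session.file_upload"}


def parse_events(text):
    """Parse JSON-lines log text; skips blank or truncated lines (log rotation)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def infection_sessions(events):
    """Map session id -> (src_ip, time of the first payload delivery attempt)."""
    first = {}
    for ev in events:
        if ev["eventid"] in INFECTION_EVENTS and ev["session"] not in first:
            first[ev["session"]] = (ev["src_ip"], ev["ts"])
    return first


def infections_per_window(events, minutes=15):
    """Infection sessions per fixed window, keyed by the window start (ISO 8601)."""
    buckets = Counter()
    for _src, ts in infection_sessions(events).values():
        start = ts.replace(minute=ts.minute - ts.minute % minutes,
                           second=0, microsecond=0)
        buckets[start.isoformat()] += 1
    return dict(buckets)


def repeat_attackers(events, min_sessions=2):
    """Source IPs that attempted an infection in at least `min_sessions` sessions."""
    per_ip = Counter(src for src, _ts in infection_sessions(events).values())
    return {ip: n for ip, n in per_ip.items() if n >= min_sessions}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("infection sessions:", len(infection_sessions(evs)))
    print("per 15-min window:", infections_per_window(evs))
    print("repeat attackers:", repeat_attackers(evs))
```

    On the sample, the 10:00 window holds two infection sessions and the 10:15 window one, and 203.0.113.10 is flagged as a repeat attacker with two sessions; the same functions run unchanged over a real cowrie.json, which is how the "4,000 per 15 minutes" style of figure is produced.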


    A large number of connections places a significant load on both the network stack and the trap's emulation stack. In our experience, Cowrie can handle 10,000 simultaneous sessions on a single honeypot. For heavily loaded systems, one solution is kernel-level load balancing across multiple Docker containers, which is easy to implement with the netfilter module built into the kernel.
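    One way to do that balancing with netfilter alone is a chain of DNAT rules using the xt_statistic match in nth mode. The following is an added example, not from the article or from Cowrie: it generates the iptables commands for N container backends and simulates the per-rule counters to show that each backend receives an equal share of new connections. The container addresses and the listening port 2222 are constructed placeholders (2222 is Cowrie's usual SSH listener, but adjust to your containers); the commands are only generated here, not executed.

```python
def lb_rules(listen_port, backends, table="nat", chain="PREROUTING"):
    """Return iptables commands for round-robin DNAT over `backends` ("ip:port").

    Rule i carries `-m statistic --mode nth --every (N-i) --packet 0`, so the
    first rule takes 1/N of all packets, the second 1/(N-1) of what is left,
    and so on; the last rule needs no statistic match at all.  Only the first
    packet of a TCP connection traverses the nat table, and conntrack keeps
    the rest of that session on the chosen backend.
    """
    n = len(backends)
    rules = []
    for i, dst in enumerate(backends):
        every = n - i
        match = (f" -m statistic --mode nth --every {every} --packet 0"
                 if every > 1 else "")
        rules.append(
            f"iptables -t {table} -A {chain} -p tcp --dport {listen_port}"
            f"{match} -j DNAT --to-destination {dst}"
        )
    return rules


def simulate_nth_chain(n_backends, connections):
    """Model xt_statistic nth counters for the rule chain built by lb_rules.

    Each rule keeps its own counter of packets that reached it and matches
    the first of every `every` such packets (--packet 0).  Returns the number
    of new connections each backend would receive.
    """
    counters = [0] * n_backends
    hits = [0] * n_backends
    for _ in range(connections):
        for i in range(n_backends):
            every = n_backends - i
            if every == 1:          # last rule: unconditional DNAT
                hits[i] += 1
                break
            matched = counters[i] == 0
            counters[i] = (counters[i] + 1) % every
            if matched:
                hits[i] += 1
                break
    return hits


if __name__ == "__main__":
    # Constructed container addresses; replace with the real ones.
    backends = ["172.17.0.2:2222", "172.17.0.3:2222", "172.17.0.4:2222"]
    for rule in lb_rules(22, backends):
        print(rule)
    print("connections per backend:", simulate_nth_chain(3, 300))
```

    The decreasing `--every` values are the part people get wrong: three rules that each say `--every 3` would give the backends 1/3, 2/9 and 4/9 of the traffic. The simulation is there to check the distribution before the rules go on a box that is already taking thousands of sessions.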

