Creation and Integration of Remote High Interaction Honeypots

Martin Valicek, Gregor Schramm, Martin Pirker, S. Schrittwieser
Published in: 2017 International Conference on Software Security and Assurance (ICSSA)
Publication date: 2017-07-24
DOI: 10.1109/ICSSA.2017.21 (https://doi.org/10.1109/ICSSA.2017.21)
Citations: 5

Abstract

The internet connects an uncountable number of users and their devices; no one has a global overview anymore. This state of constant chaos poses the problem of detecting novel, previously unknown attacks and attackers, and therefore requires creative strategies to detect and study them as early as possible. One approach is the use of honeypots to bait attacks into separate, dedicated systems and study them there. This paper explores the construction of high-interaction honeypots based on Docker containers, both for Windows and Linux operating systems. A core challenge is the transparent integration of honeypots into an existing company's network, although they are located off-site and not directly on a company's premises. We report practical prototyping experiences with Linux and Windows as container hosts for a diverse set of services and the limits we encountered in current software versions as they impede our effort.