Honeyd Security Advisory 2006-001

Topic: Remote Detection Via Multiple Probe Packets

Version: All versions prior to Honeyd 1.5

Severity: Identification of Honeyd installations allows an
adversary to launch attacks specifically against
Honeyd. No remote root exploit is currently known.

Details:

Honeyd is a virtual honeypot daemon that can simulate virtual hosts on
unallocated IP addresses.

A bug in the IP reassembly codes causes Honeyd to reply to illegal
fragments that other implementations would silently drop. Watching
for replies, it is possible to detect IP addresses simulated by
Honeyd.

Solutions:

A new version of Honeyd has been released to address this issue.
The source code for Honeyd 1.5 can downloaded from

http://www.citi.umich.edu/u/provos/honeyd/

It is suggested to run Honeyd in a chroot environment under a sandbox
like Systrace.

Existing installations can be fixed with the following patch

http://www.honeyd.org/adv.2006-01.patch

Thanks To

Jon Oberheide for finding the problem and providing a fix to avoid
detection.

More Information:

More information on Honeyd can be found at

http://www.honeyd.org/