How Honeyd Works

When an IP address of a nonexistent system is attacked, Honeyd assumes the identity of the victim and interacts with the attacker. It does not do this by assigning thousands of IP addresses to itself at once. Instead, Honeyd has only one IP address: the IP address assigned to its single interface. This is the same interface that you use to administer the honeypot. It is this same interface that resides on the network and monitors for suspicious activity.

Honeyd works on the principle that when it receives a probe or a connection for a system that does not exist, it assumes that the connection attempt is hostile, most likely a probe, scan, or attack. When Honeyd receives such traffic, it assumes the IP address of the intended ...

Get Honeypots: Tracking Hackers now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.