Research Article
OpenFire: Using Deception to Reduce Network Attacks
@INPROCEEDINGS{10.1109/SECCOM.2007.4550337, author={Kevin Borders and Laura Falk and Atul Prakash}, title={OpenFire: Using Deception to Reduce Network Attacks}, proceedings={3rd International ICST Conference on Security and Privacy in Communication Networks}, publisher={IEEE}, proceedings_a={SECURECOMM}, year={2008}, month={6}, keywords={Computer hacking Computer security Computer worms Filling IP networks Probes Protection Reconnaissance Storage area networks Telecommunication traffic}, doi={10.1109/SECCOM.2007.4550337} }- Kevin Borders
Laura Falk
Atul Prakash
Year: 2008
OpenFire: Using Deception to Reduce Network Attacks
SECURECOMM
IEEE
DOI: 10.1109/SECCOM.2007.4550337
Abstract
Remote network attacks are a serious problem facing network administrators today. OpenFire uses deception to interfere with the reconnaissance phase. Unlike traditional firewalls, instead of blocking unwanted traffic, it accepts all traffic, forwarding unwanted messages to a cluster of decoy machines. To the outside, all ports and all IP addresses appear open in an OpenFire network. OpenFire uses the honeypot concept in its design. However, unlike traditional honeypots, OpenFire attempts to present additional false targets by making it appear to an attacker that all ports, including unused ones, and all unused IP addresses of an organization are open, with the thesis that this will help divert attacks from real services to false services. In our experiments, we defined an attack to be snort’s priority 1 alert. During a 21-day evaluation period, we found that OpenFire reduced the number of attacks on real services by 65% as compared to an unprotected system and by 46% as compared to a Honeypot-protected system. We present OpenFire’s design, its performance, and defenses against some potential attacks.
