3rd International ICST Conference on Security and Privacy in Communication Networks

Research Article

OpenFire: Using Deception to Reduce Network Attacks

    @INPROCEEDINGS{10.1109/SECCOM.2007.4550337,
        author={Kevin Borders and Laura Falk and Atul Prakash},
        title={OpenFire: Using Deception to Reduce Network Attacks},
        proceedings={3rd International ICST Conference on Security and Privacy in Communication Networks},
        publisher={IEEE},
        proceedings_a={SECURECOMM},
        year={2008},
        month={6},
        keywords={Computer hacking, Computer security, Computer worms, Filling, IP networks, Probes, Protection, Reconnaissance, Storage area networks, Telecommunication traffic},
        doi={10.1109/SECCOM.2007.4550337}
    }
    
Kevin Borders1,*, Laura Falk1,*, Atul Prakash1,*
  • 1: University of Michigan, EECS Department, Ann Arbor, MI 48109
*Contact email: kborders@eecs.umich.edu, laura@eecs.umich.edu, aprakash@eecs.umich.edu

Abstract

Remote network attacks are a serious problem facing network administrators today. OpenFire uses deception to interfere with the reconnaissance phase. Unlike traditional firewalls, instead of blocking unwanted traffic, it accepts all traffic, forwarding unwanted messages to a cluster of decoy machines. To the outside, all ports and all IP addresses appear open in an OpenFire network. OpenFire uses the honeypot concept in its design. However, unlike traditional honeypots, OpenFire attempts to present additional false targets by making it appear to an attacker that all ports, including unused ones, and all unused IP addresses of an organization are open, with the thesis that this will help divert attacks from real services to false services. In our experiments, we defined an attack to be a Snort priority 1 alert. During a 21-day evaluation period, we found that OpenFire reduced the number of attacks on real services by 65% as compared to an unprotected system and by 46% as compared to a honeypot-protected system. We present OpenFire’s design, its performance, and defenses against some potential attacks.