OpenFire: Using deception to reduce network attacks

Remote network attacks are a serious problem facing network administrators today. OpenFire uses deception to interfere with the reconnaissance phase. Unlike traditional firewalls, instead of blocking unwanted traffic, it accepts all traffic, forwarding unwanted messages to a cluster of decoy machines. To the outside, all ports and all IP addresses appear open in an OpenFire network. OpenFire uses the honeypot concept in its design. However, unlike traditional honeypots, OpenFire attempts to present additional false targets by making it appear to an attacker that all ports, including unused ones, and all unused IP addresses of an organization are open, with the thesis that this will help divert attacks from real services to false services. In our experiments, we defined an attack to be snort’s priority 1 alert. During a 21-day evaluation period, we found that OpenFire reduced the number of attacks on real services by 65% as compared to an unprotected system and by 46% as compared to a Honeypot-protected system. We present OpenFire’s design, its performance, and defenses against some potential attacks.