Honeyd Research: Performance

As Honeyd can simulate thousands of machines and address space that can be arbitrarily large, it is important to analyze how Honeyd performs.

This simple analysis looks at the bandwidth Honeyd can support when responding to ICMP ping requests. We check the number of returned ICMP packets for sending ping requests to the interface of the host that Honeyd runs on, to the IP address of the entry router that Honeyd simulates and to random IP addresses in C-class networks in the simulated routing topology. One C-class network is one hop away from the entry router, the other one is two hops away.

In general, Honeyd makes use of advanced data structures to increase performance. The routing topology at each router uses ternary trees and provides O(log(n)) lookups for networks. Other data structures within Honeyd use hash tables or splay trees.

To determine Honeyd’s TCP performance, we measure the number of TCP transactions per second that Honeyd supports for different configurations. The upper graph on the right shows the performance when using the default template for all honeypots and when using an individual template for each honeypot. Performance decreases slightly when each of the 65K honeypots is configured individually. The lower graph shows the performance for contacting honeypots at different levels of a routing topology. On a 1Ghz Pentium II processor, Honeyd supports about 2000 transactions per second.

Support

If you have suggestions on how to improve performance or would like to make resources available, please let me know.