To sucessfully deploy Honeyd in either a small-scale or large-scale deployment, it is important to understand how well it performs for different configurations on a given computing platform. This section gives a brief overview of Honeyd's performance on a 1.1 GHz Pentium III over an idle 100MBit/s network. By observing how fast it can return large-size ping packets, we find that Honeyd's aggregate bandwidth can easily keep up with 80MBit/s of incoming traffic. The number of templates do not seem to affect the performance of Honeyd much either. When increasing a configuration from one virtual honeypot to a system in which there are over 250,000 templates, the processing time increases from 0 .022ms per packet to only 0.032ms. This boils down to about 31,000 packets per second, which is not bad at all.
However, the most interesting measure is how many TCP connections such a system can sustain. We measured a a simple internal echo service. After it accepts a TCP connection, it outputs a single line of status information and then echos all the input it receives. We measured how many TCP requests Honeyd can support per second by creating TCP connections from 65536 random source IP addresses to 65536 random destination addresses. To decrease the client load, we developed nttlscan, a tool that creates TCP connections without requiring state on the client. A request is successful when the client sees its own data packet echoed by the echo service running under Honeyd.
Figure 5.12 shows that Honeyd can sustain about 2000 TCP transactions per second. Performance decreases slightly in the case where each of the 65K honeypots is configured individually. We also show how the performances decreases when a virtual routing topology, has been configured. The deeper the topology, the larger the performance impact. This is due to additional buffering of packets. To scale in such an environment, a fast computer with lots of memory is necessary. However, even on a modest system, it is possible to simulate thousands of different honeypots.