This chapter presented an overview of cutting-edge research into high-performance honeypot deployments. We showed the three different approaches taken by Collapsar, Potemkin, and RolePlayer. Collapsar used GRE tunnels to redirect production traffic in multiple different networks to a single honeypot center. Scalability was achieved by replicating high-interaction honeypots across multiple physical servers. Potemkin provided the core insight that an unused honeypot is wasting precious resources. Instead of provisioning honeypots all the time, in Potemkin, a honeypot is created only when traffic is being received for a new destination IP address. To prevent explosive growth of resources, the virtual machines that implement the honeypots are destroyed the moment they become idle. RolePlayer took a completely different approach and offloads high-interaction honeypots by responding to known application sessions. It does not require any specific protocol knowledge and learns how to speak different protocols just by looking at examples.
Although these three systems have been implemented as research systems in universities, they are unfortunately not available to the general public. However, we can use the lessons learned and apply them to our own hybrid systems. We showed a straightforward way to use a NAT gateway to load-balance traffic among multiple high-interaction honeypots. This approach has also been taken by the iSink system. Finally, we provided some guidelines on how to modify Honeyd to provide similar filtering techniques to those employed by iSink. We hope that the insights and practical examples discussed here will help you to build your own large-scale honeynets.