Worm Detection

Use Honeyd to increase the exposure of high-interaction honeypots:
Run Honeyd on large network, e.g. /16 or /8
Proxy connections from virtual IP addresses to real machines.
Decrease load by forwarding only interesting connections.

Sandbox Honeyd subsystems:
Run applications as subsystems in Systrace sandbox:
OpenSSH, Apache, Sendmail, etc.
Shared subsystems allow scaling up to large networks.
A shared subsystem can bind to multiple IP addresses.

Abnormal network traffic:
Deploy virtual honeypots within production networks.
Observe unusual network behavior:
Increased activity to honeypots.
Found many infected Umich machines this way.