Anti-fingerprinting
HYDRA implements deep anti-fingerprinting to defeat the standard techniques attackers use to identify honeypots.
Techniques
SSH banner
The SSH banner is set to exactly match the banner of a real Ubuntu server.
Many honeypots use generic or incorrect banners. HYDRA's banner matches the persona's OS version precisely.
/proc/1/cgroup
Traditional honeypots running in Docker expose container traces in /proc/1/cgroup. HYDRA returns a clean cgroup output with no Docker, containerd, or LXC references — exactly what a bare-metal Ubuntu server would show.
Authentication delay
Real SSH servers take 0.5–2.0 seconds to process authentication under load. HYDRA adds a randomized delay in this range. Instant authentication (0ms) is a classic honeypot tell.
Kernel coherence
uname -r returns a kernel version that matches the persona's Ubuntu release. The same kernel appears in /proc/version, boot logs, and any other location an attacker might check.
Kinsing evasion detection
The Kinsing botnet invokes /bin/./uname (with a dot-slash segment) instead of /usr/bin/uname to evade simple string matching on command names. HYDRA's cmd_router normalizes these paths before dispatch and handles them correctly: 148 Kinsing sessions were captured without the honeypot being detected.
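The path normalization described above, written out as an added example (this is illustrative code, not HYDRA's own cmd_router; the BIN_DIRS table and the function names are assumptions):

```python
import posixpath
import shlex

# Directories a real Ubuntu box resolves commands from. Constructed for this
# example; the honeypot's own table may differ.
BIN_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin",
            "/usr/local/bin", "/usr/local/sbin")


def canonical_command(token: str) -> str:
    """Reduce the first token of a command line to its bare command name.

    /bin/./uname, /usr/bin/uname and /bin/../bin/uname all become "uname",
    so a router keyed on bare names matches the evasive spellings too.
    """
    if "/" not in token:
        return token
    # normpath collapses "./" and "../" segments purely lexically, without
    # touching the real filesystem.
    path = posixpath.normpath(token)
    head, name = posixpath.split(path)
    if head in BIN_DIRS:
        return name
    # A path outside the known bin dirs (e.g. /tmp/./x) is kept as a full
    # path so the router can treat it as an unknown binary.
    return path


def route(command_line: str) -> tuple[str, list[str]]:
    """Split a raw shell line into (canonical command, argv)."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = command_line.split()
    if not argv:
        return ("", [])
    return (canonical_command(argv[0]), argv[1:])
```

A router that looks up the first element of route()'s result sees "uname" whether the session typed uname, /usr/bin/uname or /bin/./uname.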
Response timing jitter
LLM responses are artificially delayed with random jitter to simulate realistic I/O latency. An instant response to cat /etc/shadow (which should involve disk I/O) would be suspicious.
Universal filler files
A real /root directory always has residual dotfiles from normal usage: .Xauthority, .lesshst, .viminfo, .rnd, .putty/, etc. HYDRA adds these "filler files" to every persona so that ls -la /root doesn't show a suspiciously clean directory with only 4 files.