"Is this just a theoretical defence against Honeynets, or has it been demonstrated in principle / observed in the wild?"
Has somebody done it and shown it to work on a limited network? Yes.
Have they written up a paper about it? No (though they might; I will have to check with them).
As for in the wild, I am not sure anybody has gone looking for this class of attack yet.
By the way, it is a series of attacks, not just a single attack. They are variations on different "side channel" attacks based on using the available timing information from the target machine, both time stamps and other visible effects in timing.
I will describe one attack which will work from just about anywhere on the Internet against a Honeynet machine which has multiple OSs and IP addresses hosted on it.
First I will give you the background on it so you can find the info to Do It Yourself, as it were.
About a year and two thirds ago Bruce blogged about "Remote Physical Device Fingerprinting".
The article on which it was based is available from,
At the time I commented that,
"This "attack" is a form of Tempest attack, and the old adage about the information "energy and bandwidth" applies. Interestingly, looking at their paper they have missed a couple of things that might provide more information about the computer. Basically the resonant frequency of an Xtal oscillator is decided by the electrical and physical characteristics of the circuit. This means that the frequency changes with the applied voltage, temperature and mechanical vibration. So if there is sufficient bandwidth in the time detection method it might well be possible to tell things about the environment the laptop is in and how much it is being used (heavy calculations take the temperature up and drop the power supply voltage slightly)."
And also a couple of suggestions for a quick hardware fix. From which you can see that I had given some thought to the problem. One item I did not really go into further was,
"heavy calculations take the temperature up"
This was independently taken up by a couple of people at Cambridge Labs, and they developed it into an attack against anonymous servers such as Tor's in their paper,
Although they considered the use of systems with two IP addresses in the box they did not expand on the idea any further.
Well, one of the problems with Honeynets is the need to look real, in a cost efficient manner, as well as having the machines not send uncontrolled data out to the Internet.
The easy solution is to host multiple OSs and IPs on a single host, or to use an OS that responds to multiple IP addresses. The box has one or more network cards that are on the Honeynet. The box is also unused by a real user, to address the issue of Internet traffic from the box; this is an important issue, as a new attack might only be visible after it has worked and is starting to send requests back to the Internet.
Well, on such a machine the one thing that remains in common is its system clock or XTAL; any drift in this is identically observable on all the IP addresses and network cards.
As a Cracker all you need to do is get the timing information from a range of IP addresses on the target and cross-correlate them with each other. Those that show identical skew or other effects are with high probability the same machine.
If there are just one or two IPs with the same skew in a range of IP addresses then it might be a real working network, in, say, a software development environment.
However, if there are a significant number then there is a reasonable chance it's a Honeynet or other similar network. As a "wily Cracker" you will treat it like a bag of snakes and go somewhere else.
You can do other types of timing attack to achieve similar results.
You can also use the same technique to identify individual machines behind certain types of load sharing system.
Why would you want to do this? Well, imagine you are a small company using a hosting company to put your web site up. You write secure web code and do reasonable testing, so not really a problem.
However, the hosting company, to better utilise resources, puts several other web sites on the same box and they might not be as secure. Even if they say they don't/won't, at some time or another there is a chance they will, just to maintain service. Several hosting companies are known to do this when there are "technical difficulties" in order to maintain continuation of service and avoid taking SLA penalties (often it's in the paperwork, right down in the fine print).
A Cracker might then be able to find a poorly written web site on the same box as your web site, get a toehold into the server box, then escalate their way into your secure web site to get at your data or other information.
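One way to carry out the cross-correlation step the comment describes (collect timing information from a range of IPs, estimate each one's clock skew, and group the IPs whose skew matches) is sketched below. This is an added example, not code from the comment, from Schneier's post, or from the Kohno et al. paper; it uses TCP timestamp option values as the "available timing information" and a plain least-squares slope rather than the paper's linear-programming envelope. The tick rate (1000 Hz), the 1 ppm match tolerance, the "four or more IPs" threshold for flagging a group, and the captures themselves (simulated from three hypothetical physical clocks, one of them hosting six IPs) are all assumptions made for the example; on a real network you would record (receive time, TCP timestamp) pairs per source IP with a packet capture tool and feed them to `analyse()`.

```python
"""Clock-skew cross-correlation across IP addresses (added example, not from the original post).

Each TCP segment with the timestamp option carries a counter that ticks at a
fixed rate off the sender's system clock. Plotting (remote ticks / Hz) minus
our own receive time against receive time gives a line whose slope is the
sender's clock skew in parts per million. IPs driven by one physical XTAL
share that slope, no matter how many OS instances or NICs sit in front of it.
"""
import random
from typing import Dict, List, Tuple

TICK_HZ = 1000.0            # assumed remote timestamp rate (common Linux value)
SKEW_TOLERANCE_PPM = 1.0    # assumed: two skews within this are treated as "the same clock"
SUSPICIOUS_GROUP_SIZE = 4   # assumed: the comment's "significant number" of IPs

Sample = Tuple[float, int]  # (observer receive time in seconds, remote TCP timestamp ticks)


def estimate_skew_ppm(samples: List[Sample], tick_hz: float = TICK_HZ) -> float:
    """Least-squares slope of (remote seconds - local seconds) vs local time, in ppm.

    Positive means the remote clock runs fast relative to the observer's clock.
    Timestamp wrap-around (32-bit counter) is not handled; captures are assumed short.
    """
    t0, v0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [(v - v0) / tick_hz - (t - t0) for t, v in samples]
    n = len(samples)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def cluster_by_skew(skews: Dict[str, float], tol: float = SKEW_TOLERANCE_PPM) -> List[List[str]]:
    """Sort IPs by skew and chain neighbours whose skews differ by at most tol ppm."""
    groups: List[List[str]] = []
    for ip, s in sorted(skews.items(), key=lambda kv: kv[1]):
        if groups and abs(skews[groups[-1][-1]] - s) <= tol:
            groups[-1].append(ip)
        else:
            groups.append([ip])
    return groups


def flag_suspicious(groups: List[List[str]], min_size: int = SUSPICIOUS_GROUP_SIZE) -> List[List[str]]:
    """Groups large enough to suggest many 'hosts' sharing one physical clock."""
    return [g for g in groups if len(g) >= min_size]


def analyse(captures: Dict[str, List[Sample]]):
    """Per-IP skew estimates, the skew clusters, and the clusters worth avoiding."""
    skews = {ip: estimate_skew_ppm(samples) for ip, samples in captures.items()}
    groups = cluster_by_skew(skews)
    return skews, groups, flag_suspicious(groups)


# ---- constructed sample data: simulated captures, not real traffic ----
def simulate_samples(skew_ppm: float, n: int, interval_s: float, phase_ticks: int,
                     rng: random.Random, tick_hz: float = TICK_HZ) -> List[Sample]:
    """Model a sender whose clock runs (1 + skew_ppm * 1e-6) times too fast, seen through network jitter."""
    samples = []
    for i in range(n):
        true_t = i * interval_s
        ticks = int(tick_hz * true_t * (1 + skew_ppm * 1e-6)) + phase_ticks
        observed_t = true_t + rng.uniform(0.0, 0.02)   # up to 20 ms of delay variation
        samples.append((observed_t, ticks))
    return samples


def build_demo_captures(seed: int = 7) -> Dict[str, List[Sample]]:
    """Three hypothetical physical boxes; one of them answers for six IP addresses."""
    rng = random.Random(seed)
    box_skew_ppm = {"honeypot-box": 37.4, "dev-server": -12.1, "build-host": 5.3}
    ip_to_box = {
        "10.0.0.10": "honeypot-box", "10.0.0.11": "honeypot-box", "10.0.0.12": "honeypot-box",
        "10.0.0.13": "honeypot-box", "10.0.0.14": "honeypot-box", "10.0.0.15": "honeypot-box",
        "10.0.0.50": "dev-server", "10.0.0.51": "dev-server",
        "10.0.0.60": "build-host",
    }
    # 600 samples at 6 s spacing: one hour of observation per IP, each with its own timestamp phase
    return {ip: simulate_samples(box_skew_ppm[box], 600, 6.0, rng.randrange(1 << 20), rng)
            for ip, box in ip_to_box.items()}


if __name__ == "__main__":
    skews, groups, flagged = analyse(build_demo_captures())
    for ip, s in sorted(skews.items()):
        print(f"{ip:12s} skew {s:+7.2f} ppm")
    print("clusters:", groups)
    print("bag of snakes:", flagged)
```

The dev-server pair comes out as a two-IP cluster, which the comment's rule treats as a plausible real network; the six-IP cluster is the one a wily cracker walks away from. The same grouping, applied to the IPs behind a load balancer, tells you how many distinct physical boxes are answering.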