The SISSDEN sensor network is composed of nodes hosted at VPS providers (procured at a cost from those providers) and nodes donated to the project by third parties acting as endpoints. These VPS nodes are not the actual honeypots themselves. Instead, they act as transparent layer 2 tunnels to the SISSDEN datacenter. Attack traffic directed at IP addresses assigned to the VPS nodes is delivered through these transparent layer 2 tunnels to corresponding VMs in the datacenter, which run the actual honeypots as dockerized containers. The honeypots in the datacenter then respond to attacks using the tunnelled IP addresses of the VPS nodes. From the point of view of the attacker, this tunneling is invisible: all network communication appears to come from the VPS nodes themselves.
The deployed architecture allows for easier management of the honeypots. Instead of having to remotely manage (and remotely maintain) honeypots at the VPS provider locations, all honeypots can be standardized and centrally managed in one datacenter.
Multiple types of honeypot systems are deployed within SISSDEN, in the form of multiple VM instances running honeypots packaged in docker containers. Each honeypot VM emulates different services with one or more potential vulnerabilities and collects data about attacks observed against those services. Honeypots located in the backend have a standard configuration and standard data collection formats, and are injected into the appropriate transparently tunneled network VLANs to collect attack data using the IPv4 addresses layer 2 tunneled from the target VPS provider network.
Honeypot event data is live streamed to a publish/subscribe message broker system (HPFeeds). Multiple clients push data to and pull data from these message broker channels in real time, for example to ingest published event data into the backend data storage systems. The AWS S3 protocol is used to transport binary object data (such as malware or PCAP files) to the backend.
The honeypots deployed are modified to support HPFeeds (for events) and/or S3 (for binary object transfer) when necessary. In the case of HPFeeds, there must be appropriate event data generated that can be sent to a particular channel; in the case of S3, the honeypot must capture malware binaries or packet capture files which can be stored on the backend Pithos S3 instance.
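The HPFeeds exchange described above, as an added example that is not SISSDEN's or the hpfeeds project's own code: it implements the HPFeeds wire framing used by the reference client and broker (length-prefixed frames, the OP_INFO/OP_AUTH challenge-response, OP_PUBLISH) and a minimal ingestion client that counts published events per channel. Idents, channel names, the secret and the JSON events are constructed sample values.

```python
import hashlib
import json
import struct
# HPFeeds opcodes, as used by the reference hpfeeds client and broker.
OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = range(5)

def pack_str8(s: bytes) -> bytes:
    return struct.pack("!B", len(s)) + s  # one-byte length prefix, then the bytes

def unpack_str8(buf: bytes):
    n = buf[0]  # inverse of pack_str8: returns (string, remaining bytes)
    return buf[1:1 + n], buf[1 + n:]

def frame(opcode: int, payload: bytes) -> bytes:
    """4-byte big-endian total length (header included), 1-byte opcode, payload."""
    return struct.pack("!IB", 5 + len(payload), opcode) + payload

def unframe(buf: bytes):
    """Split one complete frame off a receive buffer: (opcode, payload, rest), or None."""
    if len(buf) < 5:
        return None
    length, opcode = struct.unpack("!IB", buf[:5])
    return (opcode, buf[5:length], buf[length:]) if 5 <= length <= len(buf) else None

def auth_response(info_payload: bytes, ident: bytes, secret: bytes) -> bytes:
    """Answer the broker's OP_INFO (name + 4-byte nonce) with OP_AUTH: ident plus
    sha1(nonce || secret), so the shared secret itself never crosses the wire."""
    nonce = unpack_str8(info_payload)[1]
    return frame(OP_AUTH, pack_str8(ident) + hashlib.sha1(nonce + secret).digest())

def publish(ident: bytes, channel: bytes, event: dict) -> bytes:
    """OP_PUBLISH: publisher ident, channel name, then an opaque payload (JSON here)."""
    body = json.dumps(event, separators=(",", ":")).encode()
    return frame(OP_PUBLISH, pack_str8(ident) + pack_str8(channel) + body)

def parse_publish(payload: bytes):
    """Decode an OP_PUBLISH payload into (ident, channel, event)."""
    ident, rest = unpack_str8(payload)
    channel, body = unpack_str8(rest)
    return ident.decode(), channel.decode(), json.loads(body)

def ingest(stream: bytes) -> dict:
    """Count published events per channel, as a backend ingestion client would;
    a trailing partial frame is left for the next read rather than miscounted."""
    counts = {}
    while (parsed := unframe(stream)) is not None:
        opcode, payload, stream = parsed
        if opcode == OP_PUBLISH:
            channel = parse_publish(payload)[1]
            counts[channel] = counts.get(channel, 0) + 1
    return counts
```

The per-channel counts are the raw figure behind the table below; because some honeypots publish one message per session and others one per event, such counts compare activity levels between channels of the same honeypot type only.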
The honeypots deployed as part of the core sensor network at the end of the H2020 SISSDEN project pilot include 13 types (22nd April 2019):
Honeypot | Description | Instances running (as of 22nd April 2019) | Attack events collected (from May 1st 2018 to 22nd April 2019) |
CiscoASA | Cisco ASA honeypot | 25 | 13 365 |
Cowrie | SSH/Telnet honeypot | 85 | 445 704 244 |
Conpot | ICS/SCADA honeypot | 94 | 3 312 487 |
Dionaea | Multipurpose honeypot | 91 | 7 413 572 |
Elasticpot | Elasticsearch honeypot | 92 | 102 685 |
Glastopf | Web honeypot | 94 | 37 493 304 |
Heralding | Credential catching honeypot | 96 | 524 758 226 |
Honeypy | A multipurpose honeypot | 10 | 184 993 105 |
MICROS | MICROS honeypot | 15 | 44 682 |
Rdpy | Remote desktop honeypot | 10 | 21 695 |
Spampot | Spam catching honeypot | 85 | 809 751 483 |
Struts | Apache Struts honeypot | 10 | 19 450 |
Weblogic | Weblogic honeypot | 15 | 4 474 |
For the period from May 1st 2018 to the 22nd of April 2019, the honeypots deployed as part of the SISSDEN sensor network collected around 2 013 600 000 attack events (number rounded for presentability). Note that comparing numbers of attack events across different honeypot types is not always practical: for example, Cowrie aggregates events into sessions in HPFeeds, while Honeypy or Heralding do not, leading to disparities in the events collected. Additionally, in the table above, different honeypot types were deployed at different points in time.
This number will have been exceeded by the project end date of the 30th of April, providing a truly broad and deep “big data” security data set of daily attacks observed against almost 981 honeypot IP addresses hosted on 119 different ASNs located in 58 different countries, including all EU member states.
The honeypots deployed are complemented by 3 external honeypot sensor networks: one made up of DDoS honeypots, one made up of new IoT honeypots and one based on T-Pot.
Have you developed a novel honeypot type? Interested in collaborating in deploying your honeypot? We may be able to help.
Contact us through the SISSDEN Customer Portal.