Anton Chuvakin Honeynet
(run as a part of the Honeynet Research Alliance)
Shut down as of 12/06/2005
Some of the raw data from this research is shared here
Goals of the project
- To learn about attacker techniques, methods and tools
- Test a SIM framework under realistic attack conditions
- Develop novel attack data analysis techniques for real-time correlation, anomaly detection and log data mining
- Study possibilities for statistical attack prediction
- Try various computer forensics tools to recover penetrated systems
- Experiment with various software and hardware configurations to accumulate attack statistics
- Collect Internet threat intelligence information
Progress of the Project
One honeynet has been deployed since March 2002. Here are some of the findings we made and things we learned:
Quarterly report for IV 2002
Quarterly report for I 2003
Quarterly report for II 2003
Quarterly report for III 2003
Quarterly report for IV 2003
Bi-annual report for 1/2 2004
Bi-annual report for 2/2 2004 [03/28/2005]
Honeynet Architecture
The initial setup includes 3 servers on a separate high-speed connection. The network topology diagram is shown below:
- Victim server (Linux, *BSD), running www-apache/mail-sendmail/pop3/imapd/ftp/ssh-openssh/nfs/ntp/other services.
- Firewall (using a modified Honeynet Project iptables script, remotely managed via ssh, logs forwarded to machine 3).
- IDS and analysis machine (Snort NIDS, Snort Spade, Bro NIDS, Argus, tcpdump, ipaudit, Shadow NIDS collector for IDABench, Honeynet Research Alliance compliant logging, MySQL database, ACID, ssh for management, SIM agent; protected by a host-based iptables firewall from all access except from the analyst workstation [see picture]).
Data control, system management, alerting and information storage are to be implemented in strict compliance with the Honeynet Definitions, Requirements, and Standards document (http://project.honeynet.org/alliance/requirements.html).
Some honeynet research results
Live Honeynet Status Data
STATUS: shut down
- [ready]Top probed ports statistics (daily, weekly, monthly)
- Top attacked ports statistics (daily, weekly, monthly)
- [ready]Top Snort NIDS alarms (daily, weekly, monthly) detected at the honeynet
- Top probing IP addresses (daily, weekly, monthly)
- Top attacking IP addresses (daily, weekly, monthly)
- Top aggressive scanners (daily, weekly, monthly)
- Top attacking countries (daily, weekly, monthly)
- Honeynet traffic profile (weekly)
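The status lists above are rank-by-count summaries over the two log sources named in the architecture section: the firewall's iptables logs (forwarded to the analysis machine) and Snort alerts. The script below is an added example, not the honeynet's own tooling, showing how those summaries are computed. Two points are assumptions of the example rather than definitions the page gives: a "probe" is taken to be a firewall-logged connection attempt and an "attack" a Snort alert, and an "aggressive scanner" is ranked by how many distinct destination ports a source touched rather than by packet volume. The code assumes standard netfilter LOG syslog lines (SRC=, DST=, PROTO=, DPT= fields; the "INBOUND TCP:" prefix is whatever the LOG rule sets) and Snort's fast-alert format (snort -A fast); all sample lines are constructed, not honeynet data.

```python
"""Top-N summaries over firewall (iptables LOG) and Snort fast-alert lines.

Added example, not code from the honeynet project. Assumptions:
  - probes  = netfilter/iptables LOG records as written to syslog;
  - attacks = Snort alerts in "fast" format;
  - aggressive scanners = sources ranked by distinct destination ports.
Sample lines below are constructed; addresses are from RFC 5737 ranges.
"""
import re
from collections import Counter, defaultdict

# Netfilter LOG record fields; SPT/DPT are absent for ICMP, so they are optional.
IPTABLES_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Snort fast format:
# "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:spt -> dst:dpt"
SNORT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<spt>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dpt>\d+))?"
)

# Constructed firewall log: one host probing three ports, one host hammering port 80, one ping.
FW_LOG = """\
Mar  3 02:11:05 fw kernel: INBOUND TCP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=21 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 02:11:06 fw kernel: INBOUND TCP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=22 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 02:11:07 fw kernel: INBOUND TCP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=23 DF PROTO=TCP SPT=40003 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 02:12:00 fw kernel: INBOUND TCP: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=9 DF PROTO=TCP SPT=3321 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 02:12:01 fw kernel: INBOUND TCP: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=10 DF PROTO=TCP SPT=3322 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 02:12:02 fw kernel: INBOUND TCP: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=11 DF PROTO=TCP SPT=3323 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 02:12:03 fw kernel: INBOUND TCP: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=12 DF PROTO=TCP SPT=3324 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 02:13:00 fw kernel: INBOUND ICMP: IN=eth0 OUT=eth1 SRC=192.0.2.99 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
"""

# Constructed Snort fast alerts; the SIDs and messages are placeholders, not real rules.
SNORT_LOG = """\
03/03-02:12:01.120000  [**] [1:100001:1] CONSTRUCTED WEB-ATTACK test rule [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:3322 -> 203.0.113.10:80
03/03-02:12:03.420000  [**] [1:100001:1] CONSTRUCTED WEB-ATTACK test rule [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:3324 -> 203.0.113.10:80
03/03-02:11:05.900000  [**] [1:100002:1] CONSTRUCTED SSH brute force test rule [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40001 -> 203.0.113.10:22
03/03-02:13:00.000000  [**] [1:100003:1] CONSTRUCTED ICMP PING test rule [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.99 -> 203.0.113.10
"""


def parse_iptables(lines):
    """Yield (src, dst, proto, dpt) for every line carrying a netfilter LOG record; dpt is None for ICMP."""
    for line in lines:
        m = IPTABLES_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"].lower(), m["dpt"]


def parse_snort(lines):
    """Yield (msg, src, dst, proto, dpt) for every Snort fast-alert line; dpt is None for ICMP."""
    for line in lines:
        m = SNORT_RE.search(line)
        if m:
            yield m["msg"], m["src"], m["dst"], m["proto"].lower(), m["dpt"]


def top_probed_ports(lines, n=10):
    return Counter(f"{proto}/{dpt}" for _, _, proto, dpt in parse_iptables(lines) if dpt).most_common(n)


def top_probing_ips(lines, n=10):
    return Counter(src for src, *_ in parse_iptables(lines)).most_common(n)


def top_scanners(lines, n=10):
    """Rank sources by breadth (distinct proto/port pairs hit), not by packet count."""
    ports = defaultdict(set)
    for src, _, proto, dpt in parse_iptables(lines):
        if dpt:
            ports[src].add((proto, dpt))
    return sorted(((src, len(p)) for src, p in ports.items()), key=lambda x: (-x[1], x[0]))[:n]


def top_snort_alarms(lines, n=10):
    return Counter(msg for msg, *_ in parse_snort(lines)).most_common(n)


def top_attacking_ips(lines, n=10):
    return Counter(src for _, src, *_ in parse_snort(lines)).most_common(n)


def top_attacked_ports(lines, n=10):
    return Counter(f"{proto}/{dpt}" for _, _, _, proto, dpt in parse_snort(lines) if dpt).most_common(n)


if __name__ == "__main__":
    fw, ids = FW_LOG.splitlines(), SNORT_LOG.splitlines()
    for title, rows in [
        ("Top probed ports", top_probed_ports(fw)),
        ("Top probing IPs", top_probing_ips(fw)),
        ("Top aggressive scanners (distinct ports)", top_scanners(fw)),
        ("Top Snort alarms", top_snort_alarms(ids)),
        ("Top attacking IPs", top_attacking_ips(ids)),
        ("Top attacked ports", top_attacked_ports(ids)),
    ]:
        print(title)
        for key, count in rows:
            print(f"  {count:6d}  {key}")
```

The daily, weekly and monthly variants in the list above are the same counters taken over the subset of lines whose syslog or Snort timestamp falls in the period; the split between "probed" (every logged connection attempt) and "attacked" (only what tripped a NIDS rule) is what keeps a noisy port-80 sweep from being read as an attack, and the breadth-based scanner ranking surfaces the host that touched three services ahead of the host that sent four packets to one.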
Papers describing my recent honeynet research and data analysis
Presentations describing my recent honeynet research and data analysis
My honeynet tools
About the project
This honeynet is run by Dr. Anton Chuvakin, as a part of the Honeynet Research Alliance. My PGP key can be found here.
Last modified: Wed May 25 11:59:50 Eastern Standard Time 2010