Anton Chuvakin Honeynet

(run as a part of the Honeynet Research Alliance)
Shutdown as of 12/06/2005

Some of the raw data from this research is shared here

Goals of the project

To learn about attacker techniques, methods and tools
Test a SIM framework under realistic attack conditions
Develop novel attack data analysis techniques for real-time correlation, anomaly detection and log data mining
Study possibilities for statistical attack prediction
Try various computer forensics tools to recover penetrated systems
Experiment with various software and hardware configurations to accumulate attack statistics
Collect Internet threat intelligence information

Progress of the Project

One honeynet is deployed since March 2002. Here are some of the findings we made and things we learned:

Quarterly report for IV 2002

Quarterly report for I 2003

Quarterly report for II 2003

Quarterly report for III 2003

Quarterly report for IV 2003

Bi-annual report for 1/2 2004

Bi-annual report for 2/2 2004 [03/28/2005]

Honeynet Architecture

Initial setup includes 3 servers on a separate high-speed connection. Network topology diagram is shown below:

Victim server (Linux, *BSD). Server is running www-apache/mail-sendmail/pop3/imapd/ftp/ssh-openssh/nfs/ntp/other services

Firewall (using modified Honeynet project iptables script, remotely managed via ssh, logs forwarded to machine 3).

IDS and analysis machine (Snort NIDS, Snort Spade, Bro NIDS, Argus, tcpdump, ipaudit, Shadow NIDS collector for IDABench, Honeynet Research Alliance compliant logging, mysql database, ACID, ssh for management, SIM agent, protected by host-based iptables firewall from all accesses with the exception of analyst workstation [see picture]).

Data control, system management, alerting and information storing is to be implemented in strict compliance with Honeynet Definitions, Requirements, and Standards document ( http://project.honeynet.org/alliance/requirements.html)

Some honeynet research results

[ready]Current Internet Worm profiles: MSBlaster, CodeRed, Slammer, Welchia. How much worm is out there...
[ready]My Scan of the Month Challenge #30 created using honeynet data and my official write-up for it.

Live Honeynet Status Data

STATUS: shut down

Papers describing my recent honeynet research and data analysis

(06/18/2002) "Lessons of the Honeypot I: Aggressive and Careless" describes some of the lessons one can get from running a honeypot [published at SC Magazine web portal]
(09/25/2002) "Lessons of the Honeypot II: Expect the Unexpected" outlines how honeynets and honeypots present an ultimate challenge in information security [published at SC Magazine web portal]
(10/08/2002) "Whys and Hows of Honeynets and Honeypots" discusses issues in setting up and maintaining honeypots and honeynets, covers some of the honeynet data control and data capture requirements and touches on benefits from research honeypots in discovering attacks and attack patterns. [published in the ISSA "Password" magazine]
(01/17/2003) "Honeypot Essentials" The paper describes the honeypot technology and how it can be used. [published in the "Journal of Information Systems Security"]
(04/25/2003) "Days of the Honeynet: Attacks, Tools, Incidents" The paper covers some of the daily events happening in the honeynet - decoy network - run by the author [published at LinuxSecurity.com] Also featured on InfosecWriters.com
(07/24/2003) "Honeynets: High Value Security Data" The article covers the types of data collected from the honeynet and its value for security [published in the Elsevier Compsec Online portal]

Presentations describing my recent honeynet research and data analysis

Implementing the Honeypot

My honeynet tools

About the project

This honeynet is run by Dr. Anton Chuvakin, as a part of Honeynet Research Alliance. My PGP key can be found here.

Last modified: Wed May 25 11:59:50 Eastern Standard Time 2010