
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2017-08-03



Using a Raspberry Pi honeypot to contribute data to DShield/ISC

Published: 2017-08-03
Last Updated: 2017-08-03 14:06:22 UTC
by Johannes Ullrich (Version: 1)
13 comment(s)

We have been working for a while now on a honeypot based on a Raspberry Pi. Thanks to our volunteers, we now have a version of the honeypot that provides us not just with the firewall data we usually collect, but also with data about telnet/SSH and web attacks. Traditionally, we have focused on firewall logs, and we will, of course, continue to collect them. But it has become more difficult to collect logs from many consumer-level firewalls. The Raspberry Pi based system will allow us to maintain one code base that makes it easier to collect rich logs beyond firewall logs.

To participate, you will need a Raspberry Pi that is exposed to Internet traffic. You can do so either by connecting it directly to your cable/DSL modem or by exposing it to Internet traffic through your firewall. It is important that the device receives more or less unfiltered traffic (it is OK if a couple of ports are blocked or used by other services). The Raspberry Pi should be dedicated to its task as a honeypot.

We have tested the system with a Raspberry Pi 2 and 3. It works best with the wired network interface, but a WiFi connection should work as well.

To install the honeypot, it is best to follow the instructions in our GitHub repository for the project: https://github.com/DShield-ISC/dshield

The short version of the instructions:

  1. Set up an account here to submit your reports.
  2. Install the base Raspbian OS (the Lite version will do).
  3. Install "git" (sudo apt install git).
  4. Clone the repository (git clone https://github.com/DShield-ISC/dshield.git).
  5. Run the install script.

But please see the full instructions for additional details.

What do you get out of it?

First of all, you are contributing to an awesome project that has been measuring the Internet's "background radiation" for about 16 years now. Our data is regularly used by researchers to improve defensive recommendations and to validate and observe trends in attack patterns. All of our data is made available for free under a Creative Commons license.

Secondly, you will be able to review summaries of your data via this site. Your data will be linked to IP address reports and summaries of data submitted by others.

In talking to people interested in submitting in the past, I often hear the following arguments against it, which I call my "top myths not to submit data":

  • My data isn't all that interesting
    Absolutely right. Your data, by itself, isn't all that interesting. But it becomes interesting once we can correlate it with data from other users. What we are looking for is "average home users," small businesses and just about anybody connected to the internet. We are not trying to find the next APT. Instead, we are looking for the next worm or bot scanning the internet for a new vulnerability, which may not even be a zero day.
  • My employer will not allow me to submit data
    No need to submit data from work. Your home connection will work just fine (see above).
  • It is hard to submit data
    I hope we make this easier using this Raspberry Pi honeypot. It shouldn't take much "care and feeding." Maybe an update once a month with new software.

We try our best to make this honeypot secure. We use software like Cowrie and some additional Python scripts to emulate services. We would rather allow the honeypot to be fingerprinted as a honeypot than have it exploited.
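As an added example (not part of this diary or of the DShield project's own code), here is a small Python summary of the kind the site builds from submitted honeypot data, run over constructed log lines written in the style of Cowrie's JSON log; the field names are assumed from Cowrie's JSON output, and the addresses and credentials are made up:

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines in the style of Cowrie's JSON log. Field names
# (eventid, src_ip, session, username, password, timestamp) are assumed from
# Cowrie's output; the addresses and credentials are made up.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","session":"a1","timestamp":"2017-08-03T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","session":"a1","username":"root","password":"123456","timestamp":"2017-08-03T10:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","session":"a1","username":"admin","password":"admin","timestamp":"2017-08-03T10:00:02Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.5","session":"a1","username":"root","password":"password","timestamp":"2017-08-03T10:00:03Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"b2","timestamp":"2017-08-03T10:05:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"b2","username":"admin","password":"admin","timestamp":"2017-08-03T10:05:01Z"}
this line is not JSON and must be skipped, not crash the summary
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

def parse_events(text):
    """Yield parsed events; silently skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:  # json.JSONDecodeError is a ValueError
            continue
        if isinstance(event, dict) and "eventid" in event:
            yield event

def summarize_logins(text):
    """Per-source counts of login attempts, accepted logins and credentials tried."""
    per_source = defaultdict(lambda: {"attempts": 0, "successes": 0, "creds": Counter()})
    for ev in parse_events(text):
        if ev["eventid"] not in LOGIN_EVENTS:
            continue
        entry = per_source[ev.get("src_ip", "unknown")]
        entry["attempts"] += 1
        if ev["eventid"] == "cowrie.login.success":
            entry["successes"] += 1
        entry["creds"][(ev.get("username", ""), ev.get("password", ""))] += 1
    return per_source

def top_credentials(summary, n=3):
    """Most frequently tried username/password pairs across all sources."""
    total = Counter()
    for entry in summary.values():
        total.update(entry["creds"])
    return total.most_common(n)
```

Pointing `summarize_logins` at a real Cowrie JSON log file (read as text) gives the per-IP view that the site's IP address reports aggregate across many sensors.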

If you do, however, find any bugs (security or functional), please submit a report via GitHub (https://github.com/DShield-ISC/dshield/issues).

We are in the process of making the same code work in an Ubuntu virtual machine. For those who already have a local virtual machine setup, this may be an easier way to deploy these honeypots.

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
