Tailored Cyber Security.

Honeypot Update

My honeynet has expanded!

I have just recently acquired a few more virtual servers out there. Now that I have different types of honeypots in the wild, I thought that it might be a good time to describe them to you. In summary, I have a dionaea, p0f, amun, and glastopf honeypot out there. None of that should make sense by the way.

First, dionaea. That link goes to their homepage. Go there if you want real details about how it works and what it is. Its main purpose is to respond properly to exploit attempts so that the attacker sends the payload. A payload is simply the piece of malware the attacker is trying to use to infect the system. Essentially, it’s the goodies. Once the payload is sent, dionaea will download a copy of it. Finally, it will close the connection, thus crippling the attack.

Second, p0f. Wikipedia coming through with a great description of p0f. This is a slightly different idea for a honeypot. p0f is a passive OS fingerprinting service. That means that it just listens to everything that the computer communicates with. In this case, when an attack comes in, it will fingerprint what type of computer is attacking. This way we can start to piece together what type of systems the enemy uses.
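As an added illustration (not code from the original post or from the p0f project), the sketch below tallies which operating systems p0f guessed for each source address that touched a honeypot. It assumes p0f version 3 writing its log file with `-o`; the function names and the sample log lines are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the p0f v3 log layout (assumed version); RFC 5737 addresses.
SAMPLE_LOG = """\
[2024/01/01 10:15:01] mod=syn|cli=198.51.100.7/40112|srv=192.0.2.10/445|subj=cli|os=Windows XP|dist=12|params=none|raw_sig=4:116+12:0:1460:65535,0:mss,nop,nop,sok:df,id+:0
[2024/01/01 10:15:01] mod=mtu|cli=198.51.100.7/40112|srv=192.0.2.10/445|subj=cli|link=Ethernet or modem|raw_mtu=1500
[2024/01/01 10:15:09] mod=syn|cli=198.51.100.7/40113|srv=192.0.2.10/445|subj=cli|os=Windows XP|dist=12|params=none|raw_sig=4:116+12:0:1460:65535,0:mss,nop,nop,sok:df,id+:0
[2024/01/01 10:16:40] mod=syn|cli=203.0.113.55/51820|srv=192.0.2.10/80|subj=cli|os=Linux 2.6.x|dist=9|params=none|raw_sig=4:55+9:0:1460:mss*4,7:mss,sok,ts,nop,ws:df,id+:0
[2024/01/01 10:16:41] mod=syn+ack|cli=203.0.113.55/51820|srv=192.0.2.10/80|subj=srv|os=Linux 3.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*10,7:mss,sok,ts,nop,ws:df:0
[2024/01/01 10:17:02] mod=syn|cli=203.0.113.90/33001|srv=192.0.2.10/80|subj=cli|os=???|dist=20|params=none|raw_sig=4:44+20:0:1400:8192,0:mss:df:0
truncated line without fields
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<fields>.+)$")


def parse_line(line):
    """Return the key=value fields of one p0f log line as a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m.group("fields").split("|") if "=" in p)
    fields["ts"] = m.group("ts")
    return fields


def attacker_os_summary(log_text):
    """Map each client IP to a Counter of OS guesses taken from its own SYNs."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Keep only SYN records about the client; subj=srv describes the honeypot itself.
        if not rec or rec.get("mod") != "syn" or rec.get("subj") != "cli" or "cli" not in rec:
            continue
        ip = rec["cli"].rsplit("/", 1)[0]  # strip the source port
        per_ip[ip][rec.get("os", "???")] += 1
    return per_ip


def os_totals(per_ip):
    """Count distinct source IPs per most frequent OS guess ('???' = no match)."""
    return Counter(c.most_common(1)[0][0] for c in per_ip.values())


if __name__ == "__main__":
    for os_name, n in os_totals(attacker_os_summary(SAMPLE_LOG)).most_common():
        print(f"{n:3d} source(s)  {os_name}")
```

Counting distinct sources rather than raw packets keeps one noisy scanner from dominating the picture.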

Third, amun. Again that link goes to their homepage. It doesn’t go terribly deep into exactly what amun does, focusing instead on what the developer has been working on. So, what it does is capture malware that’s automatically spreading across the internet. This means that there isn’t really an attacker. You could get the malware from me, but that doesn’t mean I attacked you. This is a small but important detail.

Fourth, glastopf. This is similar to dionaea in a way. Glastopf sets up a vulnerable Python-based web server. It will then properly respond to attacks on any of the thousands of fake vulnerabilities to gather data. This is focused only on web-based attacks.

With the four of these working together we should get a pretty well-rounded view of the wild. The next step is to start duplicating these around the world.
