Telescope

Network “telescope” objectives

The Network “telescope” is a set of honeypots on dedicated internet connections to capture malicious code.

It also provides network traces of the attacks (from NetFlow records to raw PCAP data) for data analysis.

Please contact us if you want to use them; access is possible for research purposes or through an industrial partnership.

Malicious code and binaries capture

  • Vulnerability emulation
    • Avoids compromise of the probes and propagation of the attacks
  • Malware capture, for study by the virology team
  • Sandboxes and AV used to analyse and identify the malware
  • Collection of all information regarding the attacks
    • Source IP, geographical location, server hosting the binary, preparation steps
  • Zero-day attack capture to define pro-active defenses

Network flows and traces capture

  • Capture of the attack traces in PCAP and NetFlow
  • Analysis of infection and propagation mechanisms
  • Objectives
    • Definition of pro-active perimeter defenses
    • Blocking the attacks at their source

Large-scale collection of malware and attack traces using low-interaction honeypots

Low interaction honeypots

25 instances deployed (around 100 in the very first version)

  • Dionaea
    • RPC/Netbios, HTTP, FTP/TFTP, SIP/VoIP, MSSQL
  • Amun
    • Vulnerabilities emulated via python plugins
  • Kippo
    • SSH brute-force always succeeds and gives access to a minimal fake shell
    • Sessions and brute-force attempts are logged
  • Leurrecom.org Honeypot project
    • Distributed honeypot project; we host 2 of its probes
  • Glastopf / Glaspot
    • WEB vulnerabilities
  • Snort
    • Intrusion detection on the whole SDSL /24 IP range
  • In the past
    • Nepenthes, the ancestor of Dionaea
    • Hali, an SSH honeypot similar to Kippo, in collaboration with the University of Luxembourg

Modern Honeypot Network – MHN

Centralized server and tools to manage honeypot networks

  • Deploy and aggregate honeypots
  • Designed for large and distributed honeypot networks
  • Data stored in MongoDB
  • Sensors log via HPFeeds
    • Lightweight authenticated publish-subscribe protocol
    • Supports arbitrary binary payloads
  • Data normalized via Mnemosyne
    • Immutable persistence for hpfeeds
    • Normalization of data to enable sensor agnostic analysis
    • Expose the normalized data through a RESTful API
  • Attacks stream visualized with Honeymap
    • Reads hpfeeds live stream
    • Displays GPS locations on an SVG world map

See http://threatstream.github.io/mhn/ for more details.
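The HPFeeds exchange described above (sensor authenticates to the broker, then publishes events on a channel), as an added example that is not part of this page and not code from the MHN or hpfeeds projects. It follows the publicly documented hpfeeds wire format as I understand it: a 4-byte big-endian total length, a 1-byte opcode, then fields where short strings carry a 1-byte length prefix; AUTH proves the sensor secret with sha1(nonce + secret). The broker name, sensor ident, secret, channel name and the JSON event are constructed sample values.

```python
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, Optional, Tuple

# hpfeeds opcodes (per the documented protocol; assumption, not from the page)
OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = 0, 1, 2, 3, 4


def _str8(s: bytes) -> bytes:
    """Length-prefixed short string (1-byte length, max 255 bytes)."""
    if len(s) > 255:
        raise ValueError("hpfeeds short strings are limited to 255 bytes")
    return bytes([len(s)]) + s


def _take_str8(buf: bytes) -> Tuple[bytes, bytes]:
    """Split one length-prefixed string off the front of buf."""
    n = buf[0]
    return buf[1:1 + n], buf[1 + n:]


def frame(opcode: int, body: bytes) -> bytes:
    """Wrap body in the hpfeeds header: total length (incl. header) + opcode."""
    return struct.pack("!IB", 5 + len(body), opcode) + body


def unframe(data: bytes) -> Tuple[int, bytes, bytes]:
    """Return (opcode, body, remaining bytes) for the first complete frame.
    Rejects truncated frames instead of reading past the buffer."""
    if len(data) < 5:
        raise ValueError("short header")
    length, opcode = struct.unpack("!IB", data[:5])
    if length < 5 or length > len(data):
        raise ValueError("bad or truncated frame length")
    return opcode, data[5:length], data[length:]


# ---- broker side ----------------------------------------------------------
def broker_info(broker_name: bytes, nonce: bytes) -> bytes:
    """INFO: broker announces its name and a fresh 4-byte nonce."""
    return frame(OP_INFO, _str8(broker_name) + nonce)


def broker_check_auth(auth_frame: bytes, nonce: bytes,
                      secrets: Dict[bytes, bytes]) -> Optional[bytes]:
    """Verify an AUTH frame; return the sensor ident on success, else None."""
    opcode, body, _ = unframe(auth_frame)
    if opcode != OP_AUTH:
        return None
    ident, digest = _take_str8(body)
    secret = secrets.get(ident)
    if secret is None or len(digest) != 20:
        return None
    expected = hashlib.sha1(nonce + secret).digest()
    # constant-time compare so a wrong secret is not detectable by timing
    return ident if hmac.compare_digest(expected, digest) else None


# ---- sensor side ----------------------------------------------------------
def sensor_auth(info_frame: bytes, ident: bytes, secret: bytes) -> bytes:
    """AUTH: sensor answers the broker nonce with sha1(nonce + secret)."""
    opcode, body, _ = unframe(info_frame)
    if opcode != OP_INFO:
        raise ValueError("expected INFO")
    _name, nonce = _take_str8(body)
    return frame(OP_AUTH, _str8(ident) + hashlib.sha1(nonce + secret).digest())


def sensor_publish(ident: bytes, channel: bytes, payload: bytes) -> bytes:
    """PUBLISH: ident, channel, then an arbitrary binary payload."""
    return frame(OP_PUBLISH, _str8(ident) + _str8(channel) + payload)


def parse_publish(pub_frame: bytes) -> Tuple[bytes, bytes, bytes]:
    """Broker-side decode of a PUBLISH frame into (ident, channel, payload)."""
    opcode, body, _ = unframe(pub_frame)
    if opcode != OP_PUBLISH:
        raise ValueError("expected PUBLISH")
    ident, rest = _take_str8(body)
    channel, payload = _take_str8(rest)
    return ident, channel, payload


def demo() -> dict:
    """Run the full INFO -> AUTH -> PUBLISH exchange with constructed values."""
    secrets = {b"sensor-42": b"s3cr3t"}          # constructed sensor credential
    nonce = os.urandom(4)
    info = broker_info(b"mhn-broker", nonce)
    good = broker_check_auth(sensor_auth(info, b"sensor-42", b"s3cr3t"), nonce, secrets)
    bad = broker_check_auth(sensor_auth(info, b"sensor-42", b"wrong"), nonce, secrets)
    event = {"src_ip": "203.0.113.7", "dst_port": 445, "honeypot": "dionaea"}  # constructed
    pub = sensor_publish(b"sensor-42", b"dionaea.connections", json.dumps(event).encode())
    _ident, chan, payload = parse_publish(pub)
    return {"auth_ok": good, "auth_bad": bad, "channel": chan, "event": json.loads(payload)}


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing in the exchange: the sensor never sends its secret, only a digest bound to the broker's nonce, so a captured AUTH frame cannot be replayed against a fresh nonce; but the PUBLISH payload itself travels in clear, so the sensor-to-broker link should run over a trusted network or a tunnel when sensors sit on exposed connections such as the telescope's.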


Some values

Total

Statistics from 09-09-2008 to 21-12-2014

  • Total number of attacks: 910703870
  • Number of possible attacks: 536501702
  • Number of malicious attacks: 374202168
  • Number of malware samples offered: 249291391
  • Number of malware samples downloaded: 39893927

Number of attacks per day (MHN dashboard chart)

Map of real-time attacks (MHN Honeymap)