Network "telescope" objectives
The network "telescope" is a set of honeypots on dedicated Internet connections that capture malicious code.
It also provides network traces of the attacks (from NetFlow records to raw PCAP data) for analysis.
Please contact us if you want to use them: access can be arranged for research purposes or an industrial partnership.
Malicious code and binary capture
- Emulation of vulnerable services
- Prevent the probes from being compromised and from propagating attacks
- Capture of malware samples for study by the virology team
- Sandboxes and antivirus engines used to analyse and identify the malware
- Collection of all information about each attack
- Source IP, geographical location, server hosting the binary, preparatory activity
- Capture of zero-day attacks in order to define pro-active defenses
Network flow and trace capture
- Capture of attack traces in PCAP and NetFlow formats
- Analysis of infection and propagation mechanisms
- Objective
- Definition of pro-active perimeter defenses
- Block the attacks at their source
Large-scale collection of malware and attack traces using low-interaction honeypots
Low-interaction honeypots
25 instances deployed (around 100 in the very first version)
- Dionaea
- RPC/Netbios, HTTP, FTP/TFTP, SIP/VoIP, MSSQL
- Amun
- Vulnerabilities emulated via Python plugins
- Kippo
- SSH brute-force always eventually succeeds and gives the attacker access to a minimal emulated shell
- Sessions and brute-force attempts are logged
- Leurrecom.org honeypot project
- Distributed honeypot project; we host 2 probes
- Glastopf / Glaspot
- Web application vulnerabilities
- Snort
- Intrusion detection on the whole SDSL /24 IP range
- In the past
- Nepenthes, the ancestor of Dionaea
- Hali, an SSH honeypot similar to Kippo, developed in collaboration with the University of Luxembourg
Modern Honeypot Network – MHN
Centralized server and tools to manage honeypot networks
- Deploy and aggregate honeypots
- Designed for large and distributed honeypot networks
- Data stored in MongoDB
- Sensors log via HPFeeds
- Lightweight authenticated publish-subscribe protocol (the client authenticates with a SHA-1 of a broker nonce and a shared secret)
- Supports arbitrary binary payloads
- Data normalized via Mnemosyne
- Immutable persistence for hpfeeds
- Normalization of data to enable sensor agnostic analysis
- Expose the normalized data through a RESTful API
- Attacks stream visualized with Honeymap
- Reads hpfeeds live stream
- Displays GPS locations on a SVG world map
See http://threatstream.github.io/mhn/ for more details.
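As an added example, not code from MHN, hpfeeds or Mnemosyne, the following Python simulates the sensor-to-broker path described above: the hpfeeds wire framing (4-byte big-endian total length, 1-byte opcode, length-prefixed strings), the INFO/AUTH handshake with SHA-1 over the broker nonce and the shared secret, a PUBLISH of a Dionaea capture event, and a Mnemosyne-style normalisation of that event into a sensor-agnostic record. The sensor identity, secret, nonce, the simplified normalised schema and the sample event are all constructed for this example; the message layout follows the reference hpfeeds client.

```python
"""Simulated hpfeeds exchange and normalisation (added example, in memory only)."""
import hashlib
import hmac
import json
import struct

# hpfeeds opcodes, in wire order
OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = range(5)


def strpack8(s: bytes) -> bytes:
    """Length-prefix a short string (max 255 bytes), as hpfeeds does."""
    if len(s) > 255:
        raise ValueError("string too long for 1-byte length prefix")
    return bytes([len(s)]) + s


def strunpack8(buf: bytes) -> tuple:
    """Split one length-prefixed string off the front; return (string, rest)."""
    n = buf[0]
    return buf[1:1 + n], buf[1 + n:]


def msghdr(op: int, data: bytes) -> bytes:
    """Frame = total length (incl. these 4 bytes) | opcode | body."""
    return struct.pack("!IB", 5 + len(data), op) + data


def msginfo(name: bytes, rand: bytes) -> bytes:        # broker -> client
    return msghdr(OP_INFO, strpack8(name) + rand)


def msgauth(rand: bytes, ident: bytes, secret: bytes) -> bytes:  # client -> broker
    return msghdr(OP_AUTH, strpack8(ident) + hashlib.sha1(rand + secret).digest())


def msgpublish(ident: bytes, chan: bytes, payload: bytes) -> bytes:
    return msghdr(OP_PUBLISH, strpack8(ident) + strpack8(chan) + payload)


def parse_message(buf: bytes) -> tuple:
    """Return (opcode, body, remaining bytes) for the first complete frame in buf."""
    if len(buf) < 5:
        raise ValueError("short frame")
    length, op = struct.unpack("!IB", buf[:5])
    if length < 5 or len(buf) < length:
        raise ValueError("truncated or malformed frame")
    return op, buf[5:length], buf[length:]


def broker_check_auth(body: bytes, rand: bytes, secrets: dict) -> bool:
    """Broker side: recompute SHA1(rand || secret) for the claimed ident and compare."""
    ident, digest = strunpack8(body)
    if ident not in secrets or len(digest) != 20:
        return False
    expected = hashlib.sha1(rand + secrets[ident]).digest()
    return hmac.compare_digest(digest, expected)


# Constructed sample event on the dionaea.capture channel (hashes of an empty file as placeholders).
SAMPLE_CAPTURE = json.dumps({
    "url": "http://203.0.113.7:8080/x.exe",
    "saddr": "198.51.100.23", "sport": "49152",
    "daddr": "192.0.2.10", "dport": "445",
    "md5": hashlib.md5(b"").hexdigest(),
    "sha512": hashlib.sha512(b"").hexdigest(),
}).encode()


def normalize_dionaea_capture(sensor: bytes, payload: bytes) -> dict:
    """Map a Dionaea capture event onto a simplified, sensor-agnostic record (assumed schema)."""
    ev = json.loads(payload)
    return {
        "honeypot": "dionaea", "sensor": sensor.decode(),
        "source_ip": ev["saddr"], "source_port": int(ev["sport"]),
        "destination_ip": ev["daddr"], "destination_port": int(ev["dport"]),
        "url": ev["url"], "md5": ev["md5"], "sha512": ev["sha512"],
    }


def run_exchange(ident=b"sensor-01", secret=b"example-secret", rand=b"\x01\x02\x03\x04") -> dict:
    """Broker <-> sensor round trip. A real broker draws rand from os.urandom(4)."""
    secrets = {ident: secret}                      # broker's credential table (constructed)
    op, body, _ = parse_message(msginfo(b"mhn", rand))        # 1. INFO from broker
    _name, rand_seen = strunpack8(body)
    op, body, _ = parse_message(msgauth(rand_seen[:4], ident, secret))  # 2. AUTH from sensor
    ok = broker_check_auth(body, rand, secrets)
    op, body, rest = parse_message(msgpublish(ident, b"dionaea.capture", SAMPLE_CAPTURE))  # 3. PUBLISH
    sender, body = strunpack8(body)
    chan, payload = strunpack8(body)
    normalized = normalize_dionaea_capture(sender, payload) if ok else None  # only accepted after AUTH
    return {"authenticated": ok, "channel": chan.decode(), "normalized": normalized, "trailing": rest}


if __name__ == "__main__":
    print(json.dumps(run_exchange(), indent=2))
```

The length field makes stream parsing straightforward (parse_message hands back the unconsumed tail so several frames on one TCP segment can be split), and the broker compares digests in constant time. Note that the original hpfeeds protocol authenticates but does not encrypt: sensor traffic to the broker crosses the network in clear, so the feed should run over a trusted network or a tunnel.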
Some figures
Total
Statistics from 09-09-2008 to 21-12-2014
- Total number of attacks: 910,703,870 (possible + malicious)
- Number of possible attacks: 536,501,702
- Number of malicious attacks: 374,202,168
- Number of malware samples offered: 249,291,391
- Number of malware samples downloaded: 39,893,927
Figure: number of attacks per day (chart not reproduced)
Figure: map of attacks in real time (map not reproduced)