Archive for December, 2012

UK Honeynet Project Chapter Annual Status Report For 2011/2012

Tuesday, December 4th, 2012

As part of membership requirements, each year, all chapters of the Honeynet Project must post annual reports that detail what their chapter members have been working on during that period. The reporting period got a bit mixed up recently, so this is the UK Chapter’s annual report for both 2011 and 2012. You can find the status reports for other Chapters on the main Honeynet Project website.


Current UK Chapter members are:

David Watson – Full member, Chapter Lead, Honeynet Project Chief Research Officer
Arthur Clune – Full member
Jamie Riden – Full member
Steve Mumford – Alumni member

As you may have noticed from the lack of recent updates to our UK Chapter blog, during this period our members have either mostly been involved in activities under the core Honeynet Project, rather than UK-specific chapter activities, or have been busy with personal/professional lives so have had limited time to contribute here. That has unfortunately reduced public facing UK Chapter activity to lowest point in many years.

We have had a number of membership inquiries during this period, and potentially could increase our chapter membership, but to be honest, we have avoided bringing in new UK Chapter members whilst UK activity levels were low and no-one had the time to adequately support new members. Hopefully that situation will improve in 2013 and we’ll see increased UK Chapter output once again.


During this period we have had a mix of honeynet technologies deployed. Some have been part of long term data collection efforts, whilst others have been shorter term deployments – often for testing of new tools.

Long term deployments:

1) [David] Our version 1 HonEeeBox pre-packaged (Nepenthes) low interaction sensor project was active at the start of this reporting period, but has since switched over to the version 2 HonEeeBox system. Although the version 1 system is no longer being maintained, Just for reference purposes, two of the original HonEeeBox v1 sensors are still running and the total amount of data collected to date by the old system is:

Sensors: 43

Total Attacks: 2,401,582

Total Attacker IPs: 36,632

Total Victim IPs: 214

Total MD5sums: 4,665

Total malicious binary size: 559 Mbytes

2) [David] Like the v1 Nepenthes based HonEeeBoxes, the first releases of the Dionaea powered HonEeeBox v2 system still initially submitted data to a submit_http backend, which was developed during GSoC 2011. We have run a honey cloud hosted instance of that old backend, plus a couple of sensors for most of this period. The data has only been retained for historical purposes.

3) [David] Later v2 Dionaea based HonEeeBoxes were HPFeeds-enabled, and we have been submitting data to the Honeynet Project’s shared HPFeeds system from multiple physical and virtual sensors since it went live. These are a mix of Asus EeePC based physical HonEeeBoxes on domestic ADSL/FTTC lines, or cloud provider hosted VM instances. Current rough volumes of Dionaea events captured through HPFeedsvto date are:

Sensors: 44

Total Attacks: 14,552,708

Total Attacker IPs: 300,451

Total Victim IPs: 2,410

Total MD5sums: 7,865

Total malicious binary size: 2.6 Gbytes

Data and binary samples collected from each of the above systems were shared with the Shadowserver Foundation and VirusTotal, for automated AV and sandbox analysis, and hopefully eventual remediation of infected hosts. Enriched data has has also been logged locally in an instance of the GSoC 2012 HonEeeBox backend project, that we hope to continue developing with the student Gyoergy in 2013. Longer term we hope to be able to expand the number of sensors to 100+ and release public visualizations of these attacks.

4) Jamie has recently deployed a couple of local HPFeeds-enabled Dionaea sensors too, which are also feeding the main Honeynet Project shared HPFeeds instance.

5) During the start of this period David was still running a legacy Global Distributed Honeynet (GDH2) high interaction sensor node on a domestic DSL connection (since disabled). That included a Honeywall plus a mix of low and high interaction honeypots, mostly on Linux.

6) At points during this period, David ran a mix of Capture-HPC high interaction client honeypots, HoneySpiderNetwork low/high interaction client honeypots, and PhoneyC and Thug low interaction client honeypots.

7) David has helped provide the infrastructure used by other Project members in various botnet related studies and takedown activities. More information about these activities will hopefully eventually be made public.


During this period we built or worked on the following tools:

1) [David] HonEeeBox pre-packaged low interaction honeypot sensor system and associated back/front ends. We hope to continue this development work in 2013, increasing the number of sensors, adding low interaction SSH honeypot capabilities through Kippo, adding options for centralized monitoring and management, and perhaps including proxy/client honeypot elements too.

2) David and Arthur were mentors for GSoC 2011/2012 on HonEeeBox backend and front end development, which we also hope to continue in the future, eventually releasing a public Django/JS based user interface to replace the previous private ExtJS based HonEeeBox v1 prototype interface.

3) Minor support for our Honeysnap tool, when end user requests or bug reports were received.

4) We have tried to provide suggestions for improving some existing tolls or adding new features to new projects, such as the excellent Cuckoo Sandbox or aging Honeywall system.

For our current R&D activities:

1) David built a number of data visualization tools based on, but didn’t get around to publicly releasing them. He very much hopes to rectify this failing in 2013 😉

2) Arthur is currently working on a pastebin scraping system, which will hopefully generate some interesting data for future analysis.

3) David has recently been working on spam pots with CERT.BR and the Shadowserver Foundation, which will become part of a larger scale distributed honeypot effort in 2013.

4) David has some ideas for next generation honeynet data capture systems and is currently exploring them. Will eventually share concepts and prototypes with members then the public at a suitable point.

5) Earlier in 2012 David ported the HonEeeBox system to the Raspberry Pi platform, to potentially provide another very low cost means of potentially distributing low interaction honeypot sensor systems. He will attempt to blog this information and release a disk image here in the next few days. Apologies to anyone waiting to use it for the delay! 😉

In general, we are still interested in large scale distributed honeynet sensor deployments and the tools necessary to store/manage/automate/visualize collected data. We would also like to see the ongoing development of high interaction honeypot technologies, or next generation alternatives for gathering such data. We’d like to continue to collaborate with anyone interested in the same goals, and to perhaps also run some more UK-focused future activities too.


Unfortunately nothing to be shared with the public at this time except the observation that running public internet facing low interaction honeypots to detect network spreading malware generally only results in a lot of Conficker samples!


Since last chapter status report, recent speaking engagements for David were:

September 2010 – Hands-on honeynet training classes for CNCERT/CC and FIRST TC, Beijing CN
September 2010 – Whats New In Honeynets presentation CNCERT/CC and FIRST TC, Beijing CN
November 2010GovCERT.NL security symposium, Rotterdam NL
December 2010 – 2 weeks of teaching hands-on honeynet classes, giving presentations, attending meetings, etc in Tokyo for NTT CERT, NTT, Hitachi, Nippon CSIRT Association (NCA), SECOND group, JP CERT, various national ISPs, etc.
January 2011 – BBC NewsNight Cyber Attacks
March 2011Honeynet Project annual workshop Paris FR. Public R&D overview presentation, private P1 research, GSoC, HonEeeBox and Shadowserver presentations/sessions.
March 2011 – October 2011 – Organisational administrator for Honeynet Project Google Summer of Code 2011 and student project mentor.
June 2011 –  CERT.EE Security Symposium, Tallin, EE.
October 2011 –  Google Summer of Code Mentor’s Summit, Google CA.
February 2012 –  Shadowserver Foundation annual workshop, San Jose, CA. Presentation on Honeynet R&D and GSoC.
March 2012Honeynet Project annual workshop Facebook, CA. Public hands-on honeynet training class, public R&D overview presentation, private P1 research, GSoC and HonEeeBox presentations/sessions.
March 2012 – October 2012 – Organisational administrator for Honeynet Project Google Summer of Code 2012 and student project mentor
June 2012 –   CERT.EE Security Symposium, Tallinn, EE. Presentation on recent honeynet R&D.
September 2012 – conference at Interpol, Lyon, FR.
October 2012 –  Google Summer of Code Mentor’s Summit, Google CA.

David will be teaching a 2 days hands-on honeynets class at the Honeynet Project’s next annual workshop in Dubai (which should be another great international event if you are interested in the cutting edge of honeynet R&D, so please check it out!), along with hopefully leading discussions again during private workshop events on honeynet R&D, GSoC and HonEeeBox, amongst others.

UK Chapter members have also attended UK-specific industry events such as Infosec UK and JANET meetings. Jamie presented at OWASP Birmingham in September and OWASP Edinburgh in November.

We continue to be active on both internal and external IRC and email, although UK-specific blogging activity has been poor. Chapter members have been involved in various Honeynet Project committee mailing lists, such as annual workshop organization, membership committee and infrastructure support. Members also individually participate in various other open or closed info-sec vetted communities too.


Since most activity by UK Chapter members was general Honeynet Project activity, we would like to continue to remain active members but also try to increase UK-specific activity.

We would like to see the recent GSoC work on HonEeeBox sensor back/front ends result in a public UI release.

We would like to release some interesting visualisations of existing data sets, then try and engage the wider infosec and data visualisation communities on how best to improve them. We may try and run a series of public Data Visualisation challenges in 2013.


Other activities that our Chapter members have been involved in during this period:

David was a Director of the Honeynet Project in 2011 and remains the Chief Research Officer (CRO). Involvement with various fund raising efforts and proposals (some under NDA), some of which resulted in additional financial support for the Honeynet Project‘s annual workshops in 2012 and 2013, and some of which are ongoing.

David collaborated on a EPSRC network proposal with Queens University Belfast Information Security Centre.


David was a GSoC student project mentor in 2011 and 2012 (and GSoC Org admin), Jamie was a student project mentor in 2010 and 2012. Arthur was a GSoC student project mentor in 2012 and helped with student selection in 2011.