Since 2008 this project is no longer maintained.
These pages are still online for historical reasons. Use the
information in these pages just for reference of past work developed
while the project was still running.
Status Report: May 2006 -- April 2007
Misc Activities |
Lessons Learned |
Future Goals |
Previous Reports |
Current honeynet deployed
Currently we have one honeynet deployed with a topology comprised of:
- One administrative network comprised of three machines: one
operating in bridge-mode running pf and capturing all incoming
and outgoing traffic; one capturing all the traffic in the
Honeynet; and a machine dedicated to forensics.
- The honeynet itself, composed of several machines running
different operating systems and services. The following i386
systems were deployed in our honeynet in the past months:
- 1 Windows 2000 Pro (pt-BR)
- 1 Windows XP Professional (en)
- 1 Windows XP Professional (pt-BR)
- 2 Linux Slackware 11.0
Current Status of the Brazilian Honeypots Alliance -- Distributed
The Honeynet.BR team has been deeply involved in the maintenance and
expansion of the Brazilian Honeypots
Alliance -- a network comprised of distributed low-interaction
honeypots (Honeyd), deployed in academic, commercial, governmental and
The objective of this project is to increase the capacity of incident
detection, event correlation and trend analysis in the Brazilian
Since last April 2006 several new partner institutions joined the
- PoP-PR -- Paraná State
Point of Presence of the Brazilian Research Network;
- UFPA -- Federal University of
- UOL -- Universo OnLine
- PUCPR -- Paraná Catholic
- Unisinos -- University of
Vale do Rio dos Sinos;
Currently we have 36 partner institutions in the project, and new
prospective ones are in the final phase of deployment.
New Project: SpamPots
The SpamPots Project objective is to measure the abuse of end-user
machines to send spam. This project is conducted by CERT.br and sponsored by NIC.br, the executive branch of the Brazilian Internet Steering Committee.
In this project we are using 10 low-interaction honeypots, placed in 5
different broadband/cable providers, to collect data about the use of
home computers with broadband connectivity as part of the spam
infrastructure. The architecture of the project, as well as
preliminary data that have already been collected and analyzed, will
be released publicly on two presentations in May 2007:
- AusCERT Asia Pacific Information Technology Security Conference,
May 23, 2007, Gold Coast, Australia.
- LACNIC X Network Security Forum, May 23, 2007, Isla Margarita,
As part of this project we are working on better ways to collect and
correlate data seen in different networks and, together with a
Brazilian Federal University, developing new data mining algorithms to
Number and type of systems compromised
We had 3 machines compromised:
- 1 Windows 2000 Pro (pt-BR)
- Compromised by an attack similar to the one performed by
- 2 Linux Slackware 11.0
- Compromised by SSH brute force
Trends seen in the past months
In the past few months we have seen that the number of brute force
attacks against SSH servers have remained steady, as weel as bot
activities. Scanning for Open Proxies (SOCKS) was really high on the
low-interaction honeypots of the Brazilian Honeypots Alliance.
Daily and weekly statistics are publicly available at our website:
The Slackware High-interaction Honeypots have been compromised by SSH
brute force attacks (dictonary has been gathered). The Windows 2000
has been compromised by a vulnerability similiar to that exploited by
the Sasser worm.
The intruders have installed IRC clients on the Windows 2000 and in
one of the Linux compromised honeypots. After compromised, both
honeypots joined a botnet.
As soon as we redeployed the honeypots, the attackers quickly
installed their botclient on them, the same way they did the first
Presenting at conferences and giving workshops
- Honeypots Workshop, presented at Q-CERT, Doha, Qatar,
Cristine Hoepers and Klaus Steding-Jessen, April, 2007.
This was a 2-day hands-on workshop with 14 attendees from the
Middle East region. The attendees were from the Qatar Telecom,
CISCO Qatar and Q-CERT, the National CERT for Qatar, that is
also fostering the creation of other CSIRTs in the region, and
plan to start deployment of honeypots soon.
- The Brazilian Honeypots Alliance, presented at FIRST
Technical Colloquium, Doha, Qatar, Cristine Hoepers and Klaus
Steding-Jessen, April, 2007.
- Distributed Honeypots Network Implementation based on
OpenBSD and Free Software Tools, presented at
fisl8.0 -- 8th International Free Software Forum, Porto
Alegre, Brazil, Marcelo H. P. C. Chaves, April, 2007.
[PDF presentation ]
- Honeypots as a Tool to Improve Incident Response Readiness
at USP, presented at Educause Security Professionals
Conference, Denver, Alberto Camili and Isabel Chagas April,
- The Brazilian Honeypots Alliance, presented at RIPE 53,
Amsterdam, Netherlands, Marcelo H. P. C. Chaves, October, 2006.
- Distributed Honeypots Project: How It's Being Useful for
CERT.br, presented at the Collaboration Meeting for CSIRTs
with National Responsibility, Pittsburgh, PA, Cristine Hoepers
and Klaus Steding-Jessen, July, 2006.
- Implementação de uma Rede de Honeypots Distribuídos
Utilizando OpenBSD e Ferramentas de Software Livre, Marcelo
H. P. C. Chaves, fisl8.0 -- 8° Fórum Internacional
Software Livre, Porto Alegre, Abril de 2007.
[PDF presentation ]
Tools under development
- Still working on improvements in the public statistics. The
current public statistics are generated from flows of malicious
activity from 24 hour period. We are currently working on the
generation of new public statistics, from shorter periods and
more detailed information about ports and trends observed.
The work is progressing slower that planned because we need to
overcome difficulties regarding partners honeypots bandwidth
and disk space limitation, among others.
- The work on our Honeyd listener to emulate the SOCKS 4/5
protocol to be used as a spamtrap has evolved a lot during this
period of testing in the SpamPots Project. As soon as it is
ready for release it will be posted on the website
- We have developed a graphic visualization tool for all events
monitored on the honeynet throught a timeline diagram. The
analyst can interact with the diagram by a web interface
refining data for analysis.
- A type of honeyclient has been developed to harvest malicious
binaries. Using this system we merged previous malware
gathered through compromised honeypot forensics to new
malware actively gathered by the honeyclient, producing a
repository with thousands of binaries.
- Botnets protocol identification and study methods have been
developed and will be published soon.
- Data usage in Incident Handling
The data collected in these honeypots are being used by CERT.br to notify network
administrators whose networks are involved in malicious
- We have been using and testing Honeymole and Honeywall
according to our needs.
Most of the activities are continuously being conducted by automated
bots/worms or spammers looking for open proxies.
In the next months we intend to focus the work in these tasks:
- Improve the statistics of the Brazilian Honeypots Alliance --
Distributed Honeypots Project;
- Continuously expand the network of
distributed honeypots, gathering new partners and covering
a larger portion of the Brazilian Internet address space;
- Considering joining the GDH initiative in the next 6 months;
- Publish a report about the findings of the SpamPots Project.
| Previous Reports |