Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[Plumbercon/Ninjacon] CSN.OR.AT Community Sense Net – Honeypot+

CSN.OR.AT Community Sense Net – Honeypot+

Florian Eichelberger

Synopsis

Since Clifford Stoll created the first honeypots in 1989 to safely investigate attacks on computer systems, honeypots have been around. Although they have been refined and extended, fundamental problems in either attack coverage or visual representation have been plaguing those systems. CSN.OR.AT was an ISPA-funded project to address those two issues and provide the necessary information and software to build the honeypot+ discussed in this talk.

The project has since been renamed Honeypot++.

The project was started and sponsored by ISPA (Internet Service Providers Austria).

The project aims to be more user- and business-friendly than earlier honeypots by using open-source reporting engines to give a graphical representation of the collected information.

The infrastructure uses a VPN for all communication from the honeypot sensors back to a central station.

100% based on open-source software:

  • Amun Honeypot
  • Python
  • Debian
  • Snort IDS
  • SURFids (SURFnet IDS)

Includes an SMTP honeypot, written in Python. The honeypot's mail domain exists but is not published anywhere, so it has no legitimate senders and any incoming email is treated as malicious.

Many of the attacks seen are very outdated (e.g. Symantec buffer overflows). Most mails carry links to malicious web sites rather than the exploit itself, since exploits sent as email attachments are usually filtered.
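As an added illustration of how such an SMTP honeypot can be built (this is example code written for these notes, not the CSN project's own Python honeypot), the following handler accepts any sender and recipient, records the envelope, and extracts the two indicators the talk mentions: URLs in the mail body and the MD5 of each attachment, which is the hash the CSN search service accepts. The domain honeypot.example, the sample SMTP session and the mail it carries are constructed for the example; the class and function names are mine, not the project's.

```python
import hashlib
import re
from email import message_from_string

SAMPLE_DOMAIN = "honeypot.example"   # assumed sensor domain, not the real CSN one
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    """MD5 as used for sample lookup: an identifier for a file, not a security property."""
    return hashlib.md5(data).hexdigest()


class SmtpHoneypotSession:
    """Accepts one SMTP conversation line by line.

    The sensor domain has no real users, so the honeypot never rejects a sender
    or recipient: the aim is to make the client deliver the complete message so
    that its URLs and attachments can be recorded.
    """

    def __init__(self, domain: str = SAMPLE_DOMAIN):
        self.domain = domain
        self.messages = []          # one record per delivered message
        self._in_data = False
        self._lines = []
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from = None
        self.rcpt_to = []

    def banner(self) -> str:
        return f"220 {self.domain} ESMTP ready"

    def feed(self, line: str) -> str:
        """Consume one client line (CRLF already stripped) and return the reply."""
        if self._in_data:
            if line == ".":
                self._in_data = False
                self.messages.append(self._analyse("\n".join(self._lines)))
                self._lines = []
                self._reset_envelope()
                return "250 OK: queued"
            # RFC 5321 dot-stuffing: a leading ".." carries a literal "."
            self._lines.append(line[1:] if line.startswith("..") else line)
            return ""                # no reply while the body is being received
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.domain}"
        if verb == "MAIL":
            self.mail_from = arg.partition(":")[2].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT":
            self.rcpt_to.append(arg.partition(":")[2].strip().strip("<>"))
            return "250 OK"          # every recipient is accepted, see class docstring
        if verb == "DATA":
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset_envelope()
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"              # stay friendly to unknown verbs as well

    def _analyse(self, raw: str) -> dict:
        """Record the envelope, URLs in text parts and the MD5 of every attachment."""
        msg = message_from_string(raw)
        record = {"mail_from": self.mail_from, "rcpt_to": list(self.rcpt_to),
                  "subject": msg.get("Subject", ""), "urls": [], "attachments": []}
        for part in msg.walk():
            if part.is_multipart():
                continue
            payload = part.get_payload(decode=True) or b""
            filename = part.get_filename()
            if filename or part.get_content_maintype() != "text":
                record["attachments"].append(
                    {"filename": filename, "size": len(payload), "md5": md5_hex(payload)})
            else:
                text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
                record["urls"].extend(URL_RE.findall(text))
        return record


# Constructed sample session (not captured from a CSN sensor): a lure URL in the
# body plus a fake "invoice.exe" attachment whose content is base64 of b"MZ test".
SAMPLE_SESSION = [
    "EHLO mailer.attacker.example",
    "MAIL FROM:<bot@attacker.example>",
    "RCPT TO:<sales@honeypot.example>",
    "DATA",
    "From: bot@attacker.example", "To: sales@honeypot.example", "Subject: Invoice",
    "MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="XYZ"', "",
    "--XYZ", "Content-Type: text/plain", "",
    "Please update your account at http://evil.example/update.exe now",
    "--XYZ", 'Content-Type: application/octet-stream; name="invoice.exe"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="invoice.exe"', "",
    "TVogdGVzdA==", "--XYZ--", ".", "QUIT",
]


def run_sample() -> dict:
    """Replay the constructed session and return the record of the delivered mail."""
    session = SmtpHoneypotSession()
    for line in SAMPLE_SESSION:
        session.feed(line)
    return session.messages[0]


if __name__ == "__main__":
    print(run_sample())
```

Wiring the class to a listening socket on port 25 is the only part left out: each connection gets its own session, the banner is sent first, and every received line goes through feed(). The records can then be shipped over the sensor VPN and the attachment MD5s compared with the central database.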

Most attacks originate from:

  • China
  • Russia
  • Ukraine
  • Malta
  • Bulgaria
  • Austria
  • ….

Statistically, the top three malware detections seen are:

  • TR/Crypt.XPACK.Gen
  • TR/Dropper.Gen
  • WORM/RBot.147456.27

Most exploits target the old DCOM RPC, LSASS and ASN.1 flaws in Windows (MS03-026, MS04-011 and MS04-007). Microsoft patched these years ago, but they are still being exploited.

Statistics and top lists are provided in XML format on the project homepage.

Malware samples are available on request for research purposes.

Newly added service

http://search.csn.or.at

Provides a search by IP address or MD5 hash; more search types are coming.

  • MD5 search: checks a malware sample's MD5 against the CSN database of seen malware
  • IP search: checks whether attacks against the honeypots have been seen from that address

Future Outlook

  • More sensors
  • Integration of high interaction honeypots
  • Install a sensor and get the reports for free –> take part in the project
  • Possible interaction with DShield

Links:


  • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/57
  • Twitter – Florian Eichelberger –> http://twitter.com/florensik
  • Community Sense Net –> http://csn.or.at
  • Community Sense Net Search –> http://search.csn.or.at
  • Eurotrash MicroTRASH interview –> MP3
  • Amun Honeypot project –> http://amunhoney.sourceforge.net/
  • SURFids –> http://ids.surfnet.nl