Honeypot as a Service
> haas.nic.cz: You install and run the HaaS proxy application, downloadable from our website
Said website is a GitLab repo without a release artifact in sight, so I guess “downloadable” means you can download the source code, compile it yourself, and figure out how to set it up on your own.
Sure makes it easy to join...
This is great, but why not join forces with Project Honeypot? https://www.projecthoneypot.org/
If a honeypot is widely used, won't scammers just detect the honeypot, or even just detect latency from their connection being proxied elsewhere?
You are giving these script kiddies far too much credit.
The authors of the tools they use may try to implement honeypot detection, but that's a fruitless cat & mouse game, and to what end?
Assuming "honeypot" based on latency is a fool's errand because many legitimate things can induce latency.
Targeted attacks will eventually figure out the honeypot, though may trip over it a bit and create some noise. Hopefully this causes someone to look at the attacker. This can also be useful forensic data to provide to the authorities.
Bots doing initial discovery won't figure it out. I have the same bots trying to log into my SFTP server today that have been trying for years. It's not even a honeypot. I literally create accounts for all the bots with a null password in hopes they one day upload something neat.
I wrote my dissertation using honeypots, and in VoIP you can actually act as a real system and pretend you have been hacked by emulating real system behavior, in this case PSTN. Most of the scammers wouldn't dare to check each system, as they normally attack ranges of IP addresses.
> won't scammers just detect the honeypot
It's fairly difficult to detect a well-made honeypot.
>even just detect latency from their connection being proxied elsewhere
Not if the attacker is legitimately placed far away from you. Also, from my experience these bots have very large timeouts set.
This submission is a better honeypot than the software link it points to. It has not been updated (latest blog entry 19/02/2018, latest code release Jul 30 2018).
Honeypots are high maintenance, or easily detectable.
Better example (disclaimer, I might have had something to do with this when it was being developed) is the DT Honeypot initiative.
Website: https://sicherheitstacho.eu/start/main
Code (Deutsche Telekom AG Honeypot Project on 01 Apr 2019): https://dtag-dev-sec.github.io/
This is a great early detection mechanism for malware.
Providers like Crowdstrike https://www.crowdstrike.com/ already aggregate results of malware scans for customers.
This is different because it is the National CSIRT of the Czech Republic, and because it is a honeypot, it will let the attacker use more commands.
Self plug: founder at https://www.avesnetsec.com and launching something like this as a SaaS offering very soon. Doing limited access trials right now and expect full launch in 4 weeks' time.
Some of the comments here around usability echo our early customer feedback very much - which is why we want to be as smooth on the plug and play side as possible.
> "Your computer stays safe because all communication is redirected to our server."
Won't they see the packets hopping to other devices via a command like 'traceroute'?
Depends on what networking layer they're proxying. Layer 4 with something like PROXY protocol and it's not as easy to tell.
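To make the layer-4 point concrete: when the forwarder relays the raw TCP stream, the sensor's TCP peer is the forwarder, not the attacker, so the only place the attacker's address survives is a PROXY protocol v1 line prepended to the stream. The following is an added example of building and parsing that line on the sensor side; it is not code from HaaS, the DT honeypot or the commenter, and the addresses, ports and the `TRUSTED_FORWARDERS` allowlist are constructed for illustration.

```python
"""PROXY protocol v1 (HAProxy text form) as a honeypot forwarder would use it.

Added example, not project code.  Wire format:
    PROXY TCP4 <src_ip> <dst_ip> <src_port> <dst_port>\r\n
    PROXY TCP6 <src_ip> <dst_ip> <src_port> <dst_port>\r\n
    PROXY UNKNOWN\r\n          (forwarder could not determine the client)
"""
import ipaddress

# Longest legal v1 line including CRLF (TCP6 with full-length addresses/ports).
MAX_V1_HEADER = 107

# Constructed: only the forwarding proxy may assert a client address.  Honouring
# a PROXY line from an arbitrary peer would let anyone spoof the logged source.
TRUSTED_FORWARDERS = {"203.0.113.10"}


def build_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Forwarder side: encode the original client/destination as a v1 line."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")


def parse_v1_header(data):
    """Sensor side: parse the v1 line at the start of `data`.

    Returns (info, rest) where info is a dict of the asserted addresses, or
    None for 'PROXY UNKNOWN', and rest is the payload after the CRLF.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError(f"no PROXY v1 line within the first {MAX_V1_HEADER} bytes")
    fields = data[:end].decode("ascii").split(" ")
    if fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match TCP4/TCP6 tag")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("ports must be unsigned decimal")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    info = {"family": fields[1], "src": str(src), "dst": str(dst),
            "src_port": sport, "dst_port": dport}
    return info, rest


def client_for_logging(tcp_peer, first_bytes):
    """Decide which address the sensor attributes the session to.

    tcp_peer is what accept() reported (the forwarder when proxied); the
    PROXY line is consulted only if that peer is an allowlisted forwarder.
    Returns ((ip, port), remaining_payload).
    """
    peer_ip, peer_port = tcp_peer
    if peer_ip not in TRUSTED_FORWARDERS:
        return (peer_ip, peer_port), first_bytes
    info, rest = parse_v1_header(first_bytes)
    if info is None:
        return (peer_ip, peer_port), rest
    return (info["src"], info["src_port"]), rest


if __name__ == "__main__":
    # Constructed session: attacker 198.51.100.7 hits the forwarder's port 22,
    # forwarder relays to the sensor with a PROXY line in front of the banner.
    stream = build_v1_header("198.51.100.7", "203.0.113.10", 51234, 22)
    stream += b"SSH-2.0-OpenSSH_7.4\r\n"
    print(client_for_logging(("203.0.113.10", 40000), stream))
    print(client_for_logging(("192.0.2.9", 40000), stream))  # untrusted peer: header ignored
```

The allowlist check is the part worth keeping in mind: a sensor that accepts PROXY lines from any peer turns its own logs into attacker-controlled data, which is exactly the kind of forensic record the thread above hopes to hand to authorities.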
Last update, 2018. Cool.