Flypaper--A simple Honeypot variation

Introduction

In March of 2003 I put together a setup that I've been calling my "honeypot." It isn't one, though, and I realized that I'm creating a little confusion by calling it that.

A traditional honeypot is intended to be hacked and allow you to watch what the hacker does in order to learn about hackers and their methods. That is not what I'm doing here. My goal is to catch the packets buzzing by on the Internet. I want to see who is scanning or attacking what ports. My machine has never hosted any public service--anything that reaches it is uninvited. That's the point. I want to catch the stuff that just flies by.

So it's kind of like Internet flypaper.

That's what I'm calling it. A quick Google search for "honeypot flypaper" turned up three references that seem to be talking about the same sort of idea (1, 2, 3). It also turned up some interesting adult slang that I'm not going to get into here.

The statistics from my Internet Flypaper are automatically updated every Sunday morning, so you can see what's hitting the 'Net in my small corner.


Eventually I want to add a "How To" document here. At the moment I'm still experimenting with the setup when I have time. But I will share a few details to give you an idea and to show the amount of resources you don't need to have.

My Flypaper

Most of the hardware is junk, and all of the software is free.

  • My link is a 144/144 iDSL connection that's also my backup in case my cable modem goes down.
  • The target machine is a 486DX-33 with 32 Meg RAM running Red Hat 7.2 and THP. It logs some things to local disk, but I actually don't care. The important data is collected by the next system.
  • The sniffer machine is a Pentium 1 something or other, running Red Hat something or other (8, I think) and Snort and reporting to a remote MySQL database.
  • The remote database is a Dell PE 500SC PIII and it runs everything else in my environment as well. It runs Red Hat 8.
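Seeing who is scanning or attacking which ports is the whole point of the flypaper. The setup above does that with Snort reporting into MySQL; as an added example that is not the author's code, here is a small Python script that produces the same kind of weekly summary directly from Snort "alert_fast"-style lines. The alert lines below are constructed for the example (RFC 5737 documentation addresses), and the regular expression is an assumption about the fast-alert layout rather than anything taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample alerts in the shape of Snort's alert_fast output.
# They are made up for this example and are not from the author's flypaper.
SAMPLE_ALERTS = """\
03/16-02:14:33.123456 [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
03/16-02:20:01.000001 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Attempted Information Leak] [Priority: 3] {UDP} 192.0.2.11:3000 -> 198.51.100.5:1900
03/16-03:01:15.555555 [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.12:1434 -> 198.51.100.5:1434
03/16-04:44:44.444444 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.13 -> 198.51.100.5
03/16-05:05:05.050505 [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
03/17-01:02:03.040506 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.14:4123 -> 198.51.100.5:80
"""

# Assumed layout of one fast-alert line: timestamp, [**] [gid:sid:rev] message [**],
# classification/priority, {PROTO} src[:sport] -> dst[:dport]. ICMP has no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Parse fast-alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sid"] = int(rec["sid"])
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        alerts.append(rec)
    return alerts


def port_summary(alerts):
    """Map (proto, dport) -> hit count, distinct source addresses, signature names."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set(), "sigs": set()})
    for a in alerts:
        entry = summary[(a["proto"], a["dport"])]
        entry["hits"] += 1
        entry["sources"].add(a["src"])
        entry["sigs"].add(a["msg"])
    return dict(summary)


def top_ports(alerts, n=5):
    """Return [(proto, dport, hits, unique_sources)] ordered by hits, busiest first."""
    rows = [(proto, dport, e["hits"], len(e["sources"]))
            for (proto, dport), e in port_summary(alerts).items()]
    # Ports-less protocols (ICMP) sort with dport -1 so the key stays comparable.
    rows.sort(key=lambda r: (-r[2], r[0], r[1] if r[1] is not None else -1))
    return rows[:n]


def report(text):
    """Render the weekly-style table the flypaper page publishes."""
    lines = ["proto  dport  hits  sources  signatures"]
    summary = port_summary(parse_alerts(text))
    for proto, dport, hits, nsrc in top_ports(parse_alerts(text)):
        sigs = "; ".join(sorted(summary[(proto, dport)]["sigs"]))
        lines.append(f"{proto:<5}  {str(dport):>5}  {hits:>4}  {nsrc:>7}  {sigs}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS))
```

Feed it a real alert file instead of SAMPLE_ALERTS and the output is the "what ports are being hit, by how many distinct hosts" view the flypaper is built to give; distinct sources per port matters more than raw hits, since a single worm-infected host retrying every hour looks like a lot of traffic but is only one scanner.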