Slashdot Mirror


Recipe For Building a Cheap Raspberry Pi Honeypot Network

mask.of.sanity (1228908) writes "Honeypots are the perfect bait for corporate IT shops to detect hackers targeting, and already within, their networks, and now a guide has been published to build a dirt-cheap battalion of the devices from Raspberry Pis. "By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor," the author explained."


  1. I don't get the hype by rebelwarlock · · Score: 4, Insightful

    It's a computer. You can do a lot of things with a computer. Why do we need an article every time anyone uses it for anything?

    1. Re: I don't get the hype by Anonymous Coward · · Score: 2, Insightful

      That may be true if everything is on a small number of networks, but the Raspberry Pi is nice as I could put them in wiring closets all over. Right now we have NetFlow data for any traffic between buildings, but we don't see all traffic within a building. This could let us have a honeypot in each building to get a heads-up about issues.

      Right now bringing each network into our data center is impractical. As it is, our virtual environment is at the maximum number of VLANs it can handle, so the best use of resources is to upgrade it. While we are doing that, security could use these as sensors on some of the more sensitive networks or where we suspect there are issues from other (possibly non-actionable) data.

    2. Re:I don't get the hype by postbigbang · · Score: 2

      Honeypot. Flood.

      You don't get it.

      You can put these on isolated segments, VLANs, whatever but importantly: wherever in the system you want to attract the bees.

      So long as it can send even one "ouch" packet, it's done its job, saved your ass, and saved you hours looking through even great syslog managers to find symptoms of internal infections.

      Do they cost? Not much. Aren't VMs cooler to use? No, because you want them randomly everywhere, not just in your VM farms. Yes, VM honeypots are a great idea. No, you can't simply put them in a dev pool or out in the cubes. But you *can* put a Pi anywhere your network has a connection, and your switch ports allow admittance. Hint.

      --
      ---- Teach Peace. It's Cheaper Than War.
  2. VMs are the way here by Anonymous Coward · · Score: 4, Insightful

    Why not buy a cheap couple-of-hundred-dollar PC and run as many VMs as could possibly fit? Install a really old Linux distribution (or early Windows) and the resource use is small. Many honeypots with less maintenance....

  3. Re:Entrapment is so much fun is it? by Razed By TV · · Score: 2

    Who said anything about putting it out as bait?
    The article specifically talks about using it on an internal network.

  4. Re:Need to think about why it is being done by oggiejnr · · Score: 4, Interesting

    The aim of honeypots in this scenario isn't to bait out people but software. The first thing that a targeted piece of malware is likely to do is find other systems to infect and map out the internal network. If a computer in the accounts department is suddenly firing off CIFS requests at your honeypot it is an anomaly that should be investigated. It's much easier to find dodgy traffic if there isn't supposed to be any rather than looking for it in the corporate network as a whole.

    If it turns out it was a bored intern browsing the local network then the situation can be explained. If it was an opened dodgy e-mail or other attack vector then the machine can be wiped and connection logs gathered so that a clean-up operation can be attempted.

  5. Re:We need a Pi category so I can ignore it by rebelwarlock · · Score: 2

    Elon Musk is going to set up a 3D-printed Raspberry Pi array to farm bitcoins, thus causing buzzwords to reach critical mass.

  6. Re:We need a Pi category so I can ignore it by Ol Olsoc · · Score: 4, Insightful

    That, and Elon Musk are the two most masturbatory topics on Slashdot these days.

    From what I've seen though, there are a lot of slashdotters who have a deep-seated need to bitch about something.

    Must be 75 percent of the posts are crying about "'Nuthre rsby pie rtickle!"

    There are options for us:

    1. Don't read the article. This works surprisingly well for people not in the Fox News self-validation mode. The title usually lets us know what the subject is.

    2. Submit your own stories. You people who know what people really want to read should be able to submit articles that people really want to read.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  7. Re:We need a Pi category so I can ignore it by tomhath · · Score: 3, Funny

    Wow. Imagine a Beowulf cluster of those.

  8. real storage, active directory servers get legit t by raymorris · · Score: 2

    Let's consider the last piece of malware I dealt with. It searched the network for shared storage and did nasty things on the storage. The REAL storage server is used by thousands of people, so it gets many, many requests per minute. Sorting out legitimate use of the storage vs something suspicious would be nearly impossible. The honeypot storage, on the other hand, gets NO legitimate traffic. Any traffic to the honeypot is worth investigation. That makes it a much more reliable way to find malware or other traffic sources that merit investigation.

    Same with the Active Directory, the mail server, the database ...
    Do you have any idea how much traffic a corporate mail server can get? Looking for suspicious connections is worse than a needle in a haystack. An otherwise unused machine with the mail ports open quickly flags strange behaviour for investigation.
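A minimal sensor of the kind oggiejnr (comment 4) and raymorris (comment 8) describe, added here as an example; it is not code from the article, the guide it links to, or any commenter. It listens on a few conventional service ports that share- and mail-hunting malware tends to probe (the port list and field names are my choices), records every TCP connection with its first bytes, and turns each one into an alert line, dropping only an explicit allowlist such as your own vulnerability scanner. Nothing else is ever supposed to talk to the box, so every record is worth a look. Port 0 makes the OS pick a free port, which is handy for testing without root.

```python
import json
import socket
import threading
import time
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

# Conventional ports for the services the thread discusses (shares, mail,
# directory). Assumption: pick whatever your real hosts expose; the Pi only
# needs to *accept* the connection, not speak the protocol.
DEFAULT_LURE_PORTS: Dict[int, str] = {445: "smb", 139: "netbios-ssn",
                                      25: "smtp", 389: "ldap", 3389: "rdp"}


@dataclass
class HoneypotEvent:
    ts: float
    src_ip: str
    src_port: int
    dst_port: int
    service: str
    first_bytes: str  # hex of the first bytes received, enough to triage the client


class HoneypotSensor:
    """One accept loop per lure port; every accepted connection becomes an event."""

    def __init__(self, ports: Optional[Dict[int, str]] = None,
                 bind_addr: str = "0.0.0.0", read_timeout: float = 2.0):
        self.ports = dict(ports or DEFAULT_LURE_PORTS)
        self.bind_addr = bind_addr
        self.read_timeout = read_timeout
        self.events: List[HoneypotEvent] = []
        self._lock = threading.Lock()
        self._listeners: List[socket.socket] = []
        self._stop = threading.Event()

    def start(self) -> Dict[int, str]:
        """Bind each lure port and return {actual_port: service} (port 0 is resolved)."""
        bound: Dict[int, str] = {}
        for port, service in self.ports.items():
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self.bind_addr, port))
            s.listen(16)
            s.settimeout(0.5)  # lets the accept loop notice stop()
            actual = s.getsockname()[1]
            bound[actual] = service
            self._listeners.append(s)
            threading.Thread(target=self._serve, args=(s, actual, service),
                             daemon=True).start()
        self.ports = bound
        return bound

    def _serve(self, sock: socket.socket, port: int, service: str) -> None:
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = sock.accept()
            except socket.timeout:
                continue
            except OSError:  # listener closed by stop()
                break
            with conn:
                conn.settimeout(self.read_timeout)
                try:
                    data = conn.recv(64)  # grab a banner/first request, then drop it
                except (socket.timeout, OSError):
                    data = b""
            ev = HoneypotEvent(time.time(), src_ip, src_port, port, service, data.hex())
            with self._lock:
                self.events.append(ev)

    def stop(self) -> None:
        self._stop.set()
        for s in self._listeners:
            s.close()

    def drain(self) -> List[HoneypotEvent]:
        """Hand back and clear the recorded events (ship these to your SIEM/syslog)."""
        with self._lock:
            evs, self.events = self.events, []
        return evs


def alert_lines(events: List[HoneypotEvent], allowlist=frozenset()) -> List[str]:
    """Every touch is an alert unless the source is a known, approved scanner."""
    return [json.dumps({"alert": "honeypot-touch", **asdict(e)})
            for e in events if e.src_ip not in allowlist]


if __name__ == "__main__":
    sensor = HoneypotSensor()
    print("listening on", sensor.start())
    try:
        while True:
            time.sleep(5)
            for line in alert_lines(sensor.drain()):
                print(line)
    except KeyboardInterrupt:
        sensor.stop()
```

Run it as root (or with CAP_NET_BIND_SERVICE) on the Pi so it can bind the low ports, and forward the JSON lines to wherever your other sensors report. Because the host has no legitimate clients, no baseline or threshold is needed: the first line that is not from the allowlist is the "ouch" packet postbigbang mentions.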

  9. Re:real storage, active directory servers get legi by dbIII · · Score: 2

    Do you have any idea how much traffic a corporate mail server can get?

    If your network is too large to comprehend, then apply an engineering solution instead of a basket-weaving solution and handle things in manageable chunks. Since IT folk like to pretend they are engineers (which was to my benefit when I changed careers from engineering a couple of decades back), why not act like them? Suspicious stuff coming in or out of segments is one way of tracking; does that really compare with hoping something randomly hits your honeypot? Oh, that's right - if you are not tracking what is coming in and out of manageable segments, then hope is all you've got. Carry on then. Let's hope they don't use your fragile honeypot as a springboard to something else before you find out they are there.

    The REAL storage server is used by thousands of people, so it gets many, many requests per minute. Sorting out legitimate use of the storage vs something suspicious would be nearly impossible.

    Take a look at how people handle security on very large compute clusters. It is not "nearly impossible". If you are not on the list you don't get in. If you try to get in you get logged. If it's too large to monitor you cut it into chunks that are not too large to monitor.