A colleague brought the HoneyMap to my attention, and I thought it was pretty fascinating. It is a visualization of attacks against The HoneyNet Project’s sensors, which are honeypots distributed worldwide. One reason I wanted to give it some attention is that you can contribute to this project by creating a honeypot system on your network and adding more data to the HoneyMap.
Click the HoneyMap link or thumbnail below to view the real-time map in action:
Basically, this is how it works:
Internally, the Honeynet Project uses hpfeeds for collecting data from honeypots and sharing it across different analysis components and data storage setups. Thus, we added hpfeeds support to our map back-end and translated all IP addresses of our events to geographic locations through the MaxMind IP geolocation.
Got that? Mark Schloesser’s post explains that HoneyNet Project members deploy the honeypots on their own infrastructure in many different countries, and when events are triggered, the sensors push the data to the hpfeeds system. He also describes the kind of attacks that the data represents, which is not necessarily a person sitting down at a computer and targeting a system, but instead “automated scans and attacks … from infected end-user computers or hijacked server systems.”
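The flow described above (sensors publish events to hpfeeds, the map back-end turns source IPs into locations), as an added example that is not code from the HoneyMap or The HoneyNet Project. The frame layout follows the hpfeeds wire format; the `saddr` payload key, the sensor and channel names, and the small `GEO_TABLE` standing in for the MaxMind database are constructed assumptions.

```python
import ipaddress
import json
import struct

OP_PUBLISH = 3  # hpfeeds opcode carried by a published event
# Constructed stand-in for the MaxMind database (documentation-only ranges).
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): ("NL", 52.37, 4.89),
    ipaddress.ip_network("198.51.100.0/24"): ("BR", -23.55, -46.63),
}

def publish_frame(ident, channel, payload):
    # u32 total length, u8 opcode, then length-prefixed ident and channel, then payload
    body = bytes([len(ident)]) + ident + bytes([len(channel)]) + channel + payload
    return struct.pack("!IB", 5 + len(body), OP_PUBLISH) + body

def iter_publishes(buf):
    """Yield (ident, channel, payload) for each complete publish frame in buf."""
    pos = 0
    while pos + 5 <= len(buf):
        length, op = struct.unpack_from("!IB", buf, pos)
        if length < 5 or pos + length > len(buf):
            break  # malformed or truncated frame: stop and wait for more bytes
        body, pos = buf[pos + 5:pos + length], pos + length
        if op != OP_PUBLISH or not body or 1 + body[0] >= len(body):
            continue  # not a publish, or no room for the channel field
        ident_end = 1 + body[0]
        chan_end = ident_end + 1 + body[ident_end]
        if chan_end <= len(body):
            yield body[1:ident_end], body[ident_end + 1:chan_end], body[chan_end:]

def geolocate(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return next((loc for net, loc in GEO_TABLE.items() if addr in net), None)

def markers(buf, ip_field="saddr"):  # ip_field: assumed name of the source-IP key
    out = []
    for _ident, channel, payload in iter_publishes(buf):
        try:
            event = json.loads(payload)
            loc = geolocate(str(event[ip_field]))
        except (ValueError, KeyError, TypeError):
            continue  # non-JSON payload, missing key, or bad address
        if loc:  # addresses with no known location produce no map marker
            out.append((channel.decode("utf-8", "replace"),) + loc)
    return out

# Constructed sample stream: a locatable event, a non-JSON payload, a truncated frame.
SAMPLE = b"".join(publish_frame(b"sensor1", b"dionaea.capture", p) for p in
                  (b'{"saddr": "192.0.2.10", "dport": 445}', b"not json", b'{"saddr": "198.51.100.7"}'))[:-4]
```

Each tuple returned by `markers` is one point on the map: channel, country, latitude, longitude.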
For all the details of the HoneyMap and to find out how you can join The HoneyNet Project, see the full post from Schloesser, where he answers many of the most frequently asked questions about the project.