Index of /publicDatasets/CTU-Hornet-65-Niner

[ICO]        Name                                                     Last modified     Size  Description

[PARENTDIR]  Parent Directory                                                           -
[DIR]        zeek/                                                    2024-10-09 12:02  -
[DIR]        resources/                                               2024-08-28 15:51  -
[   ]        fig1-hornet65niner-traffic-per-honeypot-comparative.pdf  2024-10-09 13:18  65K
[DIR]        duckdb/                                                  2024-08-27 10:05  -
[TXT]        README.md                                                2024-10-09 12:01  6.1K
[TXT]        README.html                                              2024-10-09 12:01  6.9K
[TXT]        Hornet65niner-Dataset-Summary-Table.csv                  2024-10-09 13:18  2.0K

About

CTU Hornet 65 Niner is a dataset of 65 days of network traffic attacks captured in cloud servers used as honeypots to help understand how geography may impact the inflow of network attacks. The honeypots were placed in nine different geographical locations: Amsterdam, London, Frankfurt, San Francisco, New York, Singapore, Toronto, Bangalore, and Sydney. The data was captured from April 28th to July 1st, 2024.

The nine cloud servers were created and configured following identical instructions using Ansible [1] on the DigitalOcean [2] cloud provider. The network capture was performed using the Zeek [3] network monitoring tool, which was installed on each cloud server. The cloud servers had only one service running (SSH on a non-standard port) and were fully dedicated to being used as honeypots. No honeypot software was used in this dataset.

The dataset is composed of nine scenarios:

Experiment Information

Administration IPs: 88.103.231.202
Administration Port: 902
Instance OS: Ubuntu 23.10 x64
Instance Capacity: 1GB / 1 Intel CPU
Instance Storage: 25 GB NVMe SSDs
Instance Transfer: 1000 GB transfer

Honeypots Information

Honeypot | City | Region | IPv4 Public | IPv4 Gateway | Private IPv4 | IPv6 Public | IPv6 Gateway
Honeypot-Cloud-DigitalOcean-Geo-1 | Amsterdam | Europe | 104.248.195.152 | 104.248.192.1 | 10.110.0.2 | 2a03:b0c0:2:d0::11ae:1 | 2a03:b0c0:2:d0::1
Honeypot-Cloud-DigitalOcean-Geo-2 | Bangalore | Asia | 165.22.222.201 | 165.22.208.1 | 10.122.0.3 | 2400:6180:100:d0::993:c001 | 2400:6180:100:d0::1
Honeypot-Cloud-DigitalOcean-Geo-3 | Frankfurt | Europe | 209.38.234.36 | 209.38.224.1 | 10.135.0.2 | 2a03:b0c0:3:d0::123c:e001 | 2a03:b0c0:3:d0::1
Honeypot-Cloud-DigitalOcean-Geo-4 | London | Europe | 165.232.34.90 | 165.232.32.1 | 10.106.0.2 | 2a03:b0c0:1:d0::1114:9001 | 2a03:b0c0:1:d0::1
Honeypot-Cloud-DigitalOcean-Geo-5 | New York | North America | 165.22.2.102 | 165.22.0.1 | 10.116.0.2 | 2604:a880:400:d0::1edd:8001 | 2604:a880:400:d0::1
Honeypot-Cloud-DigitalOcean-Geo-6 | San Francisco | North America | 64.23.252.8 | 64.23.240.1 | 10.124.0.2 | 2604:a880:4:1d0::219:3000 | 2604:a880:4:1d0::1
Honeypot-Cloud-DigitalOcean-Geo-7 | Singapore | Asia | 152.42.255.26 | 152.42.240.1 | 10.104.0.2 | 2400:6180:0:d0::41:e001 | 2400:6180:0:d0::1
Honeypot-Cloud-DigitalOcean-Geo-8 | Toronto | North America | 147.182.157.27 | 147.182.144.1 | 10.118.0.2 | 2604:a880:cad:d0::d8b:d001 | 2604:a880:cad:d0::1
Honeypot-Cloud-DigitalOcean-Geo-9 | Sydney | Oceania | 170.64.225.155 | 170.64.224.1 | 10.126.0.2 | 2400:6180:10:200::132:5000 | 2400:6180:10:200::1

Citation

To cite this work: Valeros, Veronica; Garcia, Sebastian (2024), “CTU Hornet 65 Niner: A Network Dataset of Geographically Distributed Low-Interaction Honeypots”, Mendeley Data, V1, doi: 10.17632/nt4p9zsv5k.1

Steps to Reproduce

This dataset used cloud server instances from DigitalOcean. All cloud servers have the same technical configuration: a) Operating System: Ubuntu 23.10 x64, b) Instance Capacity: 1GB / 1 Intel CPU, c) Instance Storage: 25 GB NVMe SSDs, d) Instance Transfer: 1000 GB transfer.

The servers were created and configured using Ansible [1]:

  1. Install Ansible
  2. Create an account in DigitalOcean
  3. Add an SSH key to the DigitalOcean account
  4. Generate a DigitalOcean API Token
  5. Store the API Token in a command line variable: export DO_API_TOKEN="do_…"
  6. Download the resources folder included with this dataset
  7. Access the resources folder, e.g.: cd /tmp/resources/
  8. Add your SSH fingerprint, as uploaded to DigitalOcean, to the first Ansible playbook (‘ssh_keys’), step_01_create_droplets.yml
  9. Run the first Ansible playbook to create the droplets: ansible-playbook ansible_step_01_create_droplets.yml
  10. Run the second Ansible playbook to configure the droplets: ansible-playbook ansible_step_02_configure_droplets.yml
  11. Run the third Ansible playbook to configure the SSH service: ansible-playbook ansible_step_03_update_ssh_config.yml
  12. IPv6 was enabled manually in the DigitalOcean droplet management console when these experiments were made

References

  1. Ansible IT Automation Engine, https://www.ansible.com/. Accessed on 08/28/2024.
  2. DigitalOcean, https://www.digitalocean.com/. Accessed on 08/28/2024.
  3. Zeek Documentation, https://docs.zeek.org/en/master/index.html. Accessed on 08/28/2024.