About

CTU Hornet 65 Niner is a dataset of 65 days of network traffic attacks captured in cloud servers used as honeypots to help understand how geography may impact the inflow of network attacks. The honeypots were placed in nine different geographical locations: Amsterdam, London, Frankfurt, San Francisco, New York, Singapore, Toronto, Bangalore, and Sydney. The data was captured from April 28th to July 1st, 2024.

The nine cloud servers were created and configured following identical instructions using Ansible [1] in DigitalOcean [2] cloud provider. The network capture was performed using the Zeek [3] network monitoring tool, which was installed oneach cloud server. The cloud servers had only one service running (SSH on a non-standard port) and were fully dedicated to being used as a honeypot. No honeypot software was used in this dataset.

The dataset is composed of nine scenarios:

• Honeypot-Cloud-DigitalOcean-Geo-1: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
• Honeypot-Cloud-DigitalOcean-Geo-2: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
• Honeypot-Cloud-DigitalOcean-Geo-3: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
• Honeypot-Cloud-DigitalOcean-Geo-4: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
• Honeypot-Cloud-DigitalOcean-Geo-5: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
• Honeypot-Cloud-DigitalOcean-Geo-6: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
• Honeypot-Cloud-DigitalOcean-Geo-7: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
• Honeypot-Cloud-DigitalOcean-Geo-8: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
• Honeypot-Cloud-DigitalOcean-Geo-9: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files

Experiment Information

Administration IPs: 88.103.231.202
Administration Port: 902
Instance OS: Ubuntu 23.10 x64
Instance Capacity: 1GB / 1 Intel CPU
Instance Storage: 25 GB NVMe SSDs
Instance Transfer: 1000 GB transfer

Honeypots Information

Citation

To cite this work: Valeros, Veronica; Garcia, Sebastian (2024), “CTU Hornet 65 Niner: A Network Dataset of Geographically Distributed Low-Interaction Honeypots”, Mendeley Data, V1, doi: 10.17632/nt4p9zsv5k.1

Steps to Reproduce

This dataset used cloud server instances from Digital Ocean. For this dataset, all cloud servers have the same technical configurations: a) Operating System: Ubuntu 23.10 x64, b) Instance Capacity: 1GB / 1 Intel CPU, c) Instance Storage: 25 GB NVMe SSDs, d) Instance Transfer: 1000 GB transfer.

The servers were created and configured using Ansible [1]:

1. Install Ansible
2. Create an account in Digital Ocean
3. Add an SSH key to the Digital Ocean account
4. Generate a Digital Ocean API Token
5. Store the API Token in a command line variable, export DO_API_TOKEN=“do_…”
6. Download the resources folder included with this dataset
7. Access the resources folder, e.g.: cd /tmp/resources/
8. Add your SSH fingerprint as uploaded to DigitalOcean to the first ansible playbook (‘ssh_keys’) step_01_create_droplets.yml
9. Run the first Ansible playbook to create the droplets: ansible-playbook ansible_step_01_create_droplets.yml
10. Run the second Ansible playbook to configure the droplets: ansible-playbook ansible_step_02_configure_droplets.yml
11. Run the third Ansible playbook to configure the SSH service: ansible-playbook ansible_step_03_update_ssh_config.yml
12. IPv6 was enabled manually in the DigitalOcean droplet management console when these exeriments were made

References

1. Ansible IT Automation Engine, https://www.ansible.com/. Accessed on 08/28/2024.
2. DigitalOcean, https://www.digitalocean.com/. Accessed on 08/28/2024.
3. Zeek Documentation, https://docs.zeek.org/en/master/index.html. Accessed on 08/28/2024.