The VARIoT honeypot network in numbers
The primary VARIoT honeypot network used for observing IoT and other attacks is based on a rewritten, updated version of the EU H2020 SISSDEN project platform. It enables rapid large scale deployments of honeypot sensors across data centers worldwide. These sensors act as OSI layer 2 tunnel endpoints to a datacenter where the actual honeypots reside. The honeypot network is built and managed by Shadowserver. You can read more on the general architecture in an overview of Shadowserver’s contribution to the SISSDEN project.
As of the 19th of November 2021, the primary network runs 260 nodes with dedicated IP addresses for a total of 821 honeypots operating at once. The nodes are located in 88 countries, 331 unique /24’s and 134 unique ASNs.
The honeypot network runs various open source and proprietary honeypots. This includes the cowrie honeypot and a proprietary IoT/Web honeypot, developed for the VARIoT project that classifies attacks seen by CVE, CVSS, targeted vendor and product, as well as mapping observed attacks to the MITRE ATT&CK framework.
Data from these honeypots is shared with 132 National CSIRTs covering 173 countries and territories and over 6000 organizations worldwide in Shadowserver’s daily feeds via the Honeypot Brute Force Events report and Honeypot HTTP Scanner Events report.
We have also developed a malware downloader framework that attempts to automatically decode URLs being used to serve malware. These URLs will soon also be shared daily through Shadowserver’s free daily remediation feeds.
Deployment of sensor nodes in Africa and the Indo-Pacific is also supported by the UK FCDO.
If you would like to receive IP-specific information about events seen by our honeypots on your network or constituency seen by our honeypots please sign up with Shadowserver. If you have previously signed up for Shadowserver feeds, you automatically receive this data already should any honeypot event or malware infection be registered from your network or constituency.