Latest news

The VARIoT honeypot network in numbers

The primary VARIoT honeypot network used for observing IoT and other attacks is based on a rewritten, updated version of the EU H2020 SISSDEN project platform. It enables rapid large scale deployments of honeypot sensors across data centers worldwide. These sensors act as OSI layer 2 tunnel endpoints to a datacenter where the actual honeypots reside. The honeypot network is built and managed by Shadowserver. You can read more on the general architecture in an overview of Shadowserver’s contribution to the SISSDEN project.

As of the 19th of November 2021, the primary network runs 260 nodes with dedicated IP addresses for a total of 821 honeypots operating at once. The nodes are located in 88 countries, 331 unique /24’s and 134 unique ASNs.

Primary honeypot network used by VARIoT (note: numbers are regionalized)
Honeypot distribution in Europe
Honeypot distribution in Europe (Zoomed-in)
Honeypot distribution in Europe (Zoomed-in)

The honeypot network runs various open source and proprietary honeypots. This includes the cowrie honeypot and a proprietary IoT/Web honeypot, developed for the VARIoT project that classifies attacks seen by CVE, CVSS, targeted vendor and product, as well as mapping observed attacks to the MITRE ATT&CK framework.

Data from these honeypots is shared with 132 National CSIRTs covering 173 countries and territories and over 6000 organizations worldwide in Shadowserver’s daily feeds via the Honeypot Brute Force Events report and Honeypot HTTP Scanner Events report.

We have also developed a malware downloader framework that attempts to automatically decode URLs being used to serve malware. These URLs will soon also be shared daily through Shadowserver’s free daily remediation feeds.

You can obtain VARIoT global statistics about infections seen by the honeypots (and other sources) on the VARIoT website hosted by CIRCL and also on the European Data Portal.

Deployment of sensor nodes in Latin America and the Caribbean is supported by the sensores.lat project together with CEDIA and FRIDA

Deployment of sensor nodes in Africa and the Indo-Pacific is also supported by the UK FCDO.

If you would like to receive IP-specific information about events seen by our honeypots on your network or constituency seen by our honeypots please sign up with Shadowserver. If you have previously signed up for Shadowserver feeds, you automatically receive this data already should any honeypot event or malware infection be registered from your network or constituency.

Related Posts

Identification of IoT Malware Infections
  • September 7, 2022

IoT malware analysis at VARIOT

This blog entry explains the system used to study a large-scale IoT malware ecosystem that integrates attacker-related features with binary
Behaviour Analysis
  • January 21, 2022

Extension of the IMT IoT

IMT has been investing in new objects representative of the smart home environment in order to keep up with increasing
The VARIoT (Vulnerability and Attack Repository for IoT) project with TENtec n. 28263632 is Co-financed by the Connecting Europe Facility of the European Union. The contents of this Web site are the sole responsibility of the VARIoT consortium and do not necessarily reflect the opinion of the European Union. Should you have any question, request or opinion, please contact us at info(@)variot(.)eu