Andy Smith's Blog

Honeypot Hosting


As I am just a honeypot hobbyist and not affiliated with any university or the security department of any organisation I have to host my honeypots myself.

Currently I rent a VPS to do this, a low spec server with two IP addresses. This is perfectly acceptable for my needs (after all, this is just a hobby) but with my lease expiring soon I decided to hunt for the perfect "honeypot host".

There's little information on the internet regarding honeypot hosting and posts I have made in the past on forums have turned up nothing so I decided to contact the hosts directly.

Results

I contacted just over ten ISPs, specifically those that specialise in VPS hosting (because I'm cheap). Here is what I asked them and what they said:

Q: Can I run a honeypot on your servers?

  • A (best): Yes
  • A (worst): No

I didn't ask this question directly, although it was discussed in the content of my email to explain my IP address greed. I was surprised to find many hosts completely unwelcoming to the idea of having a honeypot on their servers. One response from those that weren't interested was that running one would "put a target on everyone within the core infrastructure of that facility", and this was not uncommon. Attempts to explain that I wasn't exactly planning on sticking an unpatched Windows XP install on their systems fell on deaf ears.

Q: How many IP addresses can I get?

  • A (most): 5
  • A (least): 0

Obviously quite important for the purposes of running a honeypot, this was the main piece of information I was after. Unfortunately, the maximum offer I received was 8 (with 5 usable). Further enquiries led me to find that RIPE are (understandably) quite particular about what they give IP addresses out for and to whom. After allocating a block to an ISP they will perform an audit, and if the ISP isn't using the addresses as RIPE see fit they won't give them any more. I contacted RIPE about this; they weren't particularly informative and were mostly eager to get me to sign up as a member.

Q: Can you guarantee a good dispersion of the addresses?

  • A (best): Probably not
  • A (worst): No

Generally the answer was that this was not possible, as ISPs dish out IPs as they get them and are themselves generally allocated them in blocks. Either way, there was no way for any host contacted to guarantee such a service.

The Hosts

Those hosts that responded and were happy to host honeypots are as follows:

Conclusion

All in all, fairly disappointing results, possibly hardly worth the blog post, except in the vain hope that I've missed some super host that can offer me all I need. This is by no means an extensive study, but the responses are fairly bleak for those of us with limited resources. Regardless, I hope this may save someone the time I expended.

Follow Up - 3 months on

This is a quick note I'm adding to the bottom of this article for anyone who finds it and wants to know what I did. I went with tagadab in the end, as they had the best value and the most IPs on offer. Furthermore, their support not only knew what a honeypot was but were welcoming towards the idea of hosting them. I got 5 IPs; they were unvaried (as I had been warned) and basically x.x.x.x, x.x.x.x+1, ..., x.x.x.x+4.

The experience has been fine: the server is stable and speedy, and there has been no bother for hosting honeypots. Exactly what I wanted.

For those in the position I was in 3 months ago, I would give a piece of advice that I would like to have tried. From the get-go I chose '5 IPs', the maximum; I realised that perhaps my impatience caused me to miss a trick. What I should have done is request 1 IP, then a week later another, then a week later another and so on until I had hit my maximum. This would have almost certainly resulted in a more varied selection of IPs.

If you try this let me know how it works!
