SerIoT Honeypot

SerIoT Honeypot Live attack statistics

Description of the live SerIoT honeypot: The SerIoT honeypot is a medium-interaction SSH and Telnet honeypot designed to log brute-force attacks and the shell interaction performed by the attacker. This honeypot in particular emulates the hardware and software configuration of the device of one of the SerIoT use case partners. As the statistics show, over the past days there have been several attempts to brute-force the SSH login mechanism that is commonly available on today’s popular IoT devices. More statistics are available from the live stream above. The honeypot was deployed as a research honeypot at TU Berlin and also at IITiS in Poland for the purpose of gaining threat intelligence on attackers as they interacted with the honeypot.

Live Honeypot – Attack insights:

As seen in the live honeypot, the attacks observed over a one-week period have mounted our expectations. It is clear that attackers can easily break into devices and networks that are poorly configured, which is the case with many IoT devices deployed worldwide today. One example from the live running honeypot is as follows:

1. The attacker successfully logs in to the honeypot by brute-forcing the SSH login mechanism. A wide variety of commands are then executed on the honeypot.

2. The attacker downloads malware onto it. A thorough analysis of the malware file shows that it is of the Mirai botnet type, which allows the attacker to generate a powerful DDoS attack that is hard to recover from.

3. Since we have configured our honeypot in a tightly isolated virtual environment, the malware could not infect systems outside this isolation zone, and hence we could safely exclude these attack attempts from this Mirai botnet.

A summary of the files downloaded this week (as of March 3rd 2021):

We have analyzed one of the files that were downloaded into the honeypot and found that it is a Mirai botnet (see below for more info). Information about other files and their malware can be requested from TU Berlin.

Based on our observations, here are some recommendations for securing a network against the attacks seen on the SerIoT honeypot:

  •     Prevent/disable root login over SSH – prevents attackers from gaining root level access if they are able to brute force a login.
  •     Limit failed SSH login attempts – This will prevent brute force attacks, by limiting their effectiveness or by blocking the IP after too many failed attempts.
  •     Use SSH public keys – Disable password authentication and use SSH public keys.
  •     Block known IP addresses – Make use of the SDN controller to block known IPs so that they cannot continue to attack in future.
  •     Block malicious domains and IP addresses – Connections from within the network to domains and IP addresses that are known to contain malware should be blocked.
  •     Integrate file monitoring – Integrating file monitoring provides greater information on the modification of files by malware, and alerts on the presence of known malware.

SerIoT honeypot integrated into SDN framework

Description: Cyberattacks often begin with a port scan, which attackers use to find exploitable vulnerabilities on targeted systems. In SerIoT, we demonstrate how a port scan attack is detected by the honeypot that is installed in an SDN-controlled SerIoT network. In particular, it uses a lightweight algorithm to detect this attack. As soon as a port scan is detected with sufficient evidence, the honeypot informs the SerIoT Routing Engine (precisely, the SDN controller) about this malicious activity. The SDN controller then immediately generates a new routing rule to block malicious traffic from entering the SerIoT network for a pre-defined (configurable) amount of time. Thanks to the configurable routing technology of the SDN router, a honeypot can be leveraged to detect attackers in real time, and safe and secure routing rules can be generated dynamically to allow or prevent traffic from any node inside or outside the network.
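
One way such a lightweight detector could work, as an added example that is not SerIoT's own code: it counts distinct destination ports per source inside a sliding window and, once the threshold is reached, emits a time-limited drop rule of the kind the honeypot would hand to the SDN controller. The window, threshold, block duration, rule format and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 10        # assumed sliding window, in seconds
PORT_THRESHOLD = 5   # assumed "sufficient evidence": distinct ports probed
BLOCK_S = 300        # assumed configurable block duration, in seconds

class PortScanDetector:
    """Flags a source that probes many distinct ports within a short window."""

    def __init__(self, window=WINDOW_S, threshold=PORT_THRESHOLD, block=BLOCK_S):
        self.window, self.threshold, self.block = window, threshold, block
        self.probes = defaultdict(deque)   # src -> deque of (ts, dst_port)
        self.blocked_until = {}            # src -> rule expiry timestamp

    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is not None and now >= expiry:
            del self.blocked_until[src]    # rule timed out, traffic allowed again
            return False
        return expiry is not None

    def observe(self, ts, src, dst_port):
        """Feed one connection attempt; return a block rule dict or None."""
        if self.is_blocked(src, ts):
            return None                    # a rule for this source is still active
        q = self.probes[src]
        q.append((ts, dst_port))
        while q and ts - q[0][0] > self.window:
            q.popleft()                    # forget probes outside the window
        if len({port for _, port in q}) >= self.threshold:
            self.blocked_until[src] = ts + self.block
            del self.probes[src]
            # Hypothetical rule format; a real controller has its own API.
            return {"action": "drop", "src_ip": src, "expires": ts + self.block}
        return None

# Constructed events: (timestamp, source IP, destination port)
EVENTS = [
    (0, "198.51.100.7", 22), (1, "198.51.100.7", 23), (1, "203.0.113.9", 22),
    (2, "198.51.100.7", 80), (3, "198.51.100.7", 443), (4, "198.51.100.7", 8080),
    (5, "198.51.100.7", 2323), (40, "203.0.113.9", 22), (400, "198.51.100.7", 22),
]

def run(events):
    det = PortScanDetector()
    return [rule for e in events if (rule := det.observe(*e))]

if __name__ == "__main__":
    print(run(EVENTS))
```

A source that spaces its probes further apart than the window never reaches the threshold, so a counter like this catches fast scans only; the window and threshold trade detection of slow scans against false positives on legitimate multi-port clients.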