Full Overview about all of Deutsche Telekom's Honeypot Projects

Over the time, we developed a number of projects, which we mostly published on Github.

Parts of them were developed in “one day a month” projects, others in spare time of dedicated persons. Our “one day a month” approach from the central security organization basically means, that the security employees can work one day a month on a technical topic, aside from day-to-day business. The topic must be somehow related to their work, but does not necessarily have to be security-focussed.

Public Projects

T-Pot CE

T-Pot CE (Community Edition) is a honeypot framework, which is based on existing honeypots (glastopf, kippo, honeytrap and dionaea), the network IDS/IPS suricata, elk, ewsposter and some docker magic. A detailed description can be found in this article.

Nodepot

Nodepot is our glastopf copycat, a web application honeypot based on NodeJS. Code is available here.

NodeJS HP Feed Module

As an option for Nodepot you can use hpfeeds to share data. We wrote a small NPM module to support hpfeeds that can be found here.

EWSposter

EWSposter is a python application that collects information from multiple honeypot sensors and posts it to central collection services like the DTAG early warning system or hpfeeds.

IP-Blacklist

Our Early Warning System provides an API which can be queried for IP addresses that have been associated with malicious activities in our sensors. The Java example code for the IP blacklist is available here.

If you want to get an account for retrieving data, please contact us at cert @ telekom.de.

Notable Internal Projects

Some of our projects have been research driven proof-of-concepts that never reached a status worth publishing, others were fulfilling purely internal purposes. However, to give you an idea of what we do for the Early Warning System of Deutsche Telekom, we wanted to mention the following projects.

sicherheitstacho.eu - securitydashboard.eu

The “Sicherheitstacho” / “Securitydashboard” is our eye-candy vizualization frontend that displays live cyberattacks in a manager-friendly way. It provides live statistics from the sensor network we setup in the last years.
… but of course, we also have a more technical system suitable for some analysis. ;-)

honeypi - Raspberry PI Honeypots

We are all fans of cool technologies, and we love playing with new toys. When the Raspberry PI got released, we built a custom ISO image with preinstalled dionaea, honeytrap and kippo. We added central management to the system using puppet, and rolled out approx. 80 to the international subsidaries of Deutsche Telekom. It was our first try to create low-efffort, easy-to-deploy honeypots to broaden our sensor base.

We further added a display that provides some statistics and later a touchscreen .

As the image is configured to be used internally, we have not planned to make it publicly available.

Smartphone Honeypots

In early 2011 we setup a mobile honeypot project wich simulates the network footprint of smartphones (iOS and Android). kippo was modified so that the filesystem and commands matched those of an Android device as well as a jailbroken iPhone. Other honeypot daemons like dionaea and honeytrap were added. After attaching them to the 3G network, they were able to capture some device-specific attacks, e.g. some attack directly aiming for the addessbook and photos of the jailbroken iPhone.
Some results are documented here. Further, if you understand German, you can find some more information including a short video here.

honeydroid - Android Honeypot

As a proof-of-concept, we modified Android phones so that their cellular network stack acts as a honeypot and displays some attack statistics. And yep, there’s an app for that (kindof). German speaking people can find some more background information here.

RDP Honeypot

We are currently developing a RDP honeypot that captures RDP scans and login attempts.

CVEmapper

Another project we have been working on is the CVEmapper. The CVEmapper takes information sumitted by our EWSposter as input and tries to determine if a known vulnerability (CVE) is currently being exploited.