CTU Hornet 65 Niner: A Network Dataset of Geographically Distributed Low-Interaction Honeypots
Description
CTU Hornet 65 Niner is a dataset of 65 days of network attack traffic captured on cloud servers used as honeypots, intended to help understand how geography may impact the inflow of network attacks. The honeypots were placed in nine different geographical locations: Amsterdam, London, Frankfurt, San Francisco, New York, Singapore, Toronto, Bangalore, and Sydney. The data was captured from April 28th to July 1st, 2024.

The nine cloud servers were created and configured following identical instructions using Ansible [1] on the DigitalOcean [2] cloud provider. The network capture was performed using the Zeek [3] network monitoring tool, which was installed on each cloud server. The cloud servers had only one service running (SSH on a non-standard port) and were fully dedicated to being used as honeypots. No honeypot software was used in this dataset.

The dataset is composed of nine scenarios:
- Honeypot-Cloud-DigitalOcean-Geo-1: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
- Honeypot-Cloud-DigitalOcean-Geo-2: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
- Honeypot-Cloud-DigitalOcean-Geo-3: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
- Honeypot-Cloud-DigitalOcean-Geo-4: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
- Honeypot-Cloud-DigitalOcean-Geo-5: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
- Honeypot-Cloud-DigitalOcean-Geo-6: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
- Honeypot-Cloud-DigitalOcean-Geo-7: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
- Honeypot-Cloud-DigitalOcean-Geo-8: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files
- Honeypot-Cloud-DigitalOcean-Geo-9: has 65 folders (YYYY-MM-DD), each containing 24 Zeek conn.log files and other Zeek files

References:
[1] Ansible IT Automation Engine, https://www.ansible.com/. Accessed on 08/28/2024.
[2] DigitalOcean, https://www.digitalocean.com/. Accessed on 08/28/2024.
[3] Zeek Documentation, https://docs.zeek.org/en/master/index.html. Accessed on 08/28/2024.
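An added example (not part of the dataset's resources): a minimal reader for conn.log records that profiles inbound connections per honeypot and finds the sources seen at every location. It assumes the logs use Zeek's default tab-separated format; the honeypot addresses, the sample rows and the function names are constructed for illustration.

```python
from collections import Counter

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "conn_state"]  # subset of Zeek's conn.log columns

def make_log(rows):
    """Build a constructed conn.log in Zeek's TSV layout as a list of lines."""
    head = ["#separator \\x09", "#fields\t" + "\t".join(FIELDS)]
    return head + ["\t".join(r) for r in rows] + ["#close\t2024-04-28-01-00-00"]

# Constructed sample: addresses are documentation ranges, not dataset values.
HONEYPOT_IP = {"Honeypot-Cloud-DigitalOcean-Geo-1": "192.0.2.10",
               "Honeypot-Cloud-DigitalOcean-Geo-2": "192.0.2.20"}
SAMPLE = {
    "Honeypot-Cloud-DigitalOcean-Geo-1": make_log([
        ("1714262400.1", "C1", "198.51.100.7", "40000", "192.0.2.10", "22", "tcp", "-", "S0"),
        ("1714262401.2", "C2", "198.51.100.7", "40001", "192.0.2.10", "23", "tcp", "-", "S0"),
        ("1714262402.3", "C3", "203.0.113.9", "51000", "192.0.2.10", "22", "tcp", "-", "S0")]),
    "Honeypot-Cloud-DigitalOcean-Geo-2": make_log([
        ("1714262400.5", "C4", "198.51.100.7", "40002", "192.0.2.20", "23", "tcp", "-", "REJ"),
        ("1714262405.0", "C5", "192.0.2.20", "33000", "203.0.113.53", "53", "udp", "dns", "SF")]),
}

def parse_conn_log(lines):
    """Yield one dict per connection, keyed by the names in the #fields header."""
    fields = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            values = line.split("\t")
            # Zeek writes "-" for unset values; map it to None.
            yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}

def inbound_profile(lines, honeypot_ip):
    """Count inbound connections per (port, proto) and collect source IPs."""
    ports, sources = Counter(), set()
    for rec in parse_conn_log(lines):
        if rec["id.resp_h"] != honeypot_ip:  # skip the server's own outbound traffic
            continue
        ports[(int(rec["id.resp_p"]), rec["proto"])] += 1
        sources.add(rec["id.orig_h"])
    return ports, sources

def shared_sources(profiles):
    """Source IPs seen by every honeypot in `profiles` (name -> (ports, sources))."""
    return set.intersection(*(s for _, s in profiles.values()))
```

To run it over the real data, pass each open conn.log file as `lines` together with that droplet's own address, and merge the per-file counters for each scenario.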
Steps to reproduce
This dataset used cloud server instances from DigitalOcean. All cloud servers have the same technical configuration:
a) Operating System: Ubuntu 23.10 x64
b) Instance Capacity: 1GB / 1 Intel CPU
c) Instance Storage: 25 GB NVMe SSDs
d) Instance Transfer: 1000 GB transfer

The servers were created and configured using Ansible [1]:
1. Create an account in DigitalOcean
2. Generate a DigitalOcean API Token
3. Store the API Token in a command line variable: export DO_API_TOKEN="do_..."
4. Download the resources folder included with this dataset
5. Access the resources folder, e.g.: cd /tmp/resources/
6. Add your SSH fingerprint, as uploaded to DigitalOcean, to the first Ansible playbook ('ssh_keys'): step_01_create_droplets.yml
7. Run the first Ansible playbook to create the droplets: ansible-playbook ansible_step_01_create_droplets.yml
9. Run the second Ansible playbook to configure the droplets: ansible-playbook ansible_step_02_configure_droplets.yml
10. Run the third Ansible playbook to configure the SSH service: ansible-playbook ansible_step_03_update_ssh_config.yml
11. IPv6 was enabled manually in the DigitalOcean droplet management console when these experiments were made
Funding
Ministry of the Interior
VJ02010020