Costa Rican Honeynet Project

Bi-annual Status Report

May, 2007

1  Deployments

1.1  Current technologies deployed

A Honeynet based upon Roo CDROM. The honeypots are:

2  Findings

2.1  Highlight any unique findings, attacks, tools, or methods.

None at this time.

2.2  Any trends seen in the past six months.

Most of the attacks we have seen are related to port scanning (TCP 135, 139 and 445) and attacks on MS-SQL (TCP 1433). Most of these attacks are presumably performed by bots, as we do not have any SQL service running.
We have also seen FTP/SSH brute-force attacks, but none of them were successful.

3  Lessons learned

3.1  What new positive things can you share with the community, so they can replicate your success?

None at this time.

3.2  What new mistakes can you share with the community, so they don't make the same mistakes?

Regarding the Chinese Honeynet Project's advice about having good relations with ISPs, we did not pursue this. So, we have limited IP space and test conditions for implementing further scenarios such as a GDH node.

3.3  Are there any research ideas you would like to see developed?

None at this time.

4  Technology

4.1  What tools or functionality are we lacking, what do we need to work on?

None identified.

4.2  What new tools or technology are you working on?

None at this time.

4.3  Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?

We do not have any new tool to integrate.

5  Papers and presentations

5.1  Are you working on any papers to be published, such as KYE or academic papers?

We are working on introductory papers to raise awareness in our country about honeynets and their role in network security. In order to accomplish this, we are working on papers showing statistics about the attacks and trends seen on Costa Rica's public IPs.
We are trying to publish these papers in IT-related magazines and present them at network security seminars.

5.2  Are you looking for any data or people to help with your papers?

No, as the papers are not that deep, technically speaking.

5.3  Where did you publish/present honeypot-related material?

None at this time.

6  Organizational

6.1  Changes in the structure of your organization.

Costa Rica's structure has not changed since we applied for the probationary membership. However, we are trying to involve more students from local universities.

6.2  Your feedback on Alliance activities.

The support we got from the Alliance has been excellent. Also, the involvement of people in several aspects, both technical and administrative, shows the Alliance has a lot of opportunities to grow and pursue its objectives.

6.3  Any suggestions for improving the Alliance?

None at this time.

7  Goals

7.1  Which of your goals did you meet for the last six months?

We successfully implemented our first honeynet and started gathering information about trends.

7.2  Which of your goals did you not meet for the last six months?

We could not implement a GDH node, as we could not get the necessary infrastructure (mainly enough IP addresses).

7.3  Goals for the next six months

  1. Implement a functional GDH node.
  2. Implement a honeynet in the backbone network of one of the local ISPs.
  3. Raise awareness of network security in our country by presenting our findings at network security seminars.