Icarus Project Update

I last wrote about Icarus when it was first released a year ago.

Icarus is a honeypot project that pretends to be a Microsoft Exchange and File Services server running various common services. My AbuseIPDB profile contains a summary of all IPs I've caught using Icarus. China, Russia and the USA show up often among the attackers, though virtually every country appears on the list.

While the original project only covered email, I have since added SNMP and a console user interface built with curses (Python's binding to the terminal UI library of the same name, so a text-mode interface rather than a graphical one). SNMP attracts very little attention, so it hasn't borne much fruit. The curses interface, however, was a challenge: programming user interfaces is notoriously difficult, but Python makes curses easy and fun to use.

I added logging to collect attackers' details, which is especially useful if you are not using AbuseIPDB, because not all organizations are allowed to send this information externally. On the flip side, contributing to AbuseIPDB is very valuable to the community. I also wrote a Dockerfile that builds the honeypot inside a Docker container: if the honeypot itself turns out to be vulnerable, the container limits what an attacker who breaks into it can reach. A container is not a substitute for hardening the host, though, so run it as an unprivileged user, with no extra capabilities and nothing sensitive mounted in.

The most recent additions were CIFS/SMB and FTP, and they drove a drastic increase in the number of attackers. The project has grown from a basic framework into a feature-rich honeypot. Though none of the add-on services were planned, each brings a new element of complexity and draws new attention to Icarus.
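The attacker logging and AbuseIPDB contribution described above, and the FTP service that brought the surge, together as an added example. This is my illustration, not Icarus's own code: a minimal FTP control-channel handler that refuses every login, records each USER/PASS pair as a JSON line, and turns a session into the form fields for one AbuseIPDB report. The banner, the log field names, the sample session and the peer address are assumptions. The report URL, header names and category IDs are as I recall them from AbuseIPDB's public API documentation and should be checked against the current list before use.

```python
"""Added example, not Icarus code: FTP-style honeypot session handler,
JSON-lines attacker log, and AbuseIPDB report builder (offline)."""
import io
import json
from datetime import datetime, timezone

# Assumed values (the honeypot pretends to be a Microsoft server).
BANNER = "220 Microsoft FTP Service"
# AbuseIPDB v2 report endpoint; category IDs 5 = FTP Brute-Force,
# 18 = Brute-Force (verify against AbuseIPDB's current category list).
ABUSEIPDB_REPORT_URL = "https://api.abuseipdb.com/api/v2/report"
FTP_BRUTE_FORCE_CATEGORIES = "5,18"


def handle_ftp_session(peer_ip, peer_port, commands, now=None):
    """Simulate one FTP control-channel session.

    `commands` is the list of lines the attacker sent (decoded, CRLF
    stripped). Every login is refused, so the attacker keeps guessing and
    each USER/PASS pair becomes a logged event. Returns (responses, events).
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    responses = [BANNER]
    events = []
    pending_user = None
    for raw in commands:
        verb, _, arg = raw.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            pending_user = arg
            responses.append(f"331 Password required for {arg}.")
        elif verb == "PASS":
            events.append({
                "timestamp": ts,
                "service": "ftp",
                "src_ip": peer_ip,
                "src_port": peer_port,
                "username": pending_user or "",
                "password": arg,          # kept locally only, never reported
                "result": "login_failed",
            })
            responses.append("530 User cannot log in.")
            pending_user = None
        elif verb == "QUIT":
            responses.append("221 Goodbye.")
            break                         # nothing after QUIT is processed
        else:
            responses.append("500 Syntax error, command unrecognized.")
    return responses, events


def events_to_jsonl(events):
    """Serialise events as JSON lines, one object per line, keys sorted so
    the log is grep- and diff-friendly."""
    return "".join(json.dumps(ev, sort_keys=True) + "\n" for ev in events)


def write_events(events, fp):
    """Append the session's events to an open text file (the local log)."""
    fp.write(events_to_jsonl(events))


def abuseipdb_report(events):
    """Build the form fields for one AbuseIPDB /report call from a session.

    Passwords stay in the local log only: the comment carries counts and
    usernames, so a guessed credential that happens to be real for someone
    else is never published.
    """
    if not events:
        raise ValueError("no events to report")
    ip = events[0]["src_ip"]
    users = sorted({ev["username"] for ev in events})
    comment = (f"FTP brute force against honeypot: {len(events)} failed "
               f"logins, usernames tried: {', '.join(users)}")
    return {
        "ip": ip,
        "categories": FTP_BRUTE_FORCE_CATEGORIES,
        "comment": comment[:1024],        # AbuseIPDB caps comment length
        "timestamp": events[0]["timestamp"],
    }


if __name__ == "__main__":
    # Constructed sample session, not a real capture (documentation IP range).
    sample = ["USER administrator", "PASS Password1",
              "USER administrator", "PASS admin123", "NOOP", "QUIT"]
    responses, events = handle_ftp_session("198.51.100.23", 51234, sample)
    print("\n".join(responses))
    log = io.StringIO()
    write_events(events, log)
    print(log.getvalue())
    print(abuseipdb_report(events))
```

Sending the report is a single call, left out so the block runs offline: `requests.post(ABUSEIPDB_REPORT_URL, headers={"Key": api_key, "Accept": "application/json"}, data=fields)`. Build one report per session rather than one per password attempt, since AbuseIPDB limits how often the same IP can be reported, and keep the full log (with passwords) internal, which is exactly the local-only mode an organization that cannot share externally would run.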

My main goal was to learn Python and Git, so I consider it a success. I am applying what I learned from Icarus to new endeavours: for example, I have written a scanner that runs through LARG*net's 250,000 IP addresses looking for attackers. A single run takes 9 days, but correlating its results with the IPs Icarus has caught will let us alert our membership if any of their hosts are attacking anyone.