Youpot

Youpot is a novel proxy-back honeypot, mainly used to catch worms and attackers that try to use hosts they have already compromised as proxies for further attacks against similar devices and services.

Making a convincing emulated honeypot (low- or medium-interaction, in the usual terminology) requires writing a good emulation of whatever the attacker wants to attack. This ranges from hard (re-implementing a complex service) to impossible (because the way a particular service works is undocumented).

Building a pure honeypot, one that runs a real, live instance of the service, is even harder: it requires running the real service, adding instrumentation to see what the attacker is doing, writing cleanup procedures for after each compromise, and so on.

We also don't know in advance which service a worm (or other attacker) is looking for. For example, if an attacker connects to telnet, we don't know which of the thousands of possible IoT devices it expects to find behind that port.

The Youpot project works around these limitations by proxying TCP traffic back to the host that connected to it, on the same port. The worm gets exactly the service it wants, on the platform it wants. No further harm is done: the connecting host was already attacked (it is the one running that service), and the honeypot never initiates a connection to any other host.

For many protocols, even proprietary ones, no prior protocol knowledge is needed: we can simply record the traffic as it passes through. Protocols with transport encryption, such as TLS or SSH, need a helper that man-in-the-middles the session so that the plaintext can be recorded.
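The proxy-back idea from the two paragraphs above, as an added example that is not Youpot's own code: an asyncio listener that, for every accepted TCP connection, connects back to the peer's IP address on the port the peer hit, pumps bytes in both directions, and records each chunk with its direction. The BusyBox-style banner and the `connect_port` override (used only so the attacker's "device" and the honeypot can share one loopback host in the demo) are constructed for this example; in real use the override is left unset and the connect-back port is always the port the attacker hit.

```python
"""Minimal proxy-back honeypot (added example in the style of Youpot, not
the project's own code).  Every TCP connection is proxied back to the host
that opened it, on the same port, and both directions are recorded."""
import asyncio
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 30.0     # seconds without traffic before a session is dropped
CONNECT_TIMEOUT = 10.0  # connect-back attempt to the attacker's own service


@dataclass
class Session:
    peer_ip: str
    port: int
    # (timestamp, direction, bytes); direction is "c2s", "s2c" or "error"
    records: list = field(default_factory=list)

    def log(self, direction, data):
        self.records.append((time.time(), direction, bytes(data)))


def connect_back_target(peername, sockname):
    """The proxy-back rule: the attacker's IP, on the local port it hit."""
    return peername[0], sockname[1]


async def _pump(reader, writer, session, direction):
    """Copy bytes one way, logging every chunk; close the far side at EOF."""
    try:
        while True:
            data = await asyncio.wait_for(reader.read(4096), IDLE_TIMEOUT)
            if not data:
                break
            session.log(direction, data)
            writer.write(data)
            await writer.drain()
    except (asyncio.TimeoutError, ConnectionError):
        pass
    finally:
        writer.close()


async def handle(client_r, client_w, sessions, connect_port=None):
    ip, port = connect_back_target(client_w.get_extra_info("peername"),
                                   client_w.get_extra_info("sockname"))
    if connect_port is not None:   # single-host demo only; never in production
        port = connect_port
    session = Session(ip, port)
    sessions.append(session)
    try:
        back_r, back_w = await asyncio.wait_for(
            asyncio.open_connection(ip, port), CONNECT_TIMEOUT)
    except (OSError, asyncio.TimeoutError) as exc:
        session.log("error", str(exc).encode())   # attacker has no such service
        client_w.close()
        return
    await asyncio.gather(_pump(client_r, back_w, session, "c2s"),
                         _pump(back_r, client_w, session, "s2c"))


async def serve(host, port, sessions, connect_port=None):
    return await asyncio.start_server(
        lambda r, w: handle(r, w, sessions, connect_port), host, port)


# --- constructed demo: a fake "already compromised device" the attacker runs ---
BANNER = b"BusyBox v1.30 login: "


async def _fake_device(reader, writer):
    writer.write(BANNER)
    await writer.drain()
    await reader.readline()                     # whatever the worm types
    writer.write(b"Login incorrect\r\n")
    await writer.drain()
    writer.close()


async def _demo():
    sessions = []
    device = await asyncio.start_server(_fake_device, "127.0.0.1", 0)
    dev_port = device.sockets[0].getsockname()[1]
    honeypot = await serve("127.0.0.1", 0, sessions, connect_port=dev_port)
    hp_port = honeypot.sockets[0].getsockname()[1]
    # The "attacker" connects to the honeypot and is served its own device.
    r, w = await asyncio.open_connection("127.0.0.1", hp_port)
    banner = await r.readexactly(len(BANNER))
    w.write(b"admin\r\n")
    await w.drain()
    reply = await r.readline()
    w.close()
    await asyncio.sleep(0.1)                    # let the pumps observe EOF
    honeypot.close()
    device.close()
    await honeypot.wait_closed()
    await device.wait_closed()
    return sessions[0], banner, reply


def demo():
    """Run the loopback demo; returns (recorded Session, banner, reply)."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    session, _, _ = demo()
    for ts, direction, data in session.records:
        print(f"{ts:.3f} {direction} {data!r}")
```

In the demo the honeypot and the attacker's "device" share 127.0.0.1, so the connect-back port is overridden; on a real deployment the listener is bound to the ports worth observing (23, 2323, 5555 and so on), `connect_port` stays `None`, and every chunk logged here would instead be written to a capture file keyed by peer IP and port.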

The implementation is here:
https://github.com/sq5bpf/youpot

README.md has additional information on how to install and use Youpot.

If you want to cite this work, please use the CITATION.cff file in this repository.