Skip to content

yahnyshc/honeypot-ebpf

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
build
build
 
 
cmd/honeypot
cmd/honeypot
 
 
internal
internal
 
 
scripts
scripts
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

HoneyCon: Scaling Honeypot Networks Using Containers with eBPF

Overview

HoneyCon is a scalable, container-based honeypot framework leveraging extended Berkeley Packet Filter (eBPF) for high-performance, kernel-level traffic interception and redirection. Designed for adaptive threat monitoring and deception, HoneyCon dynamically scales honeypot instances in response to incoming network traffic, ensuring optimal resource utilization and minimal overhead.

Features

  • Dynamic Honeypot Deployment: Containers are created on demand to handle incoming malicious traffic.
  • eBPF-Powered Traffic Interception: Low-latency, in-kernel packet manipulation for real-time redirection.
  • Automated Load Balancing: Distributes network traffic across multiple honeypot instances.
  • Stateful Packet Tracking: Ensures seamless TCP session continuity.
  • Minimal Resource Overhead: Only active honeypot containers consume system resources.

Installation

Prerequisites

Ensure you have the following installed:

  • Go 1.20+
  • Docker 20.10+
  • eBPF-enabled Linux Kernel (5.10+ recommended)

Clone the Repository

git clone https://github.com/yahnyshc/honeypot-go-docker-ebpf
cd honeypot-go-docker-ebpf

Build and Run

HoneyCon includes a Makefile for streamlined development and deployment.

Build the Application

make build

This compiles the Go-based honeypot controller and generates eBPF artifacts.

Run the Application

make run

This starts the honeypot framework, dynamically intercepting and redirecting incoming traffic to containerized honeypots.

Clean Up

To remove build artifacts and terminate running containers:

make clean

Test the Application

curl ifconfig.me
curl public_ip:port

This lets you find out your public ip address and query it on port e.g 80 to get system reply.

Usage

HoneyCon listens for incoming network traffic and dynamically launches honeypots based on demand. The process includes:

  1. Packet Interception: eBPF captures and inspects packets at the kernel level.
  2. Service Lookup: Checks if a honeypot container exists for the target port.
  3. Dynamic Container Scaling: Deploys new honeypot instances as needed.
  4. Traffic Redirection: Packets are forwarded to the appropriate honeypot.

Architecture

HoneyCon consists of three main components:

  • eBPF Traffic Interceptor: Runs within the Linux kernel, capturing and redirecting packets.
  • Go-Based Honeypot Controller: Orchestrates honeypot container creation and management.
  • Dockerized Honeypots: Containerized decoy services that respond to attacker interactions.

Performance

Performance tests indicate:

  • eBPF-only packet processing: ~0.5ms per request.
  • Dynamic container creation overhead: ~1.15s on first request.
  • Load-balanced deployment: ~9,300 requests/sec handled efficiently.

Future Enhancements

  • Machine Learning-Based Attack Classification
  • Multi-Cloud & Distributed Deployments
  • Enhanced Attacker Profiling & Tracking

License

This project is licensed under the MIT License.

Contributing

Contributions are welcome! Please follow the standard GitHub workflow:

  1. Fork the repository.
  2. Create a new branch (feature/your-feature).
  3. Commit and push your changes.
  4. Open a pull request.

Contact

For inquiries or collaboration, please reach out via GitHub Issues.

About

Honeypot system with eBPF and container load balancing.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages