Not Your Standard Use Case: Running a Honeypot Behind a BlackRidge TAC Gateway

By Eric Wedaa, Senior SysAdmin at Marist College

Most people in the security community typically run their honeypots totally exposed to the Internet. Here at Marist College we've turned that around and decided to see what happens to a honeypot that's protected by a BlackRidge TAC Gateway. Yes, protecting a honeypot sounds crazy, but read on.

What Are Honeypots and What Is LongTail?
For those who don't know, a honeypot is a server whose sole reason for existence is to log login attempts and other network activities of the "Bad Guys" or "Blackhats". This data is then analyzed to look for patterns, and to help reinforce network security. Honeypots can be on internal networks to show if somebody is already inside your network and is trying to take control of more servers on your network, or the honeypot can be on the Internet to log attempts from outside of your business or institution.

LongTail is the honeypot reporting site and software that Marist College is using. We already have several honeypots at various colleges and residential sites in various states of exposure to the Internet, so we decided to use LongTail to demonstrate just how well the BlackRidge TAC Gateway works.

Just How Bad Are The Attacks?
As expected, the servers that are wide open to the Internet are receiving the most login attempts, and in one case received an average of more than 31,000 ssh login attempts per day.

One of our servers recorded 94,877 ssh login attempts in a single day. This is for a server that has no DNS entry, no website running on it, and the only way in to the server is through ssh. This shows that the people running the ssh brute force attacks are just scanning the Internet looking for open servers and that even if you don't advertise your server, they will find it.

Even our IPS (Intrusion Protection System) lets some ssh login attempts through. On one day we received 3,768 ssh login attempts, well above the prior average of 30 per day for the entire time that server had been up.

You can see current ssh attack statistics for yourself at LongTail Log Analysis

How Does Our BlackRidge TAC Gateway Stackup?
So how does our BlackRidge TAC Gateway stackup compared to our IPS and just being exposed to the Internet? Since we installed the honeypot and started recording our data, we have received 0 (zero, zip, nada, zilch) ssh probes and unauthorized ssh login attempts. The BlackRidge TAC Gateway allows only identified and authorized traffic through the gateway. Anonymous or unauthorized connection attempts are blocked by the BlackRidge TAC Gateway and the honeypot server's ports cannot be scanned, so the honeypot is essentially cloaked from the internet. (Full, live log data for the BlackRidge protected server).

In fact, because the BlackRidge TAC Gateway was so effective, we added three extra reporting lines to the BlackRidge reporting page.

1. Raw data before the BlackRidge protection was turned on -this page shows the ssh login attempts to the server protected by the BlackRidge TAC Gateway before the gateway was installed.

2. Raw data after the BlackRidge protection was turned on - this page shows that there is no traffic getting to the server. In fact, we added a cron job to send a message to the log to show that the server is still online.

3. Allowed inbound ssh after the BlackRidge protection was turned on. This page shows the inbound traffic that was allowed by the BlackRidge TAC Gateway. (In this case, traffic from This was done to demonstrate that we didn't just disable inbound ssh on this server.

Using ssh as an example we have shown that the BlackRidge TAC Gateways entirely protect the target system from unauthorized TCP traffic. No probes, no connections, no fingerprinting the system to see what it is. There are even options to block ICMP traffic so that the "Bad Guys" can't even ping the IP address to see if something is there. By blocking unauthenticated TCP packets, it protects not just ssh, but it protects against a wide range of network mischief like network scanning, DDOS attacks, SYN floods, lateral movement of malware, and even malicious traffic to a protected webserver.

Marist College and BlackRidge Technology have a cyber security research partnership to develop advanced cybersecurity capabilities.