A honeypot is a server or protocol designed to mimic a real one for the purposes of capturing and analyzing network traffic for potential malicious activity. The idea is that “honeypot” relays would exist that attackers would find in public relay registries. The attacker would add the relay to their relay list and start sending malicious payloads through nostr. The attacker on their end would see “successful” events being transmitted, but in reality the honeypot is capturing, analyzing, and identifying potentially malicious pubkeys and events.

Longer term, this should be a module or drop-in to existing relays so that the network can continue to function as normal instead of the honeypot mimicking successful event responses. In the meantime, I wanted to build a POC so I could start testing, analyzing, and determining the best route to go to help secure the nostr network. While we have not seen any relays or data serialization issues currently, I imagine over time we will see buggy clients and relay binaries that need to be tested, identified, and patched.
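A minimal sketch of the relay-side behaviour the post describes, added here as an example and not the author's PoC code: it parses one NIP-01 client frame, answers `["OK", id, true, ""]` the way a healthy relay would, checks the event's structure and its sha256 id, runs regex rules over the content (the regex layer the replies mention), and records the connecting IP and pubkey for anything flagged. The rule patterns, the `handle_message`/`inspect_event` names and the log record layout are assumptions made for this example.

```python
import hashlib
import json
import re

# Constructed regex rules over event content, standing in for the PoC's regex layer.
# Placeholder patterns for illustration, not the honeypot project's actual rule set.
RULES = {
    "script_tag": re.compile(r"<script\b", re.I),
}
REQUIRED = {"id": str, "pubkey": str, "created_at": int, "kind": int,
            "tags": list, "content": str, "sig": str}

def compute_event_id(ev):
    """NIP-01 event id: sha256 of the canonical serialization (signature not checked here)."""
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode("utf-8")).hexdigest()

def inspect_event(ev):
    """Return finding labels for one event; an empty list means nothing was flagged."""
    findings = [f"malformed:{k}" for k, t in REQUIRED.items() if not isinstance(ev.get(k), t)]
    if not findings and compute_event_id(ev) != ev["id"]:
        findings.append("id_mismatch")  # id does not match the fields it claims to commit to
    for name, rx in RULES.items():
        if isinstance(ev.get("content"), str) and rx.search(ev["content"]):
            findings.append(f"rule:{name}")
    return findings

def handle_message(raw, client_ip, log):
    """Handle one client frame: reply like a healthy relay, append findings to `log`.
    Returns the JSON text to send back, or None when no reply is due."""
    try:
        msg = json.loads(raw)
    except ValueError:
        log.append({"ip": client_ip, "pubkey": None, "findings": ["invalid_json"]})
        return json.dumps(["NOTICE", "invalid: could not parse message"])
    if isinstance(msg, list) and len(msg) == 2 and msg[0] == "EVENT" and isinstance(msg[1], dict):
        ev = msg[1]
        findings = inspect_event(ev)
        if findings:
            log.append({"ip": client_ip, "pubkey": ev.get("pubkey"), "findings": findings})
        # Always acknowledge so the sender believes the event was accepted.
        return json.dumps(["OK", str(ev.get("id", "")), True, ""])
    if isinstance(msg, list) and len(msg) >= 2 and msg[0] == "REQ":
        return json.dumps(["EOSE", str(msg[1])])  # nothing stored, so end-of-stored-events at once
    if isinstance(msg, list) and msg and msg[0] == "CLOSE":
        return None
    log.append({"ip": client_ip, "pubkey": None, "findings": ["unknown_frame"]})
    return json.dumps(["NOTICE", "unsupported message"])
```

Wire `handle_message` to each WebSocket text frame of the relay listener and the sender sees only successful replies while every flagged pubkey and source IP ends up in `log`.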

Discussion

This is v cool. nostr needs to be protected at all costs. Wondering what sort of analysis you're running to detect malicious messages? Spam filtering?

I agree! It's regex for the proof of concept, but I plan to add the code I have in my spam detector tool to the honeypot for burst messages/other attacks, and then add further detection at the packet level.

When talking about packet level, is that the IP of the poster and things like that?

Somewhat - I can already pull the connecting IP and headers for the relay WebSocket connection easily. I'm talking more about dissecting the packet contents themselves versus using regex to parse the JSON payload.

Yes, that makes more sense! Might have to play around with the git repo later this week.

Additionally - once I have a good detection system running, the next organic tool would be a penetration testing tool that does things like malformed JSON & signatures, OWASP attacks, etc.