The attack dynamics had significantly changed since DShield went into service 8 years ago. Web attacks are becoming more popular these days. The SANS ISC is releasing an alpha version of the DShield Web Honeypot today to extend DShield's visibility into this traffic. The intention of the web honeypot project is to harness multiple capture points run by volunteers for the collection of potentially harmful traffic on the web.
The goal of the Web honeypot project is inline with the original DShield project, the data collected through the sensors feed the Dshield web database where human volunteers as well as machines pour through the data looking for abnormal trends and behavior. In addition, we would like to use the honeypot data to measure web attack prevelance and find objective metrics to recommend protective measures. The data collected will also be shared with the research community upon request later this year and be made available in aggregated form via the DShield website.
Web site attacks had been on SANS' and ISC's radar screen for a long time. SANS had been offering education courses (DEV319, DEV422, DEV538, DEV542) on the defending and testing applications. The ISC produced diaries on multiple massive attacks on web applications. The addition of DShield Web Honeypot project is the next logical step in our effort in helping the community with defending from the web attacks.
The Web Honeypot project is led by Jason Lam and Johannes Ullrich with code contributed from various individuals. The project details and honeypot itself can be downloaded from here.