Create an Army of Raspberry Pi Honeypots on a Budget

July 30, 2014 | Aaron Shelmire

Hi! My name is Nathan Yee and I’m an intern at ThreatStream. I’m studying computer science and mathematics at the University of Arizona. Most recently, I worked on deploying a Raspberry Pi as a Dionaea honeypot for the recently announced Modern Honey Network project.

Why Internal Honeypots?

Let’s start with a plausible scenario. A colleague opens a link from an email which promises pictures of cute puppies, but the link actually delivers malware that installs an advanced persistent threat (APT) kit. Now, the attacker has access to the compromised machine and our internal network. She begins scanning the network to start the covert information gathering process and to find additional exploitable machines.

Organizations typically focus on monitoring inbound and outbound network traffic via firewalls, yet ignore internal network traffic due to the complexity involved. In the scenario above, a firewall will not protect or alert us.

By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor. Because there is no good reason to interact with the sensor (it doesn’t do anything), activity on the Raspberry Pi is usually indicative of something roaming around our network and a possible security breach.
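The triage idea above, as an added example that is not part of the original post or of MHN: it ranks internal sources by how many distinct sensor and port pairs they touched, and skips authorized scanners. The event layout, sensor names, address ranges, allowlist and threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events: (sensor name, source IP, destination port).
# This layout is an assumption for the example, not an MHN or Dionaea format.
EVENTS = [
    ("pi-floor1", "10.0.4.23", 445),
    ("pi-floor1", "10.0.4.23", 135),
    ("pi-floor2", "10.0.4.23", 445),
    ("pi-dc",     "10.0.4.23", 3306),
    ("pi-floor2", "10.0.9.5",  445),    # authorized vulnerability scanner
    ("pi-floor1", "10.0.7.80", 80),     # single touch, e.g. a mistyped address
    ("pi-dmz",    "203.0.113.9", 22),   # external source, out of scope here
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
KNOWN_SCANNERS = {"10.0.9.5"}                          # assumed allowlist


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(events, min_targets=3):
    """Rank internal, non-allowlisted sources by distinct (sensor, port) pairs touched."""
    touched = defaultdict(set)
    for sensor, src, port in events:
        if is_internal(src) and src not in KNOWN_SCANNERS:
            touched[src].add((sensor, port))
    report = []
    for src, pairs in touched.items():
        sensors = {s for s, _ in pairs}
        # Many distinct targets looks like the scanning step in the scenario;
        # a single touch still deserves a look, since the sensor offers nothing.
        level = "likely-scan" if len(pairs) >= min_targets else "investigate"
        report.append((src, len(sensors), len(pairs), level))
    return sorted(report, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for src, n_sensors, n_pairs, level in triage(EVENTS):
        print(f"{src:12} sensors={n_sensors} targets={n_pairs} {level}")
```

Keeping the allowlist short and reviewed matters here, because any address on it becomes a blind spot for the sensors.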

Why Raspberry Pi?

We wanted to use a Raspberry Pi as a honeypot because of its low profile, minimal power consumption, and most importantly, it’s CHEAP! Understandably, not everyone has a big budget to spend on monitoring things like internal network traffic. Raspberry Pi devices are cost effective, so it is realistic to add 30 network sensors, which would cost around $1,000. Imagine (and experience for yourself) how powerful it is to add this kind of tooling to your security arsenal (or your house)!

MHN + Raspberry Pi = #WINNING

When we released MHN, it included the capability of deploying four types of honeypots: Dionaea, Kippo, Snort, and Conpot. These are deployed across servers worldwide to collect a diverse set of threat intelligence indicators.

We want to make the process of adding a Raspberry Pi to an MHN system easy and painless. It is my hope I’ve been successful here. It’s as simple as running a single command. Last week I created a step-by-step tutorial with lots of pictures that covers the process from start to finish.

If you have any comments, questions, or feedback, feel free to contact us. We created the Raspberry Pi and MHN integration to help others with an important but often overlooked aspect of network security. Stay tuned for more as this project continues to evolve!

About the Author

Aaron Shelmire

Aaron began work in the security field after machines he was responsible for were compromised in the 2004 Stakkato Intrusions. At this point he went to graduate school at Carnegie Mellon University's Heinz College for Information Assurance, where he currently holds an adjunct position teaching Network Security Analysis. He has been a security researcher at the Software Engineering Institute's CERT/CC initiative and Dell SecureWorks, with a focus on responding to and analyzing threat intelligence.
