Intrusion Detection System and CSIRT.CZ
IDS (Intrusion Detection System) detects unauthorized access to it and captures the information about the machines from which the attempts for connection were made. One such a system is operated by CSIRT.CZ in cooperation with CESNET association.
In cooperation with CESNET Association we operate a system for detection of suspicious behaviour of systems connected to the Internet. IDS (Intrusion Detection System) detects unauthorized access to it and captures the information about the machines from which the attempts for connection were made. IDS operated on a LaBrea platform which is distributed under the GPL Licence. LaBrea uses address blocks that have not been assigned on the Internet yet. Therefore, 'healthy' machines have no reason to connect to such addresses. The system pretends that on these addresses are running regular functional machines and responds to connection attempts over TCP and ICMP echo (ping). IDS is trying to hold the communication as long as possible so attackers or infected machines can not do any harm elsewhere. This type of honeypots have a low level of interaction and therefore we are unable to detect what may be the reason for the connection. It might be infected computer with malware or user's typing error in IP address while making e.g. SSH connection or it might be part of security research. If you're not aware that communication to our honeypots took place we recommend to check the system's integrity and run the scan on malware's presence. If you are working on security research or for other reasons do not wish to receive these e-mails, please contact us at ids@csirt.cz. If we notice any suspicious attempts for connection from specific IP addresses, we inform the administrators of the network to which these IP addresses are assigned to. We do so from an e-mail address ids@csirt.cz.