APNIC Pty Ltd.

01/14/2026 | Press release | Distributed by Public on 01/13/2026 17:31

What we learned from 63,000 attacks in 12 days on APNIC Honeynet sensors at University of Dhaka

When we deployed the APNIC Honeynet sensor at the University of Dhaka, we anticipated attack traffic but weren't prepared for the scale: Over 63,000 attacks from 4,262 unique IP addresses in just 12 days. This experience provided valuable insights into the threat landscape facing educational institutions in our region.

This article shares our deployment experience, key findings, and why threat intelligence gathering deserves a place in every network operator's security toolkit.

Understanding the APNIC Honeynet

The APNIC Honeynet Project is a distributed honeypot initiative that started in 2018. A honeypot acts as a decoy system, deliberately presenting vulnerabilities to attract malicious traffic while keeping production systems safe. The collected data contributes to regional threat intelligence in the form of actionable feeds to APNIC's DASH and partners, including the ShadowServer Foundation and national Computer Emergency Response Teams (CERTs). In short, the data collected provides the starting point for remediation and deeper analysis by security teams.

While standalone honeypots like Cowrie, Dionaea, or Kippo are excellent tools, they typically require extensive manual configuration, keep data isolated, and lack regional threat context.

The APNIC Honeynet builds on proven technologies, primarily Cowrie for SSH/Telnet interaction. A Docker-based architecture with automated configuration makes it simple to deploy APNIC Honeynet sensors, with expert support from APNIC's security team and operator community.

APNIC's infrastructure aggregates data from all sensors, and consistent configuration enables meaningful regional comparisons.

Why a Honeypot at the University of Dhaka?

Universities face unique security challenges. We administer our IP address spaces, have diverse user communities, valuable data, and limited security resources relative to the attack surface. Understanding real threats targeting our infrastructure is essential, and contributing to regional security efforts aligns with our institutional values.

I first came across the APNIC Honeynet project during the SANOG 40 Network Security/DNSSEC Workshop held in Colombo, Sri Lanka. The concept of collaborative threat intelligence immediately resonated - an opportunity to contribute to regional security while gaining practical insights into our own threat landscape.

Laying the technical foundation with expert support

At the Phoenix Summit 2025 Workshop on Cyber Threat Hunting with Honeypots, I met Adli Wahid, APNIC's Senior Internet Security Specialist. His practical insights and direct support made deployment straightforward.

We hosted the sensor container on an Ubuntu virtual machine (VM) with 1 CPU core, 2 GB of RAM, and 20 GB of storage for log retention. The VM was given a dedicated public IP address, with inbound traffic to ports 22 (SSH) and 23 (Telnet) left open.

Using Docker and Docker Compose with automation reduced manual configuration from a potential full day to under an hour. Altogether, we spent between two and three hours getting up and running.

The installation process had five steps:

  1. Coordination: Connected with APNIC and Adli Wahid.
  2. Infrastructure: Set up dedicated VM with Docker.
  3. Automated Setup: Ran the APNIC Honeynet sensor setup script configuring containers, honeypot parameters, network mappings, and backend connectivity.
  4. Verification: Confirmed sensor communication with APNIC infrastructure.
  5. Dashboard Access: Received monitoring credentials.

What we learned from turning the sensor on

In just twelve days, our sensor was hit 63,247 times by 4,262 unique source IPs, including five unique IP addresses from Bangladesh. Fourteen of those led to malware download attempts. The time to first attack was less than one hour, and we averaged ~5,270 attacks every single day!

After just twelve days running the honeypot sensor, here is what we learned:

  1. Discovery is immediate. Within one hour, we detected the first scanning attempts. Any exposed system will be found and probed within minutes - modern attack infrastructure makes this inevitable.
  2. Basic security remains critical. Significant attacks used default or common credentials. Strong passwords, regular updates, and disabled unnecessary services remain critically important.
  3. Real data informs better decisions. Observing actual attack patterns enabled us to prioritize security improvements, update firewall rules intelligently, and enhance staff training with concrete examples.
  4. A safe environment is the best place to learn about threats. The honeypot provides invaluable hands-on learning for our security team without risking production systems.
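As an added example (not part of the original article or APNIC's tooling), the script below derives the same kinds of figures reported above, namely connections, unique source IPs, most-tried credentials and download attempts, from Cowrie-style JSON events. The log lines are constructed, and the field names assume Cowrie's standard JSON logging; the article does not describe how the APNIC sensor stores or exposes its logs.

```python
import json
from collections import Counter

# Constructed sample in Cowrie's JSON log style (one event per line).
# Addresses are documentation ranges; the last line is deliberately truncated.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "session": "s1", "protocol": "ssh"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "session": "s1", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.success", "src_ip": "192.0.2.10", "session": "s1", "username": "root", "password": "admin"}
{"eventid": "cowrie.session.file_download", "src_ip": "192.0.2.10", "session": "s1", "url": "http://198.51.100.7/sample.bin", "shasum": "constructed-placeholder"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "session": "s2", "protocol": "telnet"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "session": "s2", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "session": "s2", "username": "root", "password": "123456"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "session": "s3", "protocol": "telnet"}
{"eventid": "cowrie.login.fai
"""

def summarise(lines):
    """Reduce Cowrie-style events to the counts a sensor operator reports."""
    stats = {"connections": 0, "sources": set(), "by_protocol": Counter(),
             "credentials": Counter(), "accepted": Counter(),
             "downloads": [], "skipped": 0}
    for raw in lines:
        if not raw.strip():
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            stats["skipped"] += 1  # partial write or rotation mid-line
            continue
        kind, src = ev.get("eventid"), ev.get("src_ip")
        if kind == "cowrie.session.connect":
            stats["connections"] += 1
            stats["sources"].add(src)
            stats["by_protocol"][ev.get("protocol", "unknown")] += 1
        elif kind in ("cowrie.login.failed", "cowrie.login.success"):
            pair = (ev.get("username"), ev.get("password"))
            stats["credentials"][pair] += 1
            if kind.endswith("success"):
                stats["accepted"][pair] += 1  # guess the honeypot accepted
        elif kind == "cowrie.session.file_download":
            stats["downloads"].append((src, ev.get("url"), ev.get("shasum")))
    return stats

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    print(f"{s['connections']} connections from {len(s['sources'])} unique IPs")
    print("most-tried credentials:", s["credentials"].most_common(3))
    print("download attempts:", s["downloads"])
```

The most-tried credential pairs are the ones to check production systems against first, and the download list gives URLs and hashes to look for in proxy and endpoint logs.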

What you can do to stay ahead of cybersecurity threats

Twelve days and 63,247 attacks later, we are confident recommending some steps you can take to protect your own networks.

Strong security fundamentals are the best place to start. Many of the attacks we observed fail against basic security practices. And if you're not monitoring continuously, start. Threats operate 24/7. Continuous monitoring through Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) platforms, is essential.

When you're confident with the cybersecurity foundation you've laid, consider deploying threat intelligence sensors, like honeypots, to provide visibility into threats targeting your address space. The APNIC Honeynet Project makes this accessible even if you have limited resources available.

Where possible, use concrete examples for training. Real attack data makes security training more engaging and effective. Finally, cybersecurity is a group effort, so consider participating in community efforts. Shared data protects the broader regional community.

Proactive monitoring and continuous vigilance

We plan to continue operating our sensor long term, contributing to APNIC's regional threat intelligence while analysing patterns, correlating data with production logs, and sharing findings with other educational institutions in Bangladesh.

Our APNIC Honeynet deployment provided clear visibility into the threat landscape facing our university. Over 63,000 attacks in 12 days demonstrate that cyber threats are active, persistent, and highly automated.

For network operators considering threat intelligence initiatives, honeypots offer practical insights with reasonable resource requirements. The APNIC Honeynet makes participation accessible while contributing to regional security awareness.

The evidence is clear: Proactive monitoring and continuous vigilance are essential components of modern network operations. Every exposed system will be discovered and tested by the automated attack infrastructure. The question is whether you're watching when it happens.

We're grateful to be part of this community effort and look forward to contributing to regional security through continued participation. Organizations that are interested in participating in the APNIC Honeynet project can find more information on the APNIC website or contact APNIC directly. The project welcomes participants from across the Asia Pacific region.

Special thanks to Adli Wahid, whose expertise and automation scripts made this deployment straightforward and successful.

Md Mahedi Hasan serves as Network Engineer (Lead System & Cybersecurity) at the University of Dhaka's ICT Cell, where he has the privilege of supporting the digital infrastructure for over 50,000 users.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

APNIC Pty Ltd. published this content on January 14, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on January 13, 2026 at 23:31 UTC.