South Africa Chapter Status Report for 2012


The ZA chapter has faced a busy year work-wise (non-HNP). As a relatively young chapter, organisation and recruitment are still very much on the agenda. Much of the work being done is also within the Security and Networks Research Group (SNRG) at Rhodes University, of which a number of us are members.

Chapter Members:

  • Barry Irwin - Current Chapter Lead
  • Matt Erasmus - in charge of the South African chapter pages on both and, although he is serving as a 'member at large' in Norway.
  • Leon van der Eijk - affiliated with ZA (Located in .NL)
  • Dennis Lemckert - affiliated with ZA (Located in .NL)
  • Benny Ketelsleger - affiliated with ZA (Located in .JP)
  • Etienne Stalmans - focusing on DNS based botnet detection
  • Samuel Hunter - has been doing research in visualization, and open source intelligence on inbound traffic sources

Changes to Chapter
The chapter had a bit of a shuffle in April when Matt took up an opportunity to move to colder climes and relocated to Norway. He stepped down as chair, and remains as a member at large. Barry has taken over as Chapter Lead. Leon, Benny and Dennis have become affiliated members since there are no Chapters in .NL and .JP respectively. Etienne and Samuel are final year MSc grad students working with Barry, who have recently gone on to join the working world as pentesters. There has been quite a bit of interest expressed within the ZA infosec community. More members are expected once we can work out some kinks in getting members added to the global list.

Worth mentioning is that those of us based at Rhodes University now have access to a real first-world network connection, with the University having finally received its link to the national research backbone in early October. This resulted in an upgrade of the University's internet pipe from 92Mbit to 10Gbit. Working on remote systems is now a LOT more viable. The ZA chapter core infrastructure will largely be relocated to this network in the coming months.


The following have been deployed within South African IP space:

  • Several Dionaea and Kippo instances - particularly in commercial ZA DSL space
  • A number of Dionaea and Kippo instances in Europe operated by Leon
  • While not strictly honeypots, there are also 6 /24 net blocks acting as network telescopes. A further two /24 blocks from recently allocated space to AfriNIC will be added in the new year. The intention is to seed some honeypot sensors into this space once suitable arrangements have been made with the parties providing bandwidth and hosting.

    Core research areas for the year have been:

    • Automated processing of Network Telescope Data - driven largely by Samuel and Barry

    • OSINT and fingerprinting of incoming probe sources on our sensors - Samuel (this has formed a significant portion of his MSc research)

    • Botnet C2 communications detection based on classification of fast-flux and generated domain names picked up from passively monitored DNS traces - driven by Etienne as part of his MSc research

    • Lots of back mining and tool-chain development relating to the large store of pcap data collected from telescope sensors. CaptureFoundry provides a very nice and fast means of doing quick explorations against large (30GB+) pcap datasets, using GPU offload.

    • Matt has done more tinkering with malware analysis

    Many of the details of the research carried out have been published in the papers listed below, but some highlights are:

    • Barry found some very interesting data relating to the Conficker outbreak while working through some historical logs, the details of which were published. Some similar analysis is currently underway around activity related to MS12-020 (RDP exploitation), which shows some surprisingly strong correlations across the five primary /24 Network Telescope blocks.
    • Etienne found some interesting correlations and fairly accurate and reliable methods for the detection of fast-flux botnet C2 infrastructure based on passive DNS query response analysis.
    • Samuel found some interesting techniques for tracking compromised hosts across dynamic IP space.
    • Considering our major sensor system is the network telescope infrastructure, top traffic remained 445/tcp, with substantial increases in SIP and RDP scanning. Some interesting preliminary data has been gathered on the "time to evil", relating to fresh allocations of top-level /8 network blocks by IANA, and the transition from 'bogon' to potentially valid space.

    While not a data finding, it is worth mentioning that we have run into some resistance from some organisations in setting up honeypots. Suggestions or success stories from other chapters would be appreciated!

    A number of papers have been written and presented. Most of these relate to work being done in other forums, but with a distinct honeypot flavor. Copies of the majority of these are available online (otherwise ask Barry)

    • Irwin BVW. A Network Telescope perspective of the Conficker outbreak. In proceedings of Information Security South Africa (ISSA) 2012, Johannesburg, Gauteng, South Africa
    • Stalmans E & Irwin BVW. Geo-Spatial Autocorrelation as a Metric for The Detection of Fast-Flux Botnet Domains. In proceedings of Information Security South Africa (ISSA) 2012, Johannesburg, Gauteng, South Africa
    • Stalmans E, Hunter S, Irwin BVW & Richter JPF. An Exploratory Framework For Non-Aggressive Response to Hostile Network Traffic. 4th Workshop on ICT Uses in Warfare and the Safeguarding of Peace. Johannesburg, Gauteng, South Africa
    • Egan S & Irwin BVW. An Analysis and Implementation of Methods for High Speed Lexical Classification of Malicious URLs. Research in Progress paper. Information Security South Africa (ISSA) 2012.
    • Irwin BVW. Network Telescope Metrics. In proceedings of Southern African Telecommunications and Applications Conference (SATNAC) 2012. Fancourt Estate, George, South Africa.
    • Stalmans E, Hunter S & Irwin BVW. An exploratory Framework for Extrusion Detection. In proceedings of Southern African Telecommunications and Applications Conference (SATNAC) 2012. Fancourt Estate, George, South Africa.
    • Zeisberger S & Irwin BVW. A Framework for the static analysis of Malware focusing on signal processing techniques. Research in progress. Southern African Telecommunications and Applications Conference (SATNAC) 2012. Fancourt Estate, George, South Africa.
    • Egan S & Irwin BVW. Normandy: a framework for implementing high speed lexical classification of malicious URLS. Research in progress. Southern African Telecommunications and Applications Conference (SATNAC) 2012. Fancourt Estate, George, South Africa.
    • Nottingham AT, Irwin BVW. (2012) CaptureFoundry: a GPU accelerated packet capture analysis tool. SAICSIT 2012, Pretoria, South Africa
    • Irwin BVW. Botnet Identification and Remediation. BruCon 2011, Vrije Universiteit Brussel, Belgium
    • Irwin BVW. Sun Tzu and the honeypot: Military wisdom for Cyber Offense and Defense. Keynote presentation. BSides Cape Town, University of Cape Town. 2011
    • Irwin BVW. A framework for the application of network telescope sensors in a global IP network.

    A couple of other papers are underway, and should appear in early 2013. Samuel and Etienne should have their respective MSc theses, both with themes strongly related to HNP, published in early 2013.

    Primary Goals for 2013 are:

    • Further formalization of membership, roles and structure
    • Consolidated monitoring infrastructure
    • Regular fully automated report generation, and publishing
    • Deployment of some of the research tools in production and to a wider audience.

    Feedback received from discussions within the ZA infosec community is positive, and we look forward to growing membership, deployment infrastructure and awareness of the HoneyNet Project within Southern Africa in the coming year. There are several interesting projects lined up which some of Barry's postgraduates will be exploring in 2013.