My First Honeypot: What I Learned from Running Dionaea



This content originally appeared on DEV Community and was authored by MaxHagl

Curiosity about real-world cyberattacks, like how huge botnets for DDoS attacks form, pushed me beyond the classroom. The only way to really learn was to spin up my own honeypot and watch the attackers come at me.

To reach my goal, I started out with Cowrie, then later moved on to Dionaea and integrated everything with Splunk + Tailscale. The first priority was security, so I moved the SSH port into the 53,000 range and set up Tailscale VPN to give my laptop a stable IP and restrict access.

I began with small Cowrie experiments, which went surprisingly smoothly aside from some networking and config hiccups. That success gave me the confidence to step up to Dionaea — a bigger challenge. Permissions became less of a roadblock thanks to what I’d learned with Cowrie, but getting Dionaea to log in JSON format was a real struggle. After a lot of trial, error, and research, I finally got it working.

Once I had Dionaea running, the real fun began: data collection. Within days, I was logging a steady stream of attacks—everything from brute-force attempts to malware samples trying to exploit outdated services. It was eye-opening to see just how fast and persistent attackers are, even against a small target.

{"connection": {"protocol": "httpd", "transport": "tcp", "type": "accept"}, "dst_ip": "172.18.0.2", "dst_port": 80, "src_ip": "37.187.181.5x", "src_port": 37228, "timestamp": "2025-08-20T00:20:20.528509"}

{"connection": {"protocol": "SipSession", "transport": "udp", "type": "connect"}, "dst_ip": "172.18.0.2", "dst_port": 5060, "src_ip": "97.78.124.17x", "src_port": 5060, "timestamp": "2025-08-20T00:23:26.750827"}

{"connection": {"protocol": "httpd", "transport": "tls", "type": "accept"}, "dst_ip": "172.18.0.2", "dst_port": 443, "src_ip": "80.82.77.20x", "src_port": 13527, "timestamp": "2025-08-20T00:35:28.323732"}

Raw logs by themselves weren’t very useful, so I brought Splunk into the workflow. Building dashboards let me visualize which IP ranges were hitting me, what ports they targeted, and how activity changed over time.

[Figure: Splunk dashboard showing top attacked ports]

Suddenly, the noise of thousands of lines of logs turned into patterns I could actually understand.

[Figure: Splunk dashboard showing top attacking IPs by country]

From there, I started experimenting with machine learning models to classify traffic and spot anomalies. The results weren’t perfect, but the process taught me how difficult and important feature selection, data labeling, and validation are in security.
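As an added example (not the author's code, and not part of Dionaea or Splunk), the following Python script does over a handful of records what the Splunk dashboards above do: top attacked ports, top source IPs and activity per hour. It then builds the per-source feature vectors that the classification experiments mentioned above would start from, and scores them with a plain z-score to show where a naive anomaly detector stands out and where it does not. The records are constructed in the same shape as the three shown above; the source addresses are documentation ranges rather than real attackers. It assumes that Dionaea connection records of type "listen" describe the honeypot's own sockets rather than attacker activity, and it tolerates a truncated trailing line, which is what you get when reading a log file that Dionaea is still writing.

```python
"""Turn Dionaea-style JSON connection records into dashboard aggregates
(top ports, top sources, activity per hour) and per-source feature vectors
for simple anomaly scoring. Added example; not Dionaea's or Splunk's code."""
import json
import math
from collections import Counter, defaultdict

# Constructed sample log in the shape of Dionaea's JSON connection records.
# Source addresses are RFC 5737 documentation ranges, not real attackers.
# The "listen" record and the truncated last line are deliberate edge cases.
SAMPLE_LOG = """\
{"connection": {"protocol": "httpd", "transport": "tcp", "type": "listen"}, "dst_ip": "0.0.0.0", "dst_port": 80, "src_ip": "", "src_port": 0, "timestamp": "2025-08-20T00:00:01.000000"}
{"connection": {"protocol": "httpd", "transport": "tcp", "type": "accept"}, "dst_ip": "172.18.0.2", "dst_port": 80, "src_ip": "198.51.100.7", "src_port": 37228, "timestamp": "2025-08-20T00:20:20.528509"}
{"connection": {"protocol": "SipSession", "transport": "udp", "type": "connect"}, "dst_ip": "172.18.0.2", "dst_port": 5060, "src_ip": "203.0.113.9", "src_port": 5060, "timestamp": "2025-08-20T00:23:26.750827"}
{"connection": {"protocol": "httpd", "transport": "tls", "type": "accept"}, "dst_ip": "172.18.0.2", "dst_port": 443, "src_ip": "198.51.100.7", "src_port": 13527, "timestamp": "2025-08-20T00:35:28.323732"}
{"connection": {"protocol": "smbd", "transport": "tcp", "type": "accept"}, "dst_ip": "172.18.0.2", "dst_port": 445, "src_ip": "192.0.2.44", "src_port": 51002, "timestamp": "2025-08-20T01:02:11.100000"}
{"connection": {"protocol": "smbd", "transport": "tcp", "type": "accept"}, "dst_ip": "172.18.0.2", "dst_port": 445, "src_ip": "192.0.2.44", "src_port": 51003, "timestamp": "2025-08-20T01:02:15.200000"}
{"connection": {"protocol": "mysqld", "transport": "tcp", "type": "accept"}, "dst_ip": "172.18.0.2", "dst_port": 3306, "src_ip": "192.0.2.44", "src_port": 51010, "timestamp": "2025-08-20T01:03:01.300000"}
{"connection": {"protocol": "ftpd", "transport": "tcp", "type": "accept"}, "dst_ip": "172.18.0.2", "dst_port": 21, "src_ip": "192.0.2.44", "src_port": 51020, "timestamp": "2025-08-20T01:03:40.400000"}
{"connection": {"protocol": "httpd", "transport": "tcp", "type": "accept"}, "dst_ip": "172.18.0.2", "dst_port": 80, "src_ip": "203.0.113.50", "src_port": 40001, "timestamp": "2025-08-20T02:10:00.000000"}
{"connection": {"protocol": "httpd", "transport": "tcp", "type": "accept"}, "dst_ip": "172.18.0.2", "dst_port": 80, "src_ip": "203.0.113.50", "src_port": 40002, "timestamp": "2025-08-20T02:10:05.000000"}
{"connection": {"protocol": "httpd", "transport": "tcp", "type": "ac
"""


def parse_records(text):
    """Parse one JSON object per line. Returns (records, dropped).

    Dropped lines are invalid JSON (a truncated tail is normal while Dionaea
    is still writing) and "listen" records, which are assumed to describe the
    honeypot's own sockets rather than an attacker.
    """
    records, dropped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            dropped += 1
            continue
        if rec.get("connection", {}).get("type") == "listen" or not rec.get("src_ip"):
            dropped += 1
            continue
        records.append(rec)
    return records, dropped


def top_ports(records, n=5):
    """Most-hit listeners, keyed transport/port so tcp/80 and tls/443 stay apart."""
    counts = Counter(f'{r["connection"]["transport"]}/{r["dst_port"]}' for r in records)
    return counts.most_common(n)


def top_sources(records, n=5):
    """Most active source IPs by connection count."""
    return Counter(r["src_ip"] for r in records).most_common(n)


def hourly_counts(records):
    """Connections per hour; the first 13 chars of the ISO timestamp are YYYY-MM-DDTHH."""
    return dict(Counter(r["timestamp"][:13] for r in records))


def source_features(records):
    """Per-source feature vector. A port scanner touches many distinct ports and
    protocols; a brute-forcer hammers one port. Raw connection count alone does
    not separate the two, which is why feature selection matters."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["src_ip"]].append(r)
    feats = {}
    for ip, recs in per_ip.items():
        feats[ip] = {
            "connections": len(recs),
            "distinct_ports": len({r["dst_port"] for r in recs}),
            "distinct_protocols": len({r["connection"]["protocol"] for r in recs}),
            "udp_share": sum(r["connection"]["transport"] == "udp" for r in recs) / len(recs),
        }
    return feats


def zscores(feats, feature):
    """Population z-score of one feature across all sources."""
    if not feats:
        return {}
    vals = [f[feature] for f in feats.values()]
    mean = sum(vals) / len(vals)
    std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
    if std == 0:  # every source looks alike; nothing stands out
        return {ip: 0.0 for ip in feats}
    return {ip: (f[feature] - mean) / std for ip, f in feats.items()}


def flag_outliers(feats, feature="distinct_ports", threshold=1.0):
    """Sources more than `threshold` standard deviations above the mean on one
    feature. A z-score is a crude detector: it is here to show the feature
    pipeline, not as a recommended model."""
    return sorted(ip for ip, z in zscores(feats, feature).items() if z > threshold)


if __name__ == "__main__":
    recs, dropped = parse_records(SAMPLE_LOG)
    print(f"{len(recs)} attacker connections, {dropped} lines dropped")
    print("top ports:", top_ports(recs, 3))
    print("top sources:", top_sources(recs, 3))
    print("per hour:", hourly_counts(recs))
    feats = source_features(recs)
    for ip, f in feats.items():
        print(ip, f)
    print("port-scan outliers:", flag_outliers(feats))
```

The z-score pass flags the source that touched the most distinct ports and nothing else, which is the right answer for this sample; on a few days of real data the mean shifts with every new mass scanner, which is exactly the labeling and validation problem the paragraph above describes.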

Through all of this, I didn’t just sharpen my technical skills—I learned persistence. Every config error, every broken dependency, and every weird edge case forced me to dig deeper, troubleshoot smarter, and keep going until I found a solution.

In the end, the project gave me a window into the real threat landscape, plus the confidence to tackle harder problems going forward.

