Inspiration

Every server you put on the internet gets brute-forced within minutes — we watched it happen to ours. Traditional defense is all about building a higher wall, and walls eventually fall. So we asked a different question: what if breaking in gained the attacker nothing? That led us to Honey Encryption (Juels & Ristenpart, 2014), where every wrong key decrypts to a believable fake — and to the idea of wiring it to a real honeypot and showing the whole battle, live, on a globe.

What it does

Chaff is a live cyber-deception battlestation. It runs a real honeypot exposed to the internet and visualizes the actual brute-force attacks hitting it from around the world on a real-time 3D globe. The "vault" attackers are trying to crack is protected by Honey Encryption: every password, right or wrong, decrypts to a different, completely believable server credential, so offline brute force yields nothing. An attacker can crack the vault a million times and never know whether any result is real. We even drown them in fakes on demand ("Run dictionary attack"), and let anyone in the room try to "Spot the Real Secret" from a lineup of decoys. Nobody can, because the decoys are drawn from the same distribution as the real credential: the only signal left is to try a candidate against a real system, and that is a detectable act.

How we built it

  • Honeypot (real): a Cowrie SSH/Telnet honeypot on a Google Cloud VPS. We redirected port 23 → Cowrie with iptables, and within minutes real bots worldwide began hammering it.
  • Backend: Python + FastAPI tails Cowrie's JSON log, geolocates each attacker IP with MaxMind GeoLite2, and streams events to the browser over WebSocket. A built-in simulator is the offline fallback.
  • Frontend: React + Vite + react-globe.gl (three.js) — the live globe, leaderboards, and the interactive vault.
  • Crypto core: a Distribution-Transforming Encoder (DTE) maps the real secret into a uniform 40-bit seed space; we derive a 40-bit pad from the password with PBKDF2-HMAC-SHA256 and store ciphertext = (seed + pad) mod 2^40. Decryption computes (ciphertext - pad) mod 2^40, which lands in the seed space for every candidate password, and the DTE's decoder is total over that space, so any key yields a well-formed, believable credential and there is no "bad key" error for an attacker to use as an oracle; only the real password recovers the truth. It's unit-tested.
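The log-to-event pipeline behind the globe, as an added example rather than Chaff's backend code: it parses Cowrie's JSON log lines into login-attempt events, skips the non-JSON junk a tailer can hit mid-write, applies a profanity mask before anything reaches the browser, ranks attackers per source IP for the leaderboard, and resolves the LIVE / SIMULATED source in a way that refuses to fall back silently. Cowrie's field names (eventid, src_ip, username, password, timestamp, session) are real; the sample log lines, the blocklist and the CHAFF_SOURCE / CHAFF_COWRIE_LOG variable names are constructed assumptions. Geolocation is left out because it needs the GeoLite2 database on disk.

```python
"""Cowrie JSON log -> attack events -> leaderboard, with profanity mask and a
loud LIVE / SIMULATED source check. Added example, not Chaff's own backend."""
import json
import os
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of Cowrie's JSON log, one object per line, plus one
# non-JSON line standing in for protocol junk or a partially written record.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51234,"dst_port":2223,"session":"a1b2c3","protocol":"telnet","timestamp":"2025-01-01T00:00:01.000000Z","message":"New connection"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2025-01-01T00:00:02.000000Z","message":"login attempt [root/admin] failed"}
{"eventid":"cowrie.login.failed","username":"root","password":"damn1234","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2025-01-01T00:00:03.000000Z","message":"login attempt [root/damn1234] failed"}
{"eventid":"cowrie.login.failed","username":"root","password":"xc3511","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2025-01-01T00:00:04.000000Z","message":"login attempt [root/xc3511] failed"}
<< telnet IAC junk, not JSON >>
{"eventid":"cowrie.login.failed","username":"admin","password":"1234","src_ip":"198.51.100.23","session":"d4e5f6","timestamp":"2025-01-01T00:00:05.000000Z","message":"login attempt [admin/1234] failed"}
{"eventid":"cowrie.login.success","username":"root","password":"root","src_ip":"198.51.100.23","session":"d4e5f6","timestamp":"2025-01-01T00:00:06.000000Z","message":"login attempt [root/root] succeeded"}
"""

BLOCKLIST = ("damn",)  # constructed stand-in; the project's real list is not on the page
_MASK_RE = re.compile("|".join(re.escape(w) for w in BLOCKLIST), re.IGNORECASE)

# Only these Cowrie events are brute-force attempts worth plotting.
LOGIN_EVENTS = {"cowrie.login.failed": False, "cowrie.login.success": True}


def mask_profanity(text):
    """Replace each blocklisted word with asterisks of equal length, so the
    masked string keeps the shape of what the attacker typed."""
    return _MASK_RE.sub(lambda m: "*" * len(m.group(0)), text)


@dataclass(frozen=True)
class AttackEvent:
    ts: str
    src_ip: str
    username: str
    password: str
    success: bool


def parse_events(lines):
    """Keep login attempts only; skip unparseable lines instead of crashing the tailer."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or rec.get("eventid") not in LOGIN_EVENTS:
            continue
        events.append(AttackEvent(
            ts=str(rec.get("timestamp", "")),
            src_ip=str(rec.get("src_ip", "")),
            username=mask_profanity(str(rec.get("username", ""))),
            password=mask_profanity(str(rec.get("password", ""))),
            success=LOGIN_EVENTS[rec["eventid"]],
        ))
    return events


def leaderboard(events, top=5):
    """Attempts per source IP, the ranking the globe's leaderboard shows."""
    return Counter(e.src_ip for e in events).most_common(top)


def resolve_source(env):
    """What the LIVE / SIMULATED badge and /api/source should report.
    SIMULATED only when requested explicitly; a live config whose log path is
    unreadable raises rather than silently demoting the demo to fake data."""
    if env.get("CHAFF_SOURCE", "live").lower() == "simulated":
        return "SIMULATED"
    path = env.get("CHAFF_COWRIE_LOG")
    if not path or not os.access(path, os.R_OK):
        raise RuntimeError(f"CHAFF_SOURCE=live but CHAFF_COWRIE_LOG={path!r} is not readable")
    return "LIVE"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for e in evs:
        print(e.ts, e.src_ip, f"{e.username}/{e.password}", "OK" if e.success else "fail")
    print(leaderboard(evs))
    print(resolve_source({"CHAFF_SOURCE": "simulated"}))
```

Two things worth keeping in mind when wiring this into the WebSocket feed: the mask is cosmetic, not a security control, so username and password strings must still be treated as attacker-controlled input all the way to the DOM (React's default text escaping is what keeps them from becoming stored XSS; never route them through dangerouslySetInnerHTML), and the source check should run at startup and fail loudly, because a badge that can quietly read SIMULATED while the room believes it is live defeats its own purpose.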

Challenges we ran into

  • A free 1 GB VM kept OOM-crashing during installs until we added swap.
  • Honey Encryption only works cleanly when the decoy space has a known distribution. We redesigned the DTE around server credentials (service / host / user / secret) over a power-of-two seed space, so every seed decodes to exactly one credential and wrong keys map to uniform, statistically indistinguishable fakes. This holds only as long as the real credential itself looks like a sample from that distribution; a real secret formatted unlike the decoys would stand out, so the vault must reject anything the DTE cannot encode.
  • Real attacker input is messy — it included profanity and protocol junk — so we added a profanity mask, and a LIVE / SIMULATED indicator (+ a /api/source endpoint) to prove on-screen the data is genuinely from the honeypot and to catch when a misconfigured env var silently fell back to the simulator.
  • Cross-platform polish: flag emoji don't render on Windows, so we bundled a Twemoji flag font; we also localized the earth texture so the demo runs fully offline.
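A compact, runnable version of the crypto core described under "How we built it" and of the credential DTE above, as an added example and not Chaff's implementation. Every component list has a power-of-two size, so the packed seed is exactly 40 bits and the decoder is total; the pad is PBKDF2-HMAC-SHA256 truncated to 40 bits and combined as seed + pad mod 2^40, as the page describes. The vocabularies, the six-character secret alphabet, the salt, the iteration count and the passwords are assumptions for illustration.

```python
"""Honey Encryption vault over server credentials: DTE + PBKDF2 pad.
Added example, not Chaff's code; vocabularies and parameters are constructed."""
import hashlib
import secrets

# Each component has a power-of-two number of values, so the packed seed is
# exactly 40 bits and *every* 40-bit integer decodes to some credential.
SERVICES = ["ssh", "mysql", "postgres", "redis", "smtp", "ftp", "rdp", "vnc"]        # 8  -> 3 bits
HOSTS = [f"10.0.{i}.{j}" for i in range(4) for j in (5, 12, 23, 44)]                 # 16 -> 4 bits
USERS = ["root", "admin", "deploy", "backup", "postgres", "ubuntu", "svc", "oracle"]  # 8  -> 3 bits
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"                                         # 32 -> 5 bits/char
SECRET_LEN = 6                                                                        # 30 bits
SEED_BITS = 3 + 4 + 3 + 5 * SECRET_LEN                                                # 40
MOD = 1 << SEED_BITS
PBKDF2_ITERS = 100_000  # constructed value; tune for your threat model


def dte_encode(cred):
    """(service, host, user, secret) -> 40-bit seed.
    Rejects anything outside the decoy space: a real secret the DTE cannot
    encode would be distinguishable from the fakes, so refuse it up front."""
    service, host, user, secret = cred
    if len(secret) != SECRET_LEN or any(c not in ALPHABET for c in secret):
        raise ValueError(f"secret must be {SECRET_LEN} chars from the DTE alphabet")
    seed = SERVICES.index(service)
    seed = (seed << 4) | HOSTS.index(host)
    seed = (seed << 3) | USERS.index(user)
    for c in secret:
        seed = (seed << 5) | ALPHABET.index(c)
    return seed


def dte_decode(seed):
    """40-bit seed -> credential. Total: never fails for 0 <= seed < 2**40."""
    chars = []
    for _ in range(SECRET_LEN):
        chars.append(ALPHABET[seed & 31])
        seed >>= 5
    user = USERS[seed & 7]
    seed >>= 3
    host = HOSTS[seed & 15]
    seed >>= 4
    service = SERVICES[seed & 7]
    return (service, host, user, "".join(reversed(chars)))


def pad_for(password, salt):
    """40-bit pad: PBKDF2-HMAC-SHA256 of the password, truncated to 5 bytes."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, dklen=5)
    return int.from_bytes(dk, "big")


def encrypt(password, cred, salt):
    return (dte_encode(cred) + pad_for(password, salt)) % MOD


def decrypt(password, ciphertext, salt):
    # Subtraction mod 2**40 always lands back in the seed space, so there is
    # no "wrong key" error path an attacker could use as an oracle.
    return dte_decode((ciphertext - pad_for(password, salt)) % MOD)


def is_well_formed(cred):
    service, host, user, secret = cred
    return (service in SERVICES and host in HOSTS and user in USERS
            and len(secret) == SECRET_LEN and all(c in ALPHABET for c in secret))


def lineup(ciphertext, salt, guesses):
    """What an offline brute-forcer sees: one plausible credential per guess."""
    return {pw: decrypt(pw, ciphertext, salt) for pw in guesses}


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # fresh random salt per vault
    real = ("ssh", "10.0.2.23", "deploy", "k7q2xm")
    ct = encrypt("correct-horse", real, salt)
    for pw, cred in lineup(ct, salt, ["correct-horse", "admin", "123456", "password"]).items():
        print(f"{pw:>14} -> {cred}")
```

Two caveats the construction makes visible. The fakes carry no signal only because the real credential was forced through the same encoder; any side information an attacker brings (they already know the target host, or the real secret's length) collapses the candidate set accordingly. And PBKDF2 cost buys time, not indistinguishability: the decoys stay uniform at any iteration count, but a weak password still lets an attacker reach the real seed quickly and then confirm it the only way left, by trying it against a live host.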

Accomplishments that we're proud of

  • It's real, end to end — real attackers, real geolocation, real cryptography. Not a mock-up. A pulsing LIVE badge and a /api/source check prove it.
  • We implemented Honey Encryption ourselves (DTE + PBKDF2), not a wrapper, with a passing test suite that verifies the core property.
  • The "you can't tell which is real" moment lands in five seconds, and it is a property of the construction, not theater: with uniform seeds and a total decoder, a wrong key's output carries no signal.

What we learned

  • Honey Encryption in practice: the hard part isn't the cipher, it's designing a DTE so that wrong keys yield a plausible distribution, not garbage.
  • Just how relentless the internet is — the globe filled with real Telnet brute-force within minutes of going live.
  • Deception is a legitimate, underused defensive posture: the strongest protection isn't only a taller wall — it's making the prize behind it worthless.

What's next for Chaff

  • AI-assisted analysis: feed captured attacker command sessions to an LLM to label intent (crypto-miner, botnet enrollment, recon).
  • Richer honey-encrypted loot: SSH private keys, .env files, database dumps.
  • Beacon decoys: detect when a stolen fake credential is later used elsewhere, turning the deception into an early-warning tripwire.
  • A multi-honeypot fleet feeding a shared threat-intelligence map.
