Hello again,
I’ve been enjoying my winter holidays for the last few weeks and got sniped by the blog post How I Reverse Engineered a Rust Botnet and Built a C2 Honeypot to Monitor Its Targets. The post talks about running a Docker API honeypot and how the author caught an interesting malware sample.
I got sniped not only due to the fun part of infiltrating the botnet, but the excuse of writing my own Docker API honeypot. Not because I’m particularly good or experienced in writing honeypots, but because I’ve been longing for an excuse for a side project which allows me to write some gruesome, god awful, terrible and unmaintainable Go code.
My newly found goal was to write a low interaction honeypot that simulates an unauthenticated Docker API. Before writing the honeypot I had to figure out how the Docker API actually behaves when interacting with it. To do so, I spent some quality time reading parts of github.com/moby/moby and the API docs.
I kept on iterating and deploying the honeypot while closely monitoring and recording incoming requests. When an endpoint was hit that resulted in a 404 error I went back to the API docs to read up on the endpoint and started implementing the endpoint and redeploying the honeypot. By repeating this process I gradually built up just enough functionality to mimic the Docker API.
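A minimal version of that iterate-and-log loop in Go, added here as an example and not the author's honeypot code: the handler answers GET /_ping and GET /version, logs every request, and answers anything else with the daemon-style 404 while tagging it UNIMPLEMENTED in the log so it can be looked up in the API docs and added before the next deploy. The version values and the 1.41 API version are constructed placeholders; port 2375 is the conventional unencrypted Docker API port.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"os"
	"strings"
)

// stripVersionPrefix drops a leading "/v1.xx" so "/v1.41/version" and "/version" share a route.
func stripVersionPrefix(p string) string {
	if strings.HasPrefix(p, "/v1.") {
		if i := strings.Index(p[1:], "/"); i >= 0 {
			return p[1+i:]
		}
		return "/"
	}
	return p
}

// NewHoneypot answers a few Docker Engine API endpoints and logs every request.
// Unknown paths get the daemon-style 404 body plus an UNIMPLEMENTED log line.
func NewHoneypot(logger *log.Logger) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/_ping", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Api-Version", "1.41")
		w.Write([]byte("OK"))
	})
	mux.HandleFunc("/version", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{ // constructed placeholder values
			"Version": "20.10.7", "ApiVersion": "1.41", "MinAPIVersion": "1.12", "Os": "linux", "Arch": "amd64",
		})
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		logger.Printf("UNIMPLEMENTED %s %s", r.Method, r.URL.Path)
		w.WriteHeader(http.StatusNotFound)
		w.Write([]byte(`{"message":"page not found"}`))
	})
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		logger.Printf("%s %s %s ua=%q", r.RemoteAddr, r.Method, r.URL.Path, r.UserAgent())
		r.URL.Path = stripVersionPrefix(r.URL.Path)
		mux.ServeHTTP(w, r)
	})
}

func main() {
	log.Fatal(http.ListenAndServe(":2375", NewHoneypot(log.New(os.Stdout, "honeypot ", log.LstdFlags))))
}
```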
After a few days of monitoring the honeypot with a crude tail -f /the.log, I tried implementing a monitoring stack for some eye candy. Since I’m not particularly experienced with any particular monitoring stack, I decided to steal get inspired and ended up with a combination of Prometheus, Promtail, Loki and Grafana. Here’s a snapshot of what the dashboard looked like during testing:
I’ll update this blog post (hopefully soon) with the most interesting things I’ve observed.
’til next time.
Update: 2026-01-09
- Observed “cetus”, a cryptojacking worm first seen around August 27, 2020.