Skip to content

What is HYDRA

HYDRA is an SSH honeypot where every unknown command is processed by an LLM that generates a contextual, persistent response in real time.

Unlike traditional honeypots (Cowrie, Kippo) that rely on pre-scripted responses, HYDRA can answer any command an attacker types — including commands that have never been seen before.

Why traditional honeypots fail

An experienced attacker detects Cowrie in under 30 seconds:

Detection technique What gives it away
uname -r Returns a hardcoded, often outdated kernel version
/proc/1/cgroup Shows Docker container traces
/bin/./uname (Kinsing trick) Fails or returns different output than /usr/bin/uname
Arbitrary commands Returns errors or empty output instead of realistic data
Timing analysis Responses are instantaneous (no I/O latency)

How HYDRA solves this

  • LLM generation — llama-3.3-70b (via Groq) generates contextual responses for any unknown command. 65+ built-in commands handle common utilities natively (40 core + 25 network/process/system); everything else goes to the LLM with an LRU cache (200 entries, 5min TTL).
  • Virtual filesystem — A mutable VFS with Copy-on-Write isolation per session. See Virtual filesystem.
  • Anti-fingerprinting — SSH banner, kernel version, cgroup, auth delay — all carefully matched. See Anti-fingerprinting.
  • Personas — Three rotating high-value target simulations. See Personas.
  • PromptGuard — Silent detection of prompt injection attempts. See PromptGuard.
  • Feedback loop — Self-improving lures and prompts based on attacker behavior. See Feedback loop.

The command pipeline

Every command typed by an attacker passes through a 9-step pipeline in the CommandRouter:

graph TD
    A[Raw input] --> B[1. Sanitize]
    B --> C[2. PromptGuard score]
    C --> D[3. Alias/expand]
    D --> E[4. Split compound commands]
    E --> F[5. Detect pipes]
    F --> G[6. Classify built-in vs LLM]
    G --> H[7. Execute]
    H --> I[8. Mutate VFS state]
    I --> J[9. Log + MITRE tag]
  1. Sanitize — Normalize Unicode, strip ANSI escape sequences, handle null bytes
  2. PromptGuard — Score command for injection likelihood (0.0–1.0)
  3. Expand — Resolve aliases, expand ~ and environment variables
  4. Split — Handle ;, &&, || compound commands
  5. Pipes — Detect and chain piped commands (cmd1 | cmd2 | cmd3)
  6. Classify — Route to built-in handler or LLM
  7. Execute — Run the built-in or send to LLM with full VFS context
  8. Mutate — Apply filesystem side effects (mkdir, touch, rm, apt install)
  9. Log — Write structured JSONL event with MITRE ATT&CK tags

Side-effect registry

HYDRA tracks 25+ package installations realistically. When an attacker runs apt install nmap, the package is "installed" — subsequent which nmap returns /usr/bin/nmap, and nmap commands produce LLM-generated output. Supported packages include nmap, netcat, gcc, vim, htop, tmux, strace, gdb, tcpdump, john, hydra, nikto, sqlmap, masscan, gobuster, ffuf, and more.

Session classification

Not all sessions produce useful training data. The SessionClassifier filters traffic in real time:

Label Criteria Training?
bot_ephemeral Session < 5 seconds No
bot_exec_scanner No PTY, single exec command (e.g. uname) No
bot_dropper wget\|curl piped to sh, chmod +x, nohup pattern No
bot_recon PTY but < 3 commands, all discovery, < 20s No
likely_human PTY + > 20s + ≥ 1 non-discovery command + human signal Yes
unclassified Everything else Review

Only signal sessions (2.2% of total traffic) are forwarded to the PDX pipeline for training data generation.

Live classification

The classifier runs both in real time during the session (classify_live) and post-hoc at session end (classify_session). Live classification allows HYDRA to adjust response detail — signal sessions get richer, more detailed LLM responses to maximize engagement.

Session lifecycle

  1. Attacker connects to port 2222
  2. SSH handshake with anti-fingerprinting (banner, auth delay)
  3. Authentication accepted (any credentials — all logged)
  4. Persona selected randomly (fintech, crypto, or corp_ad)
  5. VFS fork created (Copy-on-Write from persona blueprint)
  6. Every command passes through the 9-step pipeline
  7. Each command is MITRE ATT&CK tagged + PromptGuard scored
  8. Session ends → classified as signal or noise → forwarded to PDX
  9. Feedback loop updates lures for future sessions

Graceful shutdown

HYDRA implements clean shutdown handling via SIGINT, SIGTERM, and SIGHUP signals. When shutdown is triggered:

  1. Priority 50 (business) — SSH server stops accepting new connections, active sessions are allowed to complete
  2. Priority 100 (support) — Health check server stops
  3. Priority 200 (logger) — Logger flushes and closes all file handles (last to close, captures errors from other callbacks)

The shutdown system uses an atexit registry with priority ordering — the logger always closes last to capture any errors from other cleanup callbacks.