Helios honeypot network
Honeypot traffic tied to proxy exits.
Helios records traffic that reaches Synthient decoy endpoints over HTTP, TLS, DNS, and Android Debug Bridge. Each capture includes the source IP, target, protocol details, timestamp, and provider attribution.
- Surfaces: HTTP, TLS, DNS, ADB
- Ports: 80, 443, 53, 5555
- Delivery: NDJSON stream and bulk feed
- Attribution: proxy_ip joins to Lookup
Start with one capture, then group related traffic.
The animation shows one observed request, similar devices using the same proxy path, and the countries and providers involved. It is a visualization of Helios records.
Helios captures live botnet traffic as it moves through a real proxy path.
Four protocols, one record format.
Helios captures HTTP, TLS, DNS, and Android Debug Bridge traffic. Each record keeps the timestamp, source IP, target, protocol fields, and provider attribution needed for review.
GET /api/v4/feeds/helio/http/stream
HTTP captures
Plaintext decoys capture method, path, headers, and raw request bytes.
- Port: 80
- Protocol: http
- Join key: meta.proxy_ip
Every capture shares this envelope: when it happened, the tunnel, the impersonated host and port.
Read Helios captures as NDJSON.
Teams consume Helios as long-lived NDJSON streams, one connection per protocol. Streams stay open for up to 30 minutes, so fraud, abuse, and access systems can process new honeypot traffic without waiting for a batch export.
- Format: NDJSON
- Connection: up to 30 min
- Surfaces: HTTP · TLS · DNS · ADB
- Reconnect: exponential backoff
Live stream
GET /api/v4/feeds/helio/http/stream
synthient stream helio/http --duration 5s
```
{"timestamp":1778200137487,"domain":"ip-api.com","port":80,"proxy_ip":"195.63.23.169","provider":"popa","pool_id":"flixview_gms"}
{"timestamp":1778200138991,"domain":"www.youtube.com","port":443,"proxy_ip":"217.181.88.34","provider":"popa","pool_id":"flixview_gms"}
{"timestamp":1778200140233,"domain":"c2.example.com","port":53,"proxy_ip":"203.0.113.42","provider":"brightdata","pool_id":"pool-us-east"}
{"timestamp":1778200141677,"domain":"api.telegram.org","port":443,"proxy_ip":"45.95.99.226","provider":"iproyal","pool_id":"pool-sea"}
{"timestamp":1778200142844,"domain":"login.microsoftonline.com","port":443,"proxy_ip":"2.56.252.14","provider":"oxylabs","pool_id":"pool-eu"}
{"timestamp":1778200144130,"domain":"5555/adb","port":5555,"proxy_ip":"100.64.12.3","provider":"jio","pool_id":"pool-in"}
```
Every capture names its exit.
Observations are attributed to the proxy or VPN provider behind them and joined to the same provider, network, and risk fields the Lookup API returns. The proxy_ip is the join key.
- provider: POPA
- network_type: RESIDENTIAL_PROXY
- asn: AS200373
- country: DE
- risk_score: 94
- action: block
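An added example (not Synthient's code) of the consumer side of the NDJSON streams and the proxy_ip join described above: it reassembles records from arbitrary stream chunks, counts malformed lines instead of failing, and groups captures per exit. The class and function names, the sample chunks, and the local LOOKUP table standing in for Lookup API results are constructed assumptions.

```python
import json
from collections import defaultdict

class NDJSONDecoder:
    """Reassemble NDJSON records from arbitrary byte chunks of a long-lived stream."""

    def __init__(self):
        self._tail = b""      # bytes received after the last newline seen so far
        self.rejected = 0     # lines that were not a JSON object carrying proxy_ip

    def feed(self, chunk):
        *lines, self._tail = (self._tail + chunk).split(b"\n")
        records = []
        for line in lines:
            if not line.strip():
                continue      # blank line, nothing to parse
            try:
                record = json.loads(line)
            except ValueError:  # malformed JSON or invalid UTF-8
                self.rejected += 1
                continue
            if isinstance(record, dict) and "proxy_ip" in record:
                records.append(record)
            else:
                self.rejected += 1
        return records

def join_by_proxy_ip(records, lookup):
    """Group captures per exit and attach the lookup row for that proxy_ip, if any."""
    exits = defaultdict(lambda: {"captures": 0, "targets": set(), "lookup": None})
    for record in records:
        entry = exits[record["proxy_ip"]]
        entry["captures"] += 1
        entry["targets"].add((record.get("domain"), record.get("port")))
        entry["lookup"] = lookup.get(record["proxy_ip"])
    return dict(exits)

# Constructed sample: three records cut mid-record, as socket reads would, plus one corrupt line.
CHUNKS = [
    b'{"timestamp":1,"domain":"a.example","port":80,"proxy_ip":"203.0.113.42","provi',
    b'der":"p1","pool_id":"x"}\n{"timestamp":2,"domain":"b.example","port":80,',
    b'"proxy_ip":"203.0.113.42","provider":"p1","pool_id":"x"}\nnot-json\n',
    b'{"timestamp":3,"domain":"a.example","port":80,"proxy_ip":"198.51.100.7","provider":"p2","pool_id":"y"}\n',
]
# Constructed stand-in for Lookup API results, keyed by proxy_ip.
LOOKUP = {"203.0.113.42": {"network_type": "RESIDENTIAL_PROXY", "risk_score": 94, "action": "block"}}

def run_sample():
    decoder = NDJSONDecoder()
    records = [r for chunk in CHUNKS for r in decoder.feed(chunk)]
    return join_by_proxy_ip(records, LOOKUP), decoder.rejected
```

An exit with no lookup row keeps `lookup` as `None`, so unattributed traffic stays visible for review rather than being dropped.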
Live streams
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v4/feeds/helio/http/stream | Live HTTP captures as NDJSON |
| GET | /api/v4/feeds/helio/https/stream | Live TLS captures as NDJSON |
| GET | /api/v4/feeds/helio/dns/stream | Live DNS captures as NDJSON |
| GET | /api/v4/feeds/helio/adb/stream | Live ADB captures as NDJSON |
Bulk feeds
- honeypot_http: Hourly and daily HTTP capture snapshots
- honeypot_https: Hourly and daily TLS capture snapshots
- honeypot_dns: Hourly and daily DNS capture snapshots
- honeypot_adb: Hourly and daily ADB capture snapshots
Scopes
- HONEYPOT_*_STREAM: Real-time NDJSON streams, one scope per surface
- HONEYPOT_*_FEED: Bulk Parquet exports, one scope per surface
ENTERPRISE ACCESS
Use Helios in an Enterprise plan.
Helios access is scoped per customer. We review the protocols, retention needs, stream volume, and support path before enabling it.