User Guide

Everything you need to know about using Echelon for threat intelligence and network security.

What is Echelon?

Echelon is a collaborative threat intelligence platform built specifically for research and education networks (NRENs). We aggregate data from honeypot sensors deployed across universities and research institutions worldwide, providing real-time visibility into malicious activity targeting the R&E sector.

Why Use Echelon?

Incident Investigation

Check if an IP address flagged in your logs has been observed attacking other institutions. Quickly determine whether you're dealing with a known threat actor or an isolated incident.

Proactive Defense

Build dynamic blocklists based on attack patterns. Block SSH brute forcers, web scanners, and exploit attempts before they reach your critical systems.

Threat Intelligence

Understand trending attack vectors targeting academia. Track campaign patterns, identify persistent threat actors, and stay ahead of emerging threats.

Community Collaboration

Benefit from collective defense. When one institution sees an attack, the entire community gets protected through shared intelligence.

How to Search

Search by IP Address

The simplest way to use Echelon is to search for a specific IP address. Just enter it in the search bar.

Try it:
203.167.203.212

This will show you the IP's classification, associated tags, activity timeline, and network metadata.

Advanced Query Syntax

For more powerful searches, use our query language to filter IPs by multiple criteria.

classification : malicious
Find all IPs classified as malicious
tag : "SSH Brute Force"
Search for IPs with a specific tag (use quotes for multi-word tags)
country : China AND classification : malicious
Combine filters with AND/OR operators
last_seen : 7d
Find IPs active in the last 7 days (supports 1d, 7d, 30d, 90d)
port : 22
Filter by port number (useful for finding specific attack types)

Pro Tip
Use the dropdown filters when searching for quick access to common queries like time ranges and classifications.

Understanding Results

Classifications

Malicious
Confirmed threat. Multiple attacks observed across sensors or known threat actor.
Suspicious
Potentially hostile. Scanning or probing behavior detected but not yet confirmed malicious.
Benign
Known safe. Legitimate service or research scanner (e.g., Shodan, university security teams).
Unknown
Insufficient data. Recently observed or minimal activity recorded.

Tags

Tags describe the attack type or behavior observed. Common tags include:

  • SSH Brute Force — Repeated failed SSH login attempts
  • Web Crawler — Automated web scanning/crawling
  • Telnet Bruteforcer — IoT device exploitation attempts
  • Admin Panel Hunt — Searching for exposed admin interfaces

Activity Timelines

On IP detail pages, timeline visualizations show when specific attack types were observed. This helps identify campaign patterns and determine if a threat is ongoing or historical.

Integration: Dynamic Blocklists

Echelon provides API endpoints for each tag that return IP addresses in blocklist format. These can be consumed directly by most enterprise firewalls as External Dynamic Lists (EDLs).

Blocklist URL Format

https://echelonlabs.co/api/tag/block/[tag-slug]

Tag slugs are lowercase, hyphenated versions of tag names. For example, "SSH Brute Force" becomes "ssh-brute-force".

Firewall Configuration

Configure your firewall to poll these URLs periodically (we recommend hourly). Here's how:

Note
Currently, blocklist access is unauthenticated. We recommend implementing your own caching/validation layer. API authentication is planned for a future release.
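The caching and validation layer the note recommends, as an added example in Python (not part of the Echelon guide or its API): it derives the tag slug as described above, accepts only syntactically valid, globally routable addresses from the fetched list, and keeps the last good cached list when the feed is unreachable or returns nothing usable. The `fetch` callable, the cache file layout and the sample response are assumptions constructed for the example.

```python
import ipaddress
import json
import time
from pathlib import Path

BASE_URL = "https://echelonlabs.co/api/tag/block/"  # URL pattern from the guide
# Constructed sample feed: the guide's example IP, a private address, and a garbage line.
SAMPLE_RESPONSE = "# comment\n203.167.203.212\n10.0.0.1\nnot-an-ip\n"

def tag_slug(tag_name):
    """'SSH Brute Force' -> 'ssh-brute-force' (lowercase, spaces to hyphens)."""
    return "-".join(tag_name.lower().split())

def parse_blocklist(text):
    """Keep only valid, globally routable IPv4/IPv6 addresses; return rejects for logging."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            rejected.append(line)
            continue
        # Never let an unauthenticated feed push private, loopback or link-local
        # ranges into the firewall: a bad response could block internal networks.
        if ip.is_global:
            accepted.append(str(ip))
        else:
            rejected.append(line)
    return accepted, rejected

def refresh_blocklist(tag_name, fetch, cache_path, max_age=3600):
    """Serve the cached list while younger than max_age (hourly, as the guide recommends);
    otherwise call fetch(url) -> str, validate, and rewrite the cache. On a fetch error
    or a response with no valid IPs, keep the last good list instead of emptying it."""
    cache_path = Path(cache_path)
    cached = json.loads(cache_path.read_text()) if cache_path.exists() else None
    if cached and time.time() - cached["fetched_at"] < max_age:
        return cached["ips"]
    try:
        accepted, _rejected = parse_blocklist(fetch(BASE_URL + tag_slug(tag_name)))
    except Exception:  # network error, timeout or bad status raised by fetch
        accepted = []
    if not accepted:
        return cached["ips"] if cached else []
    cache_path.write_text(json.dumps({"fetched_at": time.time(), "ips": accepted}))
    return accepted
```

Point the firewall's EDL at the file this writes (or a local HTTP endpoint serving it) rather than at the upstream URL, so that a bad or missing response never reaches the blocklist unchecked.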