After a previous post I decided to create some honeypots to compare the data from different ISPs. My first tries didn’t get me far: I created some nginx instances that would reply with a 200 status, but without any real code the bots wouldn’t do much more than send the first request.
So I decided to move to real honeypots with more services than just HTTP. Yesterday night I left a few honeypots running on ports 21, 22, 80, 1433, 3306 and 3389; the objective wasn’t to deceive a human opponent but just to try it out against automated bots. When I checked back on the log I was surprised: in just 10h all the services had been hit with more than 20 000 login attempts.
Besides the honeypots, I was running tcpdump in order to record every attempt and be able to do a later analysis of the connections that didn’t intend to brute-force but to use exploits instead. Before that, though, I was able to extract some stats from the captures.
Below is a list of all the countries of origin, ordered by the number of packets received.
| Country | Packets |
|---|---|
| Korea, Republic of | 29528 |
| China | 2383 |
| Belgium | 666 |
| Russian Federation | 116 |
| Vietnam | 89 |
| Czech Republic | 59 |
| United States | 22 |
| Netherlands | 21 |
| Italy | 14 |
| Mexico | 12 |
| India | 11 |
| Argentina | 10 |
| Ecuador | 9 |
| Japan | 9 |
| Taiwan | 7 |
| Poland | 6 |
| Spain | 4 |
| Sweden | 3 |
| Germany | 2 |
| Hong Kong | 2 |
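
One way to produce a per-country packet count like the table above from tcpdump's text output, as an added example (not the author's own tooling). It assumes a capture printed with `tcpdump -nn -tt -r <file>`, a placeholder honeypot address of 192.0.2.10, and a small constructed prefix table standing in for a real GeoIP database.

```python
import ipaddress
import re
from collections import Counter

HONEYPOT_PORTS = {21, 22, 80, 1433, 3306, 3389}  # ports listed in the post
# Constructed stand-in for a GeoIP database (documentation ranges, made-up labels).
SAMPLE_GEO = [
    (ipaddress.ip_network("198.51.100.0/24"), "Country A"),
    (ipaddress.ip_network("203.0.113.0/24"), "Country B"),
]
# IPv4 lines of `tcpdump -nn -tt` output: "ts IP src.sport > dst.dport: ..."
LINE_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.(\d+):")

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, label in SAMPLE_GEO:
        if addr in net:
            return label
    return "Unknown"

def tally(lines, honeypot_ip):
    """Count inbound packets to honeypot ports, by source country and by port."""
    by_country, by_port = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6 or truncated line
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dst != honeypot_ip or dport not in HONEYPOT_PORTS:
            continue  # skip the honeypot's own replies and unrelated traffic
        by_country[country_of(src)] += 1
        by_port[dport] += 1
    return by_country, by_port

# Constructed sample lines (hypothetical hosts, not taken from the post's capture).
SAMPLE = """\
1700000000.000001 IP 203.0.113.5.51234 > 192.0.2.10.22: Flags [S], seq 1, win 29200, length 0
1700000000.000002 IP 192.0.2.10.22 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 28960, length 0
1700000000.000003 IP 203.0.113.5.51234 > 192.0.2.10.22: Flags [.], ack 1, win 229, length 0
1700000001.000000 IP 198.51.100.7.40000 > 192.0.2.10.3306: Flags [S], seq 5, win 1024, length 0
1700000002.000000 IP 192.0.2.99.40001 > 192.0.2.10.3389: Flags [S], seq 7, win 1024, length 0
1700000003.000000 IP 203.0.113.8.40002 > 192.0.2.10.8080: Flags [S], seq 8, win 1024, length 0
1700000004.000000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28
""".splitlines()

if __name__ == "__main__":
    for label, n in tally(SAMPLE, "192.0.2.10")[0].most_common():
        print(f"| {label} | {n} |")
```

Counting only packets addressed to the honeypot keeps its own replies out of the totals, and the per-port counter shows which service each source went after.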