Posted by Miguel Lopes on Mon, Sep 19, 2016
After a previous post I decided to create some honeypots to compare the data from different ISPs. My first tries didn’t get me far: I created some nginx instances that would reply with a 200 status, but without any real code the bots wouldn’t do much more than send the first request.

So I decided to move to real honeypots with more services than just HTTP. Last night I left a few honeypots running on ports 21, 22, 80, 1433, 3306 and 3389. The objective wasn’t to deceive a human opponent but just to try it out against automated bots. When I checked the logs I was surprised: in just 10h all the services had been hit with more than 20 000 login attempts.

Besides the honeypots, I was running tcpdump to record every attempt, so that I could later analyse the connections that didn’t intend to brute-force but to use exploits instead. Before that, though, I was able to extract some stats from the captures.

Below is a list of all the countries of origin, ordered by the number of packets received.

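| Country | Packets |
|---|---|
| Korea, Republic of | 29528 |
| China | 2383 |
| Belgium | 666 |
| Russian Federation | 116 |
| Vietnam | 89 |
| Czech Republic | 59 |
| United States | 22 |
| Netherlands | 21 |
| Italy | 14 |
| Mexico | 12 |
| India | 11 |
| Argentina | 10 |
| Ecuador | 9 |
| Japan | 9 |
| Taiwan | 7 |
| Poland | 6 |
| Spain | 4 |
| Sweden | 3 |
| Germany | 2 |
| Hong Kong | 2 |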

