
SANS ISC: Setting up Honeypots - SANS Internet Storm Center


Setting up Honeypots

Most if not all of the handlers run honeypots, sinkholes, SPAM traps, etc. in various locations around the planet. As many of you are aware, they are a nice tool to see what is going on on the Internet at a specific time.  Setting up a new server the other day, it was interesting to see how fast it was touched by evilness.  Initially it wasn't even intended as a honeypot, but it soon turned into one when "interesting" traffic started turning up.  Now of course mixing business (the server's originally intended use) and pleasure (honeypot) isn't a good thing, so honeypot it is. 

It was quite disheartening to see how fast evilness turned up: 

  • SSH brute force attacks, port 22: < 2 minutes
  • SSH brute force attacks, port 2222: < 4 hours
  • Telnet: 8 minutes
  • ColdFusion checks: ~30 minutes
  • SQLi check: ~15 minutes
  • Open proxy check, port 3128: 81 minutes
  • Open proxy check, port 80: 35 minutes
  • Open proxy check, port 8080: 48 minutes

Which got me thinking about a few things, and hence this post.  There are two things I'm interested in. Firstly, when running honeypots, what do you use?  There are some great resources and different tools, so what works for you?  This one I just set up using the 404 project components from this site. I used Kippo for 2222, and for the rest I used the actual products configured to bounce pretty much every request.  It doesn't get me exactly what they are doing, but it gives me a first indication, plus I ran out of time :-(  

The second thing I'd like to know is, when you set up the honeypot for the first time, how long did it take to get a hit?  On our site we have a survival time.  It would be interesting to know what the survival time for SSH, FTP, telnet, proxies etc. is.  So the next time you set up a honeypot, or if you still have the logs going back that far, take a look and share.  SSH with a default password: less than 2 minutes. What are your stats?

Cheers

Mark 

(PS if you are going to set one up, make sure you fully understand what you are about to do.  You are placing a deliberately vulnerable device on the internet.  Depending on your location you may be held liable for stuff that happens (IANAL).  If it gets compromised, make sure it is somewhere where it can't hurt you or others. )


Mark

391 Posts
ISC Handler
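Mark asks readers to pull the survival time (time from going online to the first hit on each service) out of their own logs. As an added example, not code from the diary, from Kippo or from the 404 project, here is a small Python script that does exactly that. The log format is a constructed one-line-per-event layout ("timestamp service/port source-ip message") standing in for whatever sshd, Kippo or a web server actually writes, and every timestamp, address and service in the sample is invented. It takes the earliest timestamp per service rather than the first line, so unsorted logs are fine, and it drops events stamped before the host came online (leftovers from a previous boot), which is the kind of noise the thread discusses.

```python
"""Honeypot survival time per exposed service, computed from the host's own log.

Added example for the ISC diary; not the diary's or any tool's code.
Log layout is constructed: "<ISO timestamp> <service>/<port> <source IP> <message>".
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sample log (not a real capture). Note the pre-online event on the
# first line and the out-of-order timestamps on the ssh/22 lines.
SAMPLE_LOG = """\
2013-04-30T23:59:00 ssh/22 203.0.113.5 Failed password for root
2013-05-01T03:04:43 ssh/22 203.0.113.5 Failed password for root
2013-05-01T03:04:41 ssh/22 203.0.113.5 Failed password for root
2013-05-01T03:11:00 telnet/23 198.51.100.7 login attempt [root/admin] failed
2013-05-01T03:18:05 http/80 192.0.2.44 GET http://example.com/ HTTP/1.1 (open proxy probe)
2013-05-01T03:38:10 http/80 192.0.2.44 GET /index.php?id=1' (SQLi probe)
2013-05-01T04:24:09 http/3128 198.51.100.7 CONNECT example.net:25 HTTP/1.1 (open proxy probe)
2013-05-01T07:01:30 ssh/2222 203.0.113.9 login attempt [root/123456] failed
this line is not in the expected format
"""

# Constructed: the moment the honeypot's services came up.
ONLINE_AT = datetime.fromisoformat("2013-05-01T03:03:00")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<service>[a-z]+/\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<msg>.+)$"
)


@dataclass(frozen=True)
class Event:
    when: datetime
    service: str   # e.g. "ssh/22": the honeypot service and the port it listens on
    src: str       # source IP of the probe
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["service"], m["src"], m["msg"])


def survival_times(lines: Iterable[str], online_at: datetime) -> Dict[str, int]:
    """Seconds from online_at to the earliest hit on each service.

    Takes the minimum timestamp per service (log order is irrelevant) and skips
    events stamped before online_at, which cannot be hits on this deployment.
    """
    first: Dict[str, datetime] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.when < online_at:
            continue
        if ev.service not in first or ev.when < first[ev.service]:
            first[ev.service] = ev.when
    return {svc: int((t - online_at).total_seconds()) for svc, t in first.items()}


def attempts_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """How many parsable events each source IP produced, across all services."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[ev.src] += 1
    return dict(counts)


def report(lines: Iterable[str], online_at: datetime) -> List[str]:
    """One row per service, shortest survival time first."""
    lines = list(lines)
    rows = sorted(survival_times(lines, online_at).items(), key=lambda kv: kv[1])
    return [f"{svc:<10} first hit after {secs // 60:4d} min {secs % 60:2d} s" for svc, secs in rows]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines(), ONLINE_AT):
        print(row)
    print("events per source:", attempts_by_source(SAMPLE_LOG.splitlines()))
```

Feed it `sys.stdin` or an opened log file instead of `SAMPLE_LOG.splitlines()` to run it over a real deployment; the only part that needs adapting is `LINE_RE`, which has to match whatever your honeypot actually writes.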
I promise I'm not trying to drive traffic to our blog, but my colleague Jay Jacobs here at Verizon had a series of blog posts on "Opportunistic Attacks" and how quickly systems are hit by evilness. The last link is a short youtube video where he visualized the information from his honeypot.

http://www.verizonenterprise.com/security/blog/index.xml?postid=1587
http://www.verizonenterprise.com/security/blog/?postid=1589
http://www.verizonenterprise.com/security/blog/?postid=1593
http://www.verizonenterprise.com/security/blog/index.xml?postid=1600
http://www.youtube.com/watch?v=mGr1GpV-YcE

Enjoy!

Chris
Christopher

1 Posts
I think it largely depends on what your IP address was used for before ... IMHO it can hardly be generalized.
gebhard

7 Posts
Very true. The IP could have been used for other purposes, and the traffic you are seeing could be leftovers from a previous owner. In fact, one of the other servers I run has that exact issue. It is one of the issues in a VPS world where servers are reallocated when someone pays a bill.

One reason why more data might help sort it out. But then, when you think about it, it could still be quite valid information as we move more towards a VPS type of environment. With the IPv4 allocation gone, you'd be hard pressed to find an IPv4 address without history.

M
Mark

391 Posts
ISC Handler
What happens if your honeypot is IPv6 only? Does it essentially "Disappear" into the vast void of IPv6?

Paul
PaulOutBox

7 Posts
I've run a Kippo honeypot (on a Raspberry Pi) for a number of months. I started running it after reviewing all the port 22 hits in our logs. Oh, this is on a residential cable modem connection.

Last week our ISP reconfigured things -- changing our IP from 76.xx.xx.xx to 69.xx.xx.xx. As I noted in a blog post, for the honeypot, it was like moving to a new town and starting over as a virgin!

I also run another hack on our home network that tracks network downtimes, so I know when the IP change occurred.

We came up on the new IP address at 03:03 (AM, local time). First port 22 hit recorded at 04:50 with a login attempt to root with password=admin

While our "new" IP address may have been used by someone else previously, it's still in a residential block!
k6rtm

3 Posts
Hello Mark,

Great article and this is definitively a very interesting topic!

Some time ago I had deployed a Kippo Honeypot and wrote about the experience here: http://countuponsecurity.com/2012/12/07/deception-techniques/.

After that, since it could be used to gather intelligence through the knowledge and information one obtains by observing, analyzing and investigating it, I illustrate the "intel" you could gain using the facts captured from a Kippo Honeypot during the first 20 days here: http://countuponsecurity.com/2012/12/26/honeypot-captures-bad-villain/?relatedposts_exclude=427

Following that article and learning some interesting things, I wrote about the economic incentive for evilness to use and exploit bots for spam, phishing, DoS extortion and other attacks, with a step-by-step illustration of how evilness grows their botnet business model by exploiting bad passwords via SSH brute force, here: http://countuponsecurity.com/2013/01/02/step-by-step-bot-infection-process-exploiting-bad-password/ ...


Cheers,
Luis
k6rtm
2 Posts
Reminds me of the nimda days, before we had a firewall. I had a windows server get infected while I was building it.
John

88 Posts
That's too funny... same thing happened to me with Code Red!
John
7 Posts
I set up a Kippo honeypot using a Raspberry Pi on my home network; it took a day or so for the first brute force attack. I've had it up since August and I've only had about 12 people actually get in, and didn't get any serious malicious intent until last week. So your mileage may vary. I did have someone try to infect it with an interesting piece of Linux malware last week; it's been submitted to a few malware analysis sites since then, so it is worth keeping a little honeypot up even if it's boring for a while.
sforslev

4 Posts
HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages.

http://sourceforge.net/projects/honeydrive/
Sanesecurity

21 Posts
Good article.
Sanesecurity
4 Posts
