Why is my Honeypot a Russian Certificate Authority?

Last night, I noticed a lot of requests to one of our honeypots for "/ocsp.srf" and "/itcom2020/ocsp.srf". The requests all looked very similar:

GET /itcom2020/ocsp.srf HTTP/1.1
User-Agent: fasthttp
Host: service.itk23.ru

GET /ocsp/ocsp.srf HTTP/1.1
User-Agent: fasthttp
Host: uc.ktkt.ru

The same source IP also attempted CONNECT requests to these hostnames, indicating that they may be looking for a proxy.

So far, I am not sure what these scans are about. Is anybody else seeing this or knows more about what may be happening? The combination of "CONNECT" requests and OCSP requests may suggest that someone is attempting to use my honeypot as a proxy or has it misconfigured as a proxy. But there is no payload to the OCSP requests.

OCSP, the "Online Certificate Status Protocol," is a more modern alternative to CRLs (Certificate Revocation Lists). A client connecting via TLS receives an OCSP responder URL as part of the certificate. The responder is a web service the client can query to verify whether the certificate is still "good." Alternatively, the TLS server may attach a recently created OCSP response to the certificate ("OCSP Stapling"). For Let's Encrypt, for example, the OCSP URL is http://r3.o.lencr.org. A typical OCSP request carries the actual query with it, either base64-encoded in the URL path for a GET or in the body of a POST; the requests above carry neither.

Initially, I figured that they may be searching for private CAs. But the requests repeatedly target particular IP addresses, and the "fasthttp" user-agent points to a client written in Go.

Any ideas about what may be happening here?

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
May 16th 2022