Honeypot Analytics

For this post (and probably a few subsequent ones), I’m taking the role of ‘Pinky’ to @jayjacobs’ ‘Brain’ as I share some of my own analysis of the ssh honeypot passwords that Jay collected (you’ll need to read his VZB post before continuing). There are tons of angles for analysis and I’ve been all over the place as ideas have come and gone. I’m probably not breaking much (if any) new ground, as there are a number of honeypot tools that provide #spiffy reports like this, but there may be some new insights or, at the very least, some starting points for folks new to the honeypot scene.

One of the first things I did with the data was to make a histogram of the password lengths the attackers used:

Some questions come up:

  • Why are 6 and 8 the most frequent lengths?
  • What’s up with “khaled-dico-ana-wla-akhou-charmouta-tfeh-kess-ekhtak-bi-ayri-a5ou-a7beh” (the longest one), “FSDwef8529637531598273k1d123kid871kid872tralalalovedolce” and the other large passwords? Are they used in conjunction with other attack vectors (one of my posits)? Are they vanity signatures to inject into honeypots (one of Jay’s posits)?

(btw: those are legit questions…if honeypot researchers know the answers, I am curious)

When looking at sources of these attacks, they seem to be concentrated in a few areas:

The brute-forcers also do not seem to rest:

The down days are when the honeypot was, well, down. I am curious as to what caused the surge on the 31st and the 3rd. I believe that actually maps to Fri/Mon if the source is China/Russia.
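The three views above (password-length histogram, attempts per day, and the day-of-week question) all come from the same kind of per-attempt record, so here is one added example of how to produce them from a honeypot log. This is illustration code written for this post, not Jay’s analysis or the tooling that collected his data: the log lines are constructed, their layout (a UTC timestamp, source IP, and a kippo-style `login attempt [user/password]` field) is an assumption, and the attacker time zones are approximated with fixed UTC offsets (UTC+8 for China) rather than a real tz database.

```python
"""Added example (not from the original post or its dataset): tally ssh
honeypot login attempts by password length, by UTC day, by source IP, and by
weekday at the attacker's local time.  Log format and sample lines below are
constructed for illustration and are an assumption about the record layout."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log. Format (assumed, not the real dataset's):
#   "<UTC timestamp> <src ip> login attempt [user/password] failed|succeeded"
# Edge cases deliberately included: a password containing '/' and an empty one.
SAMPLE_LOG = """\
2014-01-30 02:11:04+0000 203.0.113.7 login attempt [root/123456] failed
2014-01-30 02:11:09+0000 203.0.113.7 login attempt [root/password] failed
2014-01-31 23:40:12+0000 198.51.100.9 login attempt [admin/admin123] failed
2014-01-31 23:41:50+0000 198.51.100.9 login attempt [root/a/b] failed
2014-02-01 00:02:33+0000 203.0.113.7 login attempt [root/12345678] failed
2014-02-03 09:15:00+0000 192.0.2.44 login attempt [oracle/oracle] failed
2014-02-03 09:15:07+0000 192.0.2.44 login attempt [root/] failed
"""

# The username group stops at the first '/', so everything after it (including
# further slashes) is the password; '(.*)' also accepts an empty password.
LINE_RE = re.compile(
    r"^(\S+ \S+) (\S+) login attempt \[([^/\]]*)/(.*)\] (failed|succeeded)$"
)


def parse_log(text):
    """Return one dict per 'login attempt' line; non-matching lines are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, user, password, result = m.groups()
        attempts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S%z"),  # tz-aware
            "src": src,
            "user": user,
            "password": password,
            "ok": result == "succeeded",
        })
    return attempts


def length_histogram(attempts):
    """Password length -> number of attempts using a password of that length."""
    return Counter(len(a["password"]) for a in attempts)


def attempts_per_day(attempts):
    """UTC calendar day (ISO string) -> number of attempts on that day."""
    return Counter(a["ts"].astimezone(timezone.utc).date().isoformat() for a in attempts)


def top_sources(attempts, n=10):
    """Most active source IPs as (ip, count) pairs, busiest first."""
    return Counter(a["src"] for a in attempts).most_common(n)


def weekday_at_source(attempts, utc_offset_hours):
    """Weekday abbreviation -> attempts, with each timestamp shifted into the
    attacker's assumed local time (fixed offset; DST and zone rules ignored)."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(a["ts"].astimezone(local_tz).strftime("%a") for a in attempts)


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    print("password lengths:", sorted(length_histogram(attempts).items()))
    print("attempts per day:", sorted(attempts_per_day(attempts).items()))
    print("top sources:", top_sources(attempts))
    print("weekday (UTC):   ", dict(weekday_at_source(attempts, 0)))
    print("weekday (UTC+8): ", dict(weekday_at_source(attempts, 8)))
```

The last two lines of output make the day-of-week point concrete: the two late-evening attempts on the 31st fall on a Friday in UTC but on a Saturday at UTC+8, so the weekday pattern depends on which time zone you assume for the source. The counts themselves say nothing about the real dataset, since the sample lines are made up.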

In the coming days/weeks, I’ll break down some analytics by IP address and focus a bit more on the passwords themselves.

Cover image from Data-Driven Security