Project Honeypot

To demonstrate and encourage good reasons for Cyber Hygiene, we display the results of Project Honeypot, a small project undertaken by academic researchers to monitor the types of scans and attacks made on Internet-facing systems. Because these attacks occur electronically within systems, they tend to go unnoticed unless suitable monitoring processes are configured. It is a misconception that a compromised system is immediately apparent: an attacker's motivations are varied, and an intelligent Cyber Criminal will often silently exploit a compromised system, either as a base for attacking other systems or by using their covert access to the data on the system for their own purposes (e.g. identity theft, financial gain). It is often the case that a Cyber Criminal will ensure their presence on a compromised system is hidden.

The systems, which were configured to monitor and log all access attempts to remote access services, did not have a presence on the Internet that was advertised via search engines or web addresses and merely sat passively monitoring connection attempts. We hope the results will provide a good visualisation of the types and frequency of cyber attacks and how attackers not only target high profile systems but also seek out vulnerable systems randomly.

From this, a picture emerges of how hosts installed worldwide are capable of launching vulnerability probes: port scans, vulnerability checks or direct attempts to compromise systems.

The idea was to build a statistical picture of where attacking hosts are located (by country), the types of attack, the apparent type and expertise of the attacker (e.g. "Script Kiddie", "Botnet" placed on a compromised host, etc.), and the interconnection of hosts (e.g. botnets), as well as demonstrating that any presence on the Internet is subject to Cyber Attack. Secure configuration and security policies can provide a resilient defence against these attacks.

As an initial example, one brief probe of one of the systems, seen just a few minutes after the first honeypot was enabled, consisted of a scan of the following ports:

  Scan Attempt - Source: Guangdong, China
  Port     Service                         Vulnerability
  135      Windows Messenger service       Exploit
  445      Direct Host SMB                 Exploit
  1433     Possible SQL Server Express     Exploit
  21320    Spybot Anti Virus               Exploit

The scan was completed in milliseconds. The vulnerabilities probed for could only be present on older Microsoft systems (e.g. Windows XP/Windows 2003 Server, or unpatched Windows 7/Windows 2008 Server), and the honeypot itself was a Linux-based system not prone to the vulnerabilities scanned for, so it is likely that the source host was either virus infected or was using automated processes to crawl the Internet gathering information on potentially vulnerable systems. Targeted attacks usually commence with a scan to determine the operating system of the intended target, minimising exposure of the attacker's IP address to potential monitoring systems. There was no attempt to connect back to potentially malicious hosts to gain more information about them; however, using stack fingerprinting and analysing the type of data received when the host attempted the scans, the connecting host was found to be using a Linux-based operating system, so the likelihood of it being a virus-infected system is low, as Linux systems would not be affected by the type of viruses indicated in the scans.

There are still a significant number of older, unsupported systems online, according to a January 2017 survey by www.netmarketshare.com. A foothold on one of these devices could be used to further compromise systems they are connected to or associated with.

Over a 24 hour period several hundred scan and connection attempts were made - results are posted below.

The following sample, monitoring probes to Remote Access Protocols, spans a period of about 8 hours on the 15th February 2017.

Care should be taken when interpreting the data - the country of origin shown is derived from the IP address of the sending host connecting to the systems. There is always the possibility that the sending host is itself a compromised system being used as a platform to launch the probes on our own systems. For example, a Cyber Criminal in country A successfully compromises systems in countries B, C & D. The systems, unknown to their responsible authority, are then used to launch attacks on country E by proxy. Although it would appear to country E that the sources of the attack are countries B, C & D, the actual root source is country A, which has successfully taken control of systems in countries B, C & D and now uses those systems as remote platforms to launch attacks on country E.

  Remote Access by Protocol, Attempts by Country [15/02/17]
  (- = no attempts recorded)

  Country of Origin     RDP   SSH  Telnet
  Albania                 -     -       4
  Argentina               -     1      17
  Australia               -     -      10
  Austria                 1     -       -
  Bangladesh              -     -       1
  Bangor                  -     -       1
  Belarus                 -     -       1
  Bolivia                 -     -       1
  Botswana                -     -       1
  Brazil                  -     1      39
  Bulgaria                -     -       2
  Cambodia                -     -       2
  Canada                  -     -       1
  Chile                   -     -       5
  China                   4    50      88
  Czech Republic          1     -       -
  Colombia                -     1       7
  Costa Rica              -     -       4
  Ecuador                 -     -       1
  Egypt                   -     -       6
  Finland                 -     -       2
  France                  -     1       9
  Germany                 1     -       1
  Greece                  -     -       1
  Hong Kong               -     -       1
  Hungary                 -     -       2
  India                   -     -      12
  Indonesia               -     -       7
  Iran                    -     -      12
  Israel                  -     -       2
  Italy                   -     1       9
  Ireland                 1     -       -
  Japan                   -     1       1
  Kazakhstan              -     1       1
  Kuwait                  -     -       1
  Latvia                  1     -       -
  Libya                   -     -       1
  Macedonia               -     -       2
  Macao                   -     -       1
  Malaysia                -     -       3
  Malta                   1     -       -
  Mexico                  1     -       6
  Morocco                 -     -       2
  Netherlands             3     1       -
  Nigeria                 -     -       1
  Pakistan                -     -       1
  Paraguay                -     -       1
  Philippines             -     -       5
  Poland                  -     -      10
  Portugal                -     -       5
  Puerto Rico             -     -       1
  Qatar                   -     -       1
  Republic of Korea       -     2       8
  Republic of Moldova     -     -       2
  Romania                 -     1      12
  Russia                  5     2      16
  Serbia                  -     -       2
  Senegal                 -     -       1
  Seychelles              -     -       1
  Singapore               -     -       1
  Slovakia                -     -       1
  South Africa            -     -       4
  Spain                   -     1       3
  Sweden                  -     -       3
  Taiwan                  -     -      44
  Thailand                -     1      11
  Trinidad & Tobago       -     -       4
  Turkey                  -     2      28
  UK                      1     1      11
  Ukraine                 3     2       4
  USA                     9     8      21
  Vietnam                 1     6      50
  Venezuela               -     -       2
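
As an added example (not part of the original project's tooling), the following Python script shows how both kinds of result on this page can be derived from a honeypot connection log: the per-country RDP/SSH/Telnet tally in the table above, and a detector for the millisecond-scale multi-port probe described earlier (ports 135/445/1433/21320). The log format, IP addresses, country tags and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Remote-access services the honeypot monitored (destination port -> protocol).
REMOTE_ACCESS = {3389: "RDP", 22: "SSH", 23: "Telnet"}

# Constructed sample log lines (not real honeypot data): time, source IP, country, port.
SAMPLE_LOG = """\
2017-02-15T08:00:00.000 src=203.0.113.7 country=China dport=135
2017-02-15T08:00:00.012 src=203.0.113.7 country=China dport=445
2017-02-15T08:00:00.020 src=203.0.113.7 country=China dport=1433
2017-02-15T08:00:00.031 src=203.0.113.7 country=China dport=21320
2017-02-15T08:01:10.500 src=198.51.100.3 country=Brazil dport=23
2017-02-15T08:05:00.000 src=192.0.2.9 country=USA dport=3389
2017-02-15T09:00:00.000 src=203.0.113.7 country=China dport=22
"""

def parse_log(text):
    """Parse the constructed log format into (time, src, country, port) tuples."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        f = dict(p.split("=", 1) for p in fields)
        events.append((datetime.fromisoformat(ts), f["src"], f["country"], int(f["dport"])))
    return events

def attempts_by_country(events):
    """Count RDP/SSH/Telnet attempts per country; probes to other ports are skipped."""
    table = defaultdict(lambda: {"RDP": 0, "SSH": 0, "Telnet": 0})
    for _, _, country, port in events:
        proto = REMOTE_ACCESS.get(port)
        if proto:
            table[country][proto] += 1
    return dict(table)

def fast_port_scans(events, min_ports=3, window_ms=100):
    """Flag sources hitting >= min_ports distinct ports within window_ms (the fast probe above)."""
    by_src = defaultdict(list)
    for t, src, _, port in events:
        by_src[src].append((t, port))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological order per source
        for i, (t0, _) in enumerate(hits):
            window = {p for t, p in hits[i:] if (t - t0).total_seconds() * 1000 <= window_ms}
            if len(window) >= min_ports:
                flagged[src] = sorted(window)
                break
    return flagged
```

Slow, single-port attempts (the Brazil Telnet and USA RDP lines) are counted in the tally but not flagged as scans; only the source that touched four ports within 31 ms is.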

Other services scanned

Last update 18th February 2017