Recently we have started a small honeypot project within our network to monitor and analyze malicious requests. With this information we can make our network more secure.
What is a Honeypot?
Defining what a honeypot is can be harder then it sounds. Honeypots come in many different shapes and are used in many different ways. In general a honeypot is a (set of) tool(s) monitoring networks for unauthorized activities. Normally a honeypot should not see any traffic, and as a result all traffic it sees is malicious. Depending on the kind of honeypot, this traffic can be analyzed. Popular honeypots are Nepenthes, HoneyD, HoneyWall.
We are using Nepenthes for our honeypot servers (three in total on three different locations). With Nepenthes, we analyze the requests we get from the attackers.The honeypot gives the attacker the impression that his attack is successful. These attackers often offer download links in their requests to malicious files, often Trojans and other viruses. We download those files and give them a fingerprint. With those fingerprints we can see if we have seen this file before. After downloading, we check the file with several virusscanners to see if the file contains a virus. Along with this information we collect the source IP’s, source and target ports and timestamps. This gives us more information about the attacks.
Findings after one month
Our honeypot is now running for a month and so far we have seen the following:
- We have seen over 50.000 attacks on three servers.
- Around 80% of the source ports are 445 (45%), 139 (22%) and 135 (13%). These ports are mostly used by file sharing applications (see What’s port 445 in Windows (XP/2000/2003). You should never open these ports on a public network to the outside world. Some providers even block these ports on their routers, which is at least a good idea if you a lot of home-pc’s on your network (consumers don’t install the latest security patches as often as they should).
- 75% of all attacks only come from < 0.5% of the source IP’s. Attacking IP’s have the intention to try over and over again for a while once an attack is successful.
- 65% of the found viruses is Trojan.SdBot, followed by Worm.Allaple (10%) and Trojan.MyBot. Allmost all viruses are Windows viruses.
If you want to see some live statistics you can view some graphs on http://hp.leaseweb.net:8000/charts/graphs.php
Honeypots like nepenthes are very useful in collecting data without any risks. During the next months we will continue to collect and analyze data which we will use to secure our network. We will update the Honeypot page with more information at a later stage.