Honeypot Project

Recently we have started a small honeypot project within our network to monitor and analyze malicious requests. With this information we can make our network more secure.

What is a Honeypot?

Defining what a honeypot is can be harder than it sounds. Honeypots come in many different shapes and are used in many different ways. In general, a honeypot is a tool (or set of tools) that monitors a network for unauthorized activity. Normally a honeypot should not see any traffic at all, so all the traffic it does see can be treated as malicious. Depending on the kind of honeypot, this traffic can then be analyzed. Popular honeypots are Nepenthes, HoneyD and HoneyWall.

We are using Nepenthes for our honeypot servers (three in total, at three different locations). With Nepenthes we analyze the requests we get from the attackers. The honeypot gives the attacker the impression that the attack was successful. These attackers often include download links in their requests pointing to malicious files, usually Trojans and other viruses. We download those files and compute a fingerprint for each one; with those fingerprints we can tell whether we have seen a file before. After downloading, we check each file with several virus scanners to see whether it contains a virus. Along with this information we collect the source IPs, source and target ports, and timestamps, which tells us more about the attacks.

Findings after one month

Our honeypot has now been running for a month, and so far we have seen the following:

  • We have seen over 50,000 attacks on three servers.
  • Around 80% of the source ports are 445 (45%), 139 (22%) and 135 (13%). These ports are mostly used by file sharing applications (see What’s port 445 in Windows (XP/2000/2003)). You should never expose these ports to the outside world on a public network. Some providers even block these ports on their routers, which is at least a good idea if you have a lot of home PCs on your network (consumers do not install the latest security patches as often as they should).
  • 75% of all attacks come from less than 0.5% of the source IPs. Once an attack is successful, attacking IPs tend to keep trying over and over again for a while.
  • 65% of the viruses found are Trojan.SdBot, followed by Worm.Allaple (10%) and Trojan.MyBot. Almost all of the viruses are Windows viruses.
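As an added example (not the project's own code), the analysis described above run over a small set of constructed honeypot events: the offered files are fingerprinted so repeats need not go to the virus scanners again, and the port breakdown and the share of attacks generated by the busiest source IPs are computed. The event layout, field names and the use of SHA-256 as the fingerprint are assumptions; the port breakdown here is per target port, but the field can be switched.

```python
import hashlib
from collections import Counter

# Constructed honeypot events (sample data, not real Nepenthes output).
# Each event: timestamp, source IP, source and target port, and the bytes of
# the file the attacker offered for download (None if nothing was offered).
EVENTS = [
    {"ts": "2008-01-10T01:02:03", "src_ip": "198.51.100.7", "src_port": 3121, "dst_port": 445, "sample": b"MZ\x90sample-a"},
    {"ts": "2008-01-10T01:02:09", "src_ip": "198.51.100.7", "src_port": 3122, "dst_port": 445, "sample": b"MZ\x90sample-a"},
    {"ts": "2008-01-10T01:03:40", "src_ip": "198.51.100.7", "src_port": 3130, "dst_port": 139, "sample": b"MZ\x90sample-a"},
    {"ts": "2008-01-10T01:05:12", "src_ip": "198.51.100.7", "src_port": 3144, "dst_port": 445, "sample": b"MZ\x90sample-b"},
    {"ts": "2008-01-10T01:06:00", "src_ip": "198.51.100.7", "src_port": 3150, "dst_port": 135, "sample": None},
    {"ts": "2008-01-10T02:10:31", "src_ip": "198.51.100.7", "src_port": 3201, "dst_port": 445, "sample": b"MZ\x90sample-a"},
    {"ts": "2008-01-10T02:11:05", "src_ip": "203.0.113.9", "src_port": 1025, "dst_port": 139, "sample": b"MZ\x90sample-c"},
    {"ts": "2008-01-10T02:15:47", "src_ip": "203.0.113.10", "src_port": 1026, "dst_port": 445, "sample": None},
    {"ts": "2008-01-10T03:01:19", "src_ip": "203.0.113.11", "src_port": 1031, "dst_port": 135, "sample": b"MZ\x90sample-b"},
    {"ts": "2008-01-10T03:02:55", "src_ip": "203.0.113.12", "src_port": 2048, "dst_port": 80, "sample": None},
]

def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest used as the downloaded file's fingerprint (assumed choice)."""
    return hashlib.sha256(data).hexdigest()

def port_shares(events, field="dst_port"):
    """Fraction of events per port, e.g. {445: 0.5, 139: 0.2, ...}."""
    counts = Counter(e[field] for e in events)
    return {port: n / len(events) for port, n in counts.items()}

def top_source_share(events, fraction=0.005):
    """Share of all events coming from the busiest `fraction` of source IPs
    (at least one IP), i.e. how concentrated the attackers are."""
    counts = Counter(e["src_ip"] for e in events)
    k = max(1, int(len(counts) * fraction))
    busiest = sum(n for _, n in counts.most_common(k))
    return busiest / len(events)

def dedupe_samples(events):
    """Fingerprint every offered file. Returns ({fingerprint: first-seen ts}, repeats);
    only the fingerprints in the dict are new files that need a scanner run."""
    first_seen, repeats = {}, 0
    for e in events:
        if e["sample"] is None:
            continue
        fp = fingerprint(e["sample"])
        if fp in first_seen:
            repeats += 1
        else:
            first_seen[fp] = e["ts"]
    return first_seen, repeats
```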

If you want to see some live statistics you can view some graphs on http://hp.leaseweb.net:8000/charts/graphs.php

Honeypots like Nepenthes are very useful for collecting data without any risk. Over the next months we will continue to collect and analyze data, which we will use to secure our network. We will update the Honeypot page with more information at a later stage.

One Response to “Honeypot Project”

  • I’m not sure exactly why but this blog is loading incredibly slow for me.

    Is anyone else having this problem or is it a problem on my end?
    I’ll check back later and see if the problem still exists.

