Honeypot Project

Recently we have started a small honeypot project within our network to monitor and analyze malicious requests. With this information we can make our network more secure.

What is a Honeypot?

Defining what a honeypot is can be harder than it sounds. Honeypots come in many different shapes and are used in many different ways. In general a honeypot is a (set of) tool(s) monitoring networks for unauthorized activities. Normally a honeypot should not see any traffic at all, so all traffic it does see is suspicious by definition. Depending on the kind of honeypot, this traffic can be analyzed. Popular honeypots are Nepenthes, HoneyD and HoneyWall.

We are using Nepenthes for our honeypot servers (three in total, at three different locations). With Nepenthes, we analyze the requests we get from the attackers. The honeypot gives the attacker the impression that his attack is successful. These attackers often include download links in their requests pointing to malicious files, often Trojans and other viruses. We download those files and give them a fingerprint. With those fingerprints we can see whether we have seen a file before. After downloading, we check the file with several virus scanners to see if it contains a virus. Along with this information we collect the source IPs, source and target ports and timestamps. This gives us more information about the attacks.

Findings after one month

Our honeypot has now been running for a month and so far we have seen the following:

  • We have seen over 50.000 attacks on three servers.
  • Around 80% of the source ports are 445 (45%), 139 (22%) and 135 (13%). These ports are mostly used by file sharing applications (see What’s port 445 in Windows (XP/2000/2003)). You should never open these ports on a public network to the outside world. Some providers even block these ports on their routers, which is at least a good idea if you have a lot of home PCs on your network (consumers don’t install the latest security patches as often as they should).
  • 75% of all attacks come from fewer than 0.5% of the source IPs. Once an attack is successful, the attacking IPs keep trying over and over again for a while.
  • 65% of the viruses found are Trojan.SdBot, followed by Worm.Allaple (10%) and Trojan.MyBot. Almost all viruses are Windows viruses.
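The pipeline described above (fingerprint each downloaded file, check whether it was seen before, and summarize the collected ports and source IPs) as a small worked example. This is added illustration code, not part of the original post or of Nepenthes; the event records are constructed sample data and the tuple layout is an assumption.

```python
import hashlib
from collections import Counter

# Constructed sample events (not real Nepenthes output):
# (timestamp, source IP, target port, bytes of the file the attacker offered)
EVENTS = [
    ("2008-03-01T10:00:00", "198.51.100.7", 445, b"sample-file-A"),
    ("2008-03-01T10:00:05", "198.51.100.7", 445, b"sample-file-A"),
    ("2008-03-01T10:00:09", "198.51.100.7", 445, b"sample-file-A"),
    ("2008-03-01T10:01:12", "198.51.100.7", 445, b"sample-file-B"),
    ("2008-03-01T10:02:00", "198.51.100.7", 139, b"sample-file-A"),
    ("2008-03-01T10:02:30", "198.51.100.7", 139, b"sample-file-A"),
    ("2008-03-01T11:00:00", "203.0.113.9", 135, b"sample-file-B"),
    ("2008-03-01T11:05:00", "203.0.113.9", 445, b"sample-file-B"),
    ("2008-03-01T12:00:00", "192.0.2.4", 80, b"sample-file-C"),
    ("2008-03-01T12:30:00", "192.0.2.5", 139, b"sample-file-A"),
]

def fingerprint(data: bytes) -> str:
    """SHA-256 of a downloaded file: the 'have we seen this file before' key."""
    return hashlib.sha256(data).hexdigest()

def port_shares(events) -> dict:
    """Percentage of attacks per target port (the 445/139/135 breakdown above)."""
    counts = Counter(ev[2] for ev in events)
    return {port: round(100 * n / len(events), 1) for port, n in counts.items()}

def top_source_share(events, fraction=0.005) -> float:
    """Fraction of all attacks sent by the top `fraction` of source IPs (at least one IP)."""
    counts = Counter(ev[1] for ev in events)
    k = max(1, round(len(counts) * fraction))
    return sum(n for _, n in counts.most_common(k)) / len(events)

def new_samples(events, seen: set) -> list:
    """Fingerprints not yet in `seen`, in first-seen order; `seen` is updated in place."""
    fresh = []
    for ev in events:
        fp = fingerprint(ev[3])
        if fp not in seen:
            seen.add(fp)
            fresh.append(fp)
    return fresh

if __name__ == "__main__":
    print(port_shares(EVENTS))
    print(f"share of attacks from the top source IPs: {top_source_share(EVENTS):.0%}")
    seen = set()
    print(len(new_samples(EVENTS, seen)), "new samples on first pass,",
          len(new_samples(EVENTS, seen)), "on second pass")
```

On the sample data one source IP accounts for 60% of the events and only three distinct files appear among ten downloads, the same skew the findings above describe.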

If you want to see some live statistics you can view some graphs on http://hp.leaseweb.net:8000/charts/graphs.php

Honeypots like Nepenthes are very useful for collecting data without any risk. During the next months we will continue to collect and analyze data, which we will use to secure our network. We will update the Honeypot page with more information at a later stage.

One Response to “Honeypot Project”

  • I’m not sure exactly why but this blog is loading incredibly slow for me.

    Is anyone else having this problem or is it a problem on my end?
    I’ll check back later and see if the problem still exists.
