
Introduction to honeypots

As most of you already know, honeypots are hosts that act as bait, exposing services on the internet in order to lure attackers. Below is an introduction to honeypots.

Using honeypots, security researchers can:

  • Monitor the attackers’ activity on the internet.
  • Discover possible vulnerable services being exploited by an attacker.
  • Better understand how attackers try to gain access to a host, and therefore protect it better.
  • Capture malware samples.

There are many kinds of honeypots, classified by whether they are server-side or client-side, and by whether they allow a low or a high level of interaction.

The difference between low- and high-interaction honeypots is that high-interaction honeypots run real services on a real host, while low-interaction honeypots only simulate them.

All kinds of honeypots can be used to detect attacks or to study attack patterns, among other things. High-interaction honeypots, however, also make it possible to detect new attacks, exploits and techniques that would go unnoticed without a live service.

If, instead of a single honeypot, you use multiple honeypots, you can simulate an exposed network (called a honeynet). With a honeynet you can see not only how attackers behave on a single host, but also how they move within a network, allowing security researchers to better comprehend their conduct.

It’s been a while since Blueliv developed and deployed its honeynet, and today we wanted to share some interesting data about the attacks we have been receiving.

For instance, our low level interaction honeypots have received 480K attacks in only two months:

[Figure: attacks by date]

The number of attacks varies from day to day, but on average we received about 8K attacks daily. From this information a lot of data can be extracted, such as the most attacked country or which kinds of services are being attacked, or you can build your own IP reputation database.

With more time, even attack patterns can be extracted, such as whether attackers first scan the host with a port scanner such as Nmap or whether they target only one service.

The most attacked service is SSH, with 122K attacks, usually brute-force ones. In these attacks the most commonly tested username is ‘root’, with over 200K tries. In the following graph you can see the other usernames used (excluding root):

[Figure: usernames rank]

As you can see, the most tested usernames are default usernames created by common applications.

On the other hand, the most common passwords used in the attacks are:

[Figure: passwords rank]
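The rankings above are the kind of aggregation a low-interaction SSH honeypot's logs make easy. The following is an added example, not Blueliv's code: it assumes a constructed one-line-per-attempt log format (`timestamp src_ip service username password`) and computes attacks per day, the top usernames excluding root, the top passwords, attacks per service and the busiest source addresses, which is the raw material for an IP reputation list.

```python
"""Aggregate login attempts recorded by a low-interaction SSH honeypot.

Added example, not the honeynet's own code. The log format is an assumption:
one constructed line per attempt, "timestamp src_ip service username password".
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log: six brute-force attempts from two source addresses.
SAMPLE_LOG = """\
2015-08-01T00:12:03Z 203.0.113.5 ssh root 123456
2015-08-01T01:40:11Z 203.0.113.5 ssh root password
2015-08-01T07:55:42Z 198.51.100.7 ssh admin admin
2015-08-02T09:02:19Z 198.51.100.7 ssh oracle oracle
2015-08-02T09:02:25Z 198.51.100.7 ssh root toor
2015-08-02T22:31:00Z 203.0.113.5 telnet admin 123456
"""

Record = Tuple[str, ...]  # (timestamp, src_ip, service, username, password)


def parse(log: str) -> List[Record]:
    """Split each line into five fields; the password may itself contain spaces,
    so only the first four separators are used. Malformed lines are skipped."""
    records: List[Record] = []
    for line in log.splitlines():
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue
        records.append(tuple(parts))
    return records


def attacks_per_day(records: List[Record]) -> Dict[str, int]:
    # The first ten characters of an ISO-8601 timestamp are the date.
    return dict(Counter(ts[:10] for ts, *_ in records))


def top_usernames(records: List[Record], exclude=("root",), n=10):
    # SSH only, with root left out so the long tail of usernames is visible.
    return Counter(user for _, _, svc, user, _ in records
                   if svc == "ssh" and user not in exclude).most_common(n)


def top_passwords(records: List[Record], n=10):
    return Counter(pw for *_, pw in records).most_common(n)


def attacks_per_service(records: List[Record]) -> Dict[str, int]:
    return dict(Counter(svc for _, _, svc, _, _ in records))


def top_sources(records: List[Record], n=10):
    # Source addresses ranked by attempt count: the seed of a reputation list.
    return Counter(ip for _, ip, *_ in records).most_common(n)
```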

Using high-interaction honeypots, security researchers can step up their game. In this case, we have used a high-interaction honeypot to expose a vulnerable version of Elasticsearch to attack.

This vulnerable version allows a remote attacker to execute arbitrary code on the server (CVE-2015-5377). It is known that this vulnerability is being exploited in the wild to deploy backdoors on vulnerable servers.

A few days after setting up the bait, an attacker actually exploited the vulnerability and gained access to our honeypot.

In the following capture we can see the open connections on the honeypot: there are two connections opened by the elasticsearch user, both associated with files found in the /tmp/ folder:

[Screenshot: open network connections]

If we take a look at the /tmp/ folder, we find both files:

[Screenshot: listing of /tmp/]

And, taking a quick look at the honeypot’s logs, we can see the commands the attacker tried to execute through the vulnerability in order to gain persistence, even though they failed miserably, first of all because the machine is Linux, not Windows:

[Screenshot: attacker commands]

After a third attack and a successful exploitation, the attacker deployed a binary that we suspect is a bot for a DDoS botnet.

The attacker probably hopes to sell the botnet as a service, in order to launch attacks on demand against corporations and public entities.

As you can see, honeypots in all their forms are very useful, and their use isn’t limited to security companies. Any kind of company can benefit from them, for example by using them to detect intruders or attacks against the organization, or to defend itself better.

Victor Acín

Threat Intelligence Analyst
