
24hrs of HoneyD logs

2010/04/20

After the initial setup and configuration of HoneyD, I took a snapshot of the honeyd.log file once it had been running for a 24-hour period.

Running honeydsum against the log file produced some useful overview information. There were over 12000 connections to the emulated network, an average of one connection every 7 seconds. Despite the volume, most sources only initiated a handful of connections each, likely probing for one particular service before moving on.

Top 10 Source Hosts

Rank  Source IP        Connections
   1  124.207.85.200          3066
   2  203.113.137.181          984
   3  121.23.82.216             65
   4  79.114.107.90             65
   5  61.156.31.20              57
   6  62.215.178.163            48
   7  193.6.48.210              39
   8  24.161.18.4               37
   9  190.58.213.249            30
  10  195.8.36.144              30

The honeydsum summaries also suggest that the rate of incoming connections is roughly constant. The only real variation was between 17:00 and 18:00, and that spike coincides with source IP 124.207.85.200 running an ordered port sweep against a single target IP address, starting at TCP 1042 and running up to around TCP 1300. That one host accounts for roughly a quarter of all connections seen in the 24 hours. I'm not sure why anyone would scan this particular port range (if anyone can provide additional information to slake my curiosity I'd appreciate it), but the event explains the outliers in both the table above and the one below, and highlights the danger of drawing conclusions from a small data set: a single scanner can dominate a day's worth of logs.

Connections per Hour

Hour   Connections
00:00          329
01:00          325
02:00          281
03:00          366
04:00          360
05:00          322
06:00          300
07:00          299
08:00          258
09:00          369
10:00          317
11:00          324
12:00          423
13:00          367
14:00          351
15:00          479
16:00          486
17:00         3590
18:00          498
19:00          515
20:00          576
21:00          441
22:00          397
23:00          311

The table below summarises the targeted resources within the environment (the icmp entries are ICMP types, so 8/icmp is echo request and 3/icmp is destination unreachable). It shouldn't come as a surprise that the most popular targets were TCP ports 445 (SMB) and 135 (MS-RPC), which between them account for roughly two-thirds of all connections, and this is the case even though the honeyd configuration has no services listening on either port. If you are trying to gather data on a particular port or service, I would therefore suggest putting a filter (firewall, ACL, etc.) in front of honeyd to drop this noise before it reaches the honeypot and keep the log files relevant. If you still want a count of what was dropped, log it at the filter rather than discarding it silently; otherwise the filtered ports simply vanish from the summaries.

Top 10 Accessed Resources

Rank  Resource    Connections
   1  445/tcp            7349
   2  135/tcp            1086
   3  8/icmp              123
   4  22/tcp              102
   5  1433/tcp             95
   6  8080/tcp             73
   7  4899/tcp             52
   8  5900/tcp             39
   9  10000/tcp            39
  10  3/icmp               38
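The three honeydsum summaries above (top sources, connections per hour, top resources), the port-sweep outlier behind the 17:00 spike and the suggestion to filter 445/135 noise can all be reproduced from a raw honeyd.log with a short script. The one below is an added example written for this page, not honeydsum, honeyd-geoip.py or any other InfoSanity tool. It assumes the honeyd.log layout described in the honeyd documentation (timestamp, protocol, S/E/- flag, source, source port, destination, destination port, optional comment, with ICMP lines carrying type(code) where the source port would be); the log lines embedded in it are constructed for the example (124.207.85.200 is reused as the sweeping host from the table above, the rest are RFC 5737 test addresses) and are not data from the author's honeypot. The `ignore` parameter stands in for a firewall/ACL in front of honeyd and is this example's own invention.

```python
"""Summarise a honeyd.log extract the way honeydsum does and flag the
two things the post found by hand: an hourly spike and an ordered port sweep.

Added example for this page, not the honeydsum or honeyd-geoip.py tools.
Assumed honeyd.log line layout (from the honeyd documentation):
  <YYYY-MM-DD-HH:MM:SS.ffff> <proto>(<num>) <flag> <src> <sport> <dst> <dport> [comment]
flag S = connection start, E = connection end (dport is followed by
": <bytes received> <bytes sent>"), - = packet outside any connection.
ICMP lines carry "<type>(<code>):" where the source port would be; check
this against your own log before trusting the icmp counts.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample, not the author's data. 124.207.85.200 is the sweeping
# host from the post's table; the other addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
2010-04-20-17:03:12.1040 tcp(6) S 124.207.85.200 3401 192.0.2.10 1042 [Windows XP SP1]
2010-04-20-17:03:12.2010 tcp(6) S 124.207.85.200 3402 192.0.2.10 1043 [Windows XP SP1]
2010-04-20-17:03:12.3180 tcp(6) S 124.207.85.200 3403 192.0.2.10 1044 [Windows XP SP1]
2010-04-20-17:03:12.4220 tcp(6) S 124.207.85.200 3404 192.0.2.10 1045 [Windows XP SP1]
2010-04-20-17:03:12.5310 tcp(6) S 124.207.85.200 3405 192.0.2.10 1046 [Windows XP SP1]
2010-04-20-17:03:12.6400 tcp(6) S 124.207.85.200 3406 192.0.2.10 1047 [Windows XP SP1]
2010-04-20-17:03:12.7490 tcp(6) S 124.207.85.200 3407 192.0.2.10 1048 [Windows XP SP1]
2010-04-20-17:03:12.8580 tcp(6) S 124.207.85.200 3408 192.0.2.10 1049 [Windows XP SP1]
2010-04-20-17:03:20.0010 tcp(6) E 124.207.85.200 3401 192.0.2.10 1042: 0 0
2010-04-20-17:09:44.5120 tcp(6) S 203.0.113.7 4471 192.0.2.10 445 [Windows XP SP1]
2010-04-20-17:09:44.9900 tcp(6) S 203.0.113.7 4472 192.0.2.10 135 [Windows XP SP1]
2010-04-20-18:15:01.0000 icmp(1) - 198.51.100.9 8(0): 192.0.2.10: 56
2010-04-20-18:21:33.7710 tcp(6) S 198.51.100.9 55100 192.0.2.11 22
2010-04-20-18:40:02.1200 tcp(6) S 203.0.113.8 2210 192.0.2.11 445
2010-04-20-19:02:05.3300 udp(17) S 203.0.113.8 1434 192.0.2.10 1434
2010-04-20-19:30:17.4400 icmp(1) - 203.0.113.9 3(1): 192.0.2.10: 56
"""


def parse_line(line):
    """Split one honeyd.log line into a dict, or return None if it is not an event.

    'resource' follows honeydsum's "<port>/<proto>" or "<type>/icmp" style.
    """
    f = line.split()
    if len(f) < 7 or f[2] not in ("S", "E", "-"):
        return None
    proto = f[1].split("(")[0]
    hour = f[0][11:13]                                   # "2010-04-20-17:03:..." -> "17"
    try:
        if proto == "icmp":
            dport = None
            resource = f"{int(f[4].split('(')[0])}/icmp"  # "8(0):" -> "8/icmp"
        else:
            dport = int(f[6].rstrip(":"))                 # E lines read "1042: 0 0"
            resource = f"{dport}/{proto}"
    except ValueError:                                    # malformed port/type field
        return None
    return {"hour": hour, "src": f[3], "dst": f[5].rstrip(":"),
            "proto": proto, "dport": dport, "resource": resource, "flag": f[2]}


def summarise(log_text, ignore=()):
    """honeydsum-style counters: connection starts (S) and stray packets (-).

    E lines close a connection that was already counted, so they are skipped.
    'ignore' (hypothetical) mimics a firewall/ACL in front of honeyd: resources
    listed there never reach the counters, as the post suggests for 445/135.
    """
    sources, hours, resources = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["flag"] == "E" or ev["resource"] in ignore:
            continue
        sources[ev["src"]] += 1
        hours[ev["hour"]] += 1
        resources[ev["resource"]] += 1
    return sources, hours, resources


def spike_hours(hours, factor=3.0):
    """Hour buckets more than `factor` times the median hour.

    The post's 17:00 bucket (3590 against a median near 360) would trip this.
    """
    if not hours:
        return []
    med = median(hours.values())
    return sorted(h for h, n in hours.items() if n > factor * med)


def ordered_sweeps(log_text, min_run=3):
    """Sources that opened connections to >= min_run consecutive TCP ports on one
    target, i.e. the pattern behind the 17:00 outlier. Returns
    (src, dst, lowest port, highest port, longest consecutive run)."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["flag"] == "S" and ev["proto"] == "tcp":
            ports[(ev["src"], ev["dst"])].add(ev["dport"])
    hits = []
    for (src, dst), seen in ports.items():
        ordered = sorted(seen)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits.append((src, dst, ordered[0], ordered[-1], best))
    return hits


if __name__ == "__main__":
    srcs, hrs, res = summarise(SAMPLE_LOG)
    print("Top sources:   ", srcs.most_common(3))
    print("Per hour:      ", sorted(hrs.items()))
    print("Top resources: ", res.most_common(5))
    print("Spike hours:   ", spike_hours(hrs))
    print("Port sweeps:   ", ordered_sweeps(SAMPLE_LOG))
    print("Minus 445/135: ", summarise(SAMPLE_LOG, ignore={"445/tcp", "135/tcp"})[2])
```

Run it against a real honeyd.log by replacing SAMPLE_LOG with the file contents; the spike threshold and the minimum run length are deliberately crude, and on a full day's data the median-based check is what stops a single scanner from being mistaken for a change in background rate.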

In addition to running honeydsum, the data set was run through InfoSanity's honeyd-geoip.py script; the top 10 source countries are listed below. The results are likely skewed, as the largest 'location' in the results is 'None', presumably addresses that the GeoIP Country Lite database in use could not place at all. One feature of the result set is that the country of the public IP addresses used by the honeyd environment does not appear in the list; as infrastructure improves and botnets become more prevalent, today's malware no longer needs to target 'closer' IP addresses to remain efficient.

Top 10 Source Countries

Country             Count
None                  692
United States         196
Russian Federation    123
Taiwan                118
Brazil                109
Germany                99
Australia              99
China                  90
Romania                86
Italy                  82

— Andrew Waite

Categories: Honeypot, InfoSec, Malware
  1. Ion
    2011/12/29 at 17:55

    Hello Andrew, would it be possible to add a ‘honeyd’ category to your blog and assign all the relevant posts to it similarly to the ‘kippo’ category? It would be easier to browse honeypot-specific topics. Thanks for considering it 🙂

    • 2011/12/29 at 19:47

      Umm, I thought I had, to be honest. Will add it to the ToDo list.

    • 2011/12/29 at 19:52

      And… done. Hope this helps.

      • Ion
        2011/12/29 at 19:55

        Thanks a lot. After Kippo I’ll be moving to honeyd as well and this can help narrow down useful posts here 🙂

      • 2011/12/29 at 20:03

        Not sure I can guarantee anything useful, but there are honeyd posts here….

  2. dusti
    2013/10/25 at 23:20

    Hi Andrew, I am dusti… I use honeyd on a public IP, and what IP is used in the virtual honeyd?

  3. 2013/10/26 at 01:25

    Hello Andrew, I have a question:
    can HoneyD bind a public IP from the modem?
    Because I want to build HoneyD for detecting DDoS attacks.
    I hope you reply as soon as possible. Thanks.
