After the initial setup and configuration of HoneyD, I took a snapshot of the honeyd.log file after it had been running for a 24-hour period.
Running honeydsum against the log file generated some good overview information. Over 12,000 connections were made to the emulated network, averaging one connection every 7 seconds. Despite the volume of connections, each source generally initiated only a handful of them, most likely probing for a single particular service before moving on.
Top 10 Source Hosts
Rank  Source IP        Connections
   1  124.207.85.200          3066
   2  203.113.137.181          984
   3  121.23.82.216             65
   4  79.114.107.90             65
   5  61.156.31.20              57
   6  62.215.178.163            48
   7  193.6.48.210              39
   8  24.161.18.4               37
   9  190.58.213.249            30
  10  195.8.36.144              30
The summaries from honeydsum also suggest that the rate of incoming connections is generally constant. The only real variation was between 17:00 and 18:00, and that spike coincides with the source IP 124.207.85.200 running an ordered port sweep against a single target IP address, starting at TCP 1042 and running up to around TCP 1300. I’m not sure why anyone is scanning this particular port range (if anyone can provide additional information to slake my curiosity I’d appreciate it), but this single event explains the outliers in both the source host table above and the connections-per-hour table below, highlighting the dangers of drawing conclusions from a small data set.
Connections per Hour
Hour   Connections
00:00          329
01:00          325
02:00          281
03:00          366
04:00          360
05:00          322
06:00          300
07:00          299
08:00          258
09:00          369
10:00          317
11:00          324
12:00          423
13:00          367
14:00          351
15:00          479
16:00          486
17:00         3590
18:00          498
19:00          515
20:00          576
21:00          441
22:00          397
23:00          311
The table below summarises the targeted resources within the environment. It shouldn’t come as a surprise that the most popular targets were TCP ports 445 and 135, and this is the case even though the honeyd configuration has no services listening on those ports. From this I would suggest that, if you are trying to gather data on a particular port or service, you employ a filter (firewall, ACL, etc.) to block the noise before it reaches honeyd, so that the log files stay relevant.
Top 10 Accessed Resources
Rank  Resource    Connections
   1  445/tcp            7349
   2  135/tcp            1086
   3  8/icmp              123
   4  22/tcp              102
   5  1433/tcp             95
   6  8080/tcp             73
   7  4899/tcp             52
   8  5900/tcp             39
   9  10000/tcp            39
  10  3/icmp               38
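The counts above come from honeydsum; as an added example (not the post’s own script or honeydsum itself), the following Python reproduces the three summaries from raw honeyd.log records and flags the ordered port sweep that caused the 17:00 spike. The log layout it parses is my reading of honeyd’s -l format, and the sample records are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample in honeyd's "-l" log layout as I understand it from the manual
# (timestamp proto(num) S|E|- src sport dst dport[: sent recv] [OS]); not from the post.
SAMPLE_LOG = """\
2009-06-01-17:04:25.1234 tcp(6) S 124.207.85.200 3254 10.0.0.5 1042 [Windows XP SP1]
2009-06-01-17:04:25.2234 tcp(6) E 124.207.85.200 3254 10.0.0.5 1042: 0 0
2009-06-01-17:04:26.0001 tcp(6) S 124.207.85.200 3255 10.0.0.5 1043
2009-06-01-17:04:27.0001 tcp(6) S 124.207.85.200 3256 10.0.0.5 1044
2009-06-01-17:04:28.0001 tcp(6) S 124.207.85.200 3257 10.0.0.5 1045
2009-06-01-17:04:29.0001 tcp(6) S 124.207.85.200 3258 10.0.0.5 1046
2009-06-01-18:10:00.0001 tcp(6) S 61.156.31.20 4100 10.0.0.5 445
2009-06-01-18:10:01.0001 tcp(6) S 61.156.31.20 4101 10.0.0.6 445
2009-06-01-18:11:00.0001 icmp(1) - 193.6.48.210 10.0.0.5: 8(0): 84
"""

def parse(line):
    """Return (hour, proto, src, dst, resource) for a connection start, else None.
    'S' opens a TCP/UDP flow, 'E' closes it, '-' is a stateless (ICMP) record."""
    parts = line.split()
    if len(parts) < 6 or parts[2] not in ("S", "-"):   # count each flow once
        return None
    hour = parts[0][11:13]                     # YYYY-MM-DD-HH:MM:SS.ffff
    proto = parts[1].split("(")[0]
    src = parts[3]
    if proto == "icmp":                        # "... src dst: type(code): bytes"
        dst, resource = parts[4].rstrip(":"), parts[5].split("(")[0] + "/icmp"
    else:                                      # "... src sport dst dport[: sent recv]"
        dst, resource = parts[5], parts[6].rstrip(":") + "/" + proto
    return hour, proto, src, dst, resource

def summarise(log_text):
    """honeydsum-style counters plus each (src, dst) pair's TCP ports in arrival order."""
    by_src, by_hour, by_res = Counter(), Counter(), Counter()
    ports = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        hour, proto, src, dst, res = rec
        by_src[src] += 1
        by_hour[hour] += 1
        by_res[res] += 1
        if proto == "tcp":
            ports[(src, dst)].append(int(res.split("/")[0]))
    return by_src, by_hour, by_res, ports

def ordered_sweeps(ports, min_len=5):
    """Flag (src, dst) pairs whose TCP destination ports arrive in strictly increasing
    order, the pattern behind the 17:00 spike in the post; returns first and last port."""
    return {pair: (seq[0], seq[-1]) for pair, seq in ports.items()
            if len(seq) >= min_len and all(b > a for a, b in zip(seq, seq[1:]))}
```

On a real log, feed `open("honeyd.log").read()` to `summarise` and sort the counters with `most_common()` to rebuild the three tables; any pair returned by `ordered_sweeps` is a candidate outlier to exclude before reading the hourly rate.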
In addition to running honeydsum, the data set was run through InfoSanity’s honeyd-geoip.py script; the top 10 source countries are listed below. The results are likely skewed, as the largest ‘location’ in the results is ‘none’ according to the GeoIP Country Lite database being used. One notable feature of the result set is that the country of the public IP addresses used by the honeyd environment did not feature in the list at all. As infrastructure improves and botnets become more prevalent, today’s malware no longer needs to target ‘closer’ IP addresses to remain efficient.
None: 692
United States: 196
Russian Federation: 123
Taiwan: 118
Brazil: 109
Germany: 99
Australia: 99
China: 90
Romania: 86
Italy: 82
— Andrew Waite
Hello Andrew, would it be possible to add a ‘honeyd’ category to your blog and assign all the relevant posts to it similarly to the ‘kippo’ category? It would be easier to browse honeypot-specific topics. Thanks for considering it 🙂
Umm, thought I had, to be honest. Will add it to the ToDo list.
And… done. Hope this helps.
Thanks a lot. After Kippo I’ll be moving to honeyd as well and this can help narrow down useful posts here 🙂
Not sure I can guarantee anything useful, but there are honeyd posts here….
Hi Andrew, I am Dusti… I use honeyd on a public IP, and what IP is used in the honeyd virtual?
Hello Andrew, I have a question:
Can HoneyD bind a public IP from a modem?
Because I want to build HoneyD for detecting DDoS attacks.
I hope you reply as soon as possible. Thanks.