Question N9
• What honeypot systems were attacked the most?
• What ports were open on each of them?
• Why do you think machines with close IP addresses were attacked differently?
What To Consider
Why should one honeypot be attacked more than another one?
Proportionally to its taste of 'honey' to an attacker, one would say.
Technically we have to consider the following:
• Were there different OSes?
• Had they maybe been fingerprinted before the attack took place?
We don't have stats on the OSes, but we do have (or we CAN get) information about the services running on the different machines, through the analysis of their communications!
• We should take a look at the TTL of the packets: different OSes forge packets with different initial TTL values.
• The ports they were talking from.
(20:55:16) Dani3l3: If I grep for 'RST' I get all the TCP reset packets
(20:55:28) Dani3l3: which are probably sent in response to a scan/attack of a port that's CLOSED
(20:55:42) Brennan: nice, good call
(20:55:45) Dani3l3: so we can also map services....for what is NOT running on machines
(20:55:56) Dani3l3: the other way around
So, for example, those where 135 is closed are Unix and not Windows for sure, just for once.
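The two ideas above (count packets per honeynet destination, then read the honeypot's own replies: SYN/ACK means the port is open, RST means it is closed, and the TTL it sends hints at the OS family) can be put together in a few lines. The script below is an added example, not part of the original analysis or of ACID; the packet summaries it parses are constructed, the addresses 10.0.0.5 and 192.0.2.9 are made up, and the TTL-to-OS table is a common heuristic (64 for Linux/BSD, 128 for Windows), not something the page measured.

```python
from collections import Counter

# Constructed packet summaries (NOT the scan's real capture). One packet per line:
#   src_ip src_port dst_ip dst_port tcp_flags ttl
# Flags use tcpdump's letters: S = SYN, SA = SYN/ACK, RA = RST/ACK.
# 10.0.0.5 is a made-up scanner; 192.0.2.9 is a made-up host outside the honeynet.
SAMPLE_PACKETS = """
10.0.0.5 40001 11.11.11.70 22 S 53
11.11.11.70 22 10.0.0.5 40001 SA 64
10.0.0.5 40002 11.11.11.70 80 S 53
11.11.11.70 80 10.0.0.5 40002 SA 64
10.0.0.5 40003 11.11.11.70 135 S 53
11.11.11.70 135 10.0.0.5 40003 RA 64
10.0.0.5 40004 11.11.11.70 443 S 53
11.11.11.70 443 10.0.0.5 40004 RA 64
10.0.0.5 40005 11.11.11.80 135 S 53
11.11.11.80 135 10.0.0.5 40005 SA 128
10.0.0.5 40006 11.11.11.80 139 S 53
11.11.11.80 139 10.0.0.5 40006 SA 128
10.0.0.5 40007 11.11.11.80 22 S 53
11.11.11.80 22 10.0.0.5 40007 RA 128
10.0.0.5 40008 192.0.2.9 80 S 53
"""

HONEYNET_PREFIX = "11.11.11."  # the honeypots' address block, as on the page

# Heuristic initial TTLs per OS family (assumption, not measured on the page).
# An observed TTL is rounded UP to the next value: every hop decrements it by one.
INITIAL_TTLS = {64: "Unix-like (Linux/BSD)", 128: "Windows", 255: "Solaris/Cisco-style"}


def parse_packets(text):
    """Turn the whitespace-separated summaries into dicts."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, flags, ttl = line.split()
        packets.append({"src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "flags": flags, "ttl": int(ttl)})
    return packets


def most_attacked(packets, prefix=HONEYNET_PREFIX, top=15):
    """Packets per destination inside the honeynet, most frequent first
    (the same count as ACID's 'Most Frequent Destination Addresses')."""
    counts = Counter(p["dst"] for p in packets if p["dst"].startswith(prefix))
    return counts.most_common(top)


def port_map(packets, honeypot):
    """Open and closed ports of one honeypot, read from its own replies.
    Only packets SENT BY the honeypot count: a scanner's RSTs (e.g. tearing
    down half-open connections) say nothing about the honeypot's ports."""
    open_ports, closed_ports = set(), set()
    for p in packets:
        if p["src"] != honeypot:
            continue
        if p["flags"] == "SA":          # SYN/ACK: something listens there
            open_ports.add(p["sport"])
        elif "R" in p["flags"]:         # RST: nothing listens there
            closed_ports.add(p["sport"])
    return sorted(open_ports), sorted(closed_ports)


def guess_os_from_ttl(packets, host):
    """OS family guess from the TTL of packets the host itself sent.
    The closer the capture point is to the host, the fewer hops have
    decremented the TTL and the more reliable the rounding is."""
    ttls = {p["ttl"] for p in packets if p["src"] == host}
    if not ttls:
        return "unknown"
    observed = max(ttls)
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return INITIAL_TTLS[initial]
    return "unknown"


def honeynet_report(text):
    """Per honeypot: hit count, open/closed ports and the TTL-based OS guess."""
    packets = parse_packets(text)
    report = {}
    for host, hits in most_attacked(packets):
        open_ports, closed_ports = port_map(packets, host)
        report[host] = {"hits": hits, "open": open_ports, "closed": closed_ports,
                        "os_guess": guess_os_from_ttl(packets, host)}
    return report


if __name__ == "__main__":
    for host, info in honeynet_report(SAMPLE_PACKETS).items():
        print(host, info)
```

On the constructed sample, 11.11.11.70 answers SYN/ACK on 22 and 80 but RST on 135 and 443 with TTL 64, so it is reported as Unix-like with 135 closed, while 11.11.11.80 answers on 135 and 139 with TTL 128 and is reported as Windows; the packet to 192.0.2.9 is ignored because it is not a honeynet destination, which is the filter the data_limit check on the page relies on.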
Most Attacked Honeypots
This considers the IP addresses 11.11.11.x as DESTINATION address.
The following is ACID's 'Most Frequent 15 Destination Addresses' pre-built query. Simple and lazy, as Dani@NL who ran it.
It obviously includes only honeynet members, but it could also have reported external hosts. This reassures us that data_limit worked (see LayoutHoney).
Network Layout - Setup (Also Open Ports)
Based on all of these considerations, we suppose the honeynet was structured as follows:
Honeypots That Were Compromised
Why Were They Attacked ?