Honeypots: Tracking Attacks Against Misconfigured or Exposed Services

Honeypots can be useful tools for gathering information on current attack techniques. Conversely, they can be an overwhelming source of data if you don’t have a specific goal in mind. I have been running a series of honeypots with rsync, FTP, SMB, and RDP services enabled and exposed to the internet throughout the month of August, evaluating weekly data sets to gather information on the overall volume and frequency of attacks against commonly misconfigured or exposed services associated with data loss. Based on the results, the data suggests that automated enumeration and attacks against these services are the most common threat. Given the sheer number of devices currently connected to the internet, it is easy for attackers to create botnets that number in the hundreds of thousands. For example, a 21-year-old in Vancouver, Washington was recently convicted for creating an Internet of Things botnet that contained approximately 800,000 devices. With just one botnet containing that many devices, that should give you a clear picture of the scale of malicious automated activity that takes place daily.
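The weekly evaluation described above can be reduced to a small aggregation step. The following is an added example, not code from the original post: it parses a constructed, hypothetical honeypot log format (timestamp, source IP, service, event), counts events per ISO week and service, and lists sources that touched more than one of the exposed services, which is a simple indicator of automated enumeration.

```python
# Added example: aggregate constructed honeypot connection logs by week and service.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format: timestamp, source IP, service, event).
SAMPLE_LOG = """\
2019-08-01T03:12:44Z 198.51.100.7 rdp connect
2019-08-01T03:12:45Z 198.51.100.7 rdp auth_fail
2019-08-01T09:40:02Z 203.0.113.5 ftp connect
2019-08-02T11:05:19Z 203.0.113.5 smb connect
2019-08-03T22:18:50Z 192.0.2.33 rsync list
2019-08-07T04:01:10Z 198.51.100.7 smb connect
2019-08-08T01:00:00Z 192.0.2.33 rsync list
2019-08-09T17:30:21Z 203.0.113.5 rdp connect
2019-08-12T05:45:00Z 198.51.100.9 ftp connect
"""

# The four services exposed on the honeypots discussed in the post.
SERVICES = ("rsync", "ftp", "smb", "rdp")

def parse_log(text):
    """Parse log lines into (datetime, source, service, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, service, event = line.split()
        if service not in SERVICES:
            continue  # ignore anything outside the honeypot's scope
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, src, service, event))
    return events

def weekly_volume(events):
    """Count events per (ISO week, service) so weekly data sets can be compared."""
    counts = defaultdict(Counter)
    for when, _src, service, _event in events:
        counts[when.isocalendar()[1]][service] += 1
    return {week: dict(c) for week, c in counts.items()}

def multi_service_sources(events):
    """Sources that hit more than one exposed service: a sign of automated enumeration."""
    seen = defaultdict(set)
    for _when, src, service, _event in events:
        seen[src].add(service)
    return sorted(src for src, svcs in seen.items() if len(svcs) > 1)

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(weekly_volume(evts))
    print(multi_service_sources(evts))
```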

A few definitions to get out of the way right up front:

  • Honeypot: intentionally misconfigured computer with vulnerable services exposed to the internet.

  • FTP: basic file transfer protocol that allows users to move files between networked computers.

  • SMB: Server Message Block protocol is another file sharing service that also allows network browsing and printing services.

  • RDP: Remote Desktop Protocol allows users to remotely access a network computer and use it like they normally would in person.

As you can see, all of these protocols allow for various forms of file sharing and remote access that could be problematic if th ..