Friday night, playing again with #honeypots <3
The installation was very smooth, and the end result is neat. Don't try to run this with 4GB of memory, because it's not gonna work. T-Pot requires at least 8GB (note to self: rtfm).
The number of attacks received always impresses me. Less than 45 minutes after installation and the numbers are staggering.
👉🏿5,030 Dionaea attacks
👉🏿1,375 Cowrie attacks
Well, let's be honest, I didn't just run 1 T-Pot. 😂
Ah, my fellow country hackers 😅
Numbers going up nicely. Only 2 hours running. 🍿
The morning after deploying honeypots is like Christmas. Wake up early, way too excited to see what gifts are there for you!
For those interested, I installed a full version of T-Pot (@dtag_dev_sec). The server(s) where I have this installed have 8GB RAM/4CPU. T-Pot has around 20 different honeypots, an ELK suite, and pre-built Kibana dashboards. T-Pot GitHub repository is: github.com/telekom-securi…
Already having Kibana loading issues. It's incredible how much memory it requires. 8GB seemed enough, but now it's just struggling to load.
Alright, here we go. At least one dashboard loaded. An all time low around 1am, but got more active after that. This is after 14 hours since start time.
I was expecting numbers to be higher by now.
Interesting related paper that uses T-Pot data as their dataset: "Identifying Attack Propagation Patterns in Honeypots using Markov Chains Modeling and Complex Networks Analysis" (2016)
cyber.bgu.ac.il/wp-content/upl…
Less than 48 hours after. Nice. And yes, I know. 🙏🏽
48 hours later, the Kibanas are completely unresponsive, the memory of the servers is completely depleted and I am almost unable to type commands via ssh because it is super slow. Probably more than 8GB of memory is needed to run this for longer times.
It seems the real memory issue is due to Logstash, not Kibana. And that's a component you probably do not want to turn off. I see no real solution here except increasing memory, which is costly.
After a week, 3 out of 5 T-Pot installations crashed, and therefore stopped collecting data. Memory issues. The instances, all the same specs, had 8GB of RAM. The other two instances struggled but somehow survived. A quick walkthrough of the observed attacks 👇🏿
Attacks per honeypot:
Dionaea - Attacks: 272,295
Cowrie - Attacks: 65,919
Honeytrap - Attacks: 18,260
Rdpy - Attacks: 7,510
Heralding - Attacks: 7,137
Mailoney - Attacks: 775
Adbhoney - Attacks: 274
Tanner - Attacks: 171
Ciscoasa - Attacks: 131
CitrixHoneypot - Attacks: 78
Dionaea is, as usual, the most attacked. The majority of attacks come from Vietnam, India, and Indonesia.
Cowrie has a good 65,919 attacks. This seems a bit low for what we are used to seeing on SSH/Telnet ports. Surprisingly (?) most of the attacks are coming from Ireland, Russia, and Panama.
Adbhoney received 274 attacks. Again most attacking IPs are well known offenders. Most attacks come from China, South Korea, and Russia.
The Ciscoasa honeypot received 131 attacks. Interestingly, most attacks come from a single country: US.
Heralding honeypot received 7,137 attacks. The majority of attacks come from Republic of Moldova and Seychelles. These two attacking IPs are well known offenders.
The top attacking country in this observation is Vietnam.
The end. EOM.