roberto.metere@ncl.ac.uk
I wanted to figure out some numbers...
So - classic - I set up a honeypot detecting attacks
This will partially answer the previous question with a lower bound – at least n attacks
What is our honeypot?
email phishing
remote control*
vulnerable web servers
download and run malicious software
ransomware
Custom SSH Server
We setup a virtual machine
- • exposed port 22 to the Internet
- • dynamic IP address
The honeypot audits
- • hackers' IP address
- • username attempted*
- • fail/success**
Patience was the key!
The honeypot detected more than
1
million
hacking attempts from mid June to mid November ∼ 5 months
Daily attacks detected
We : ,
Most wanted!
Top ten of ~30K usernames*:
- ▸root 59.63%
- ▸admin 1.99%
- ▸test 0.74%
- ▸user 0.67%
- ▸ubuntu 0.45%
- ▸postgres 0.32%
- ▸oracle 0.34%
- ▸ftpuser 0.31%
- ▸git 0.21%
- ▸guest 0.20%
* none of them succeeded - passwords were all 40 random characters
IP-based geo-location of attacks!
Top ten of ~15K locations:
- ▸Nanjing China
- ▸Beijing China
- ▸Nowhere France
- ▸Nowhere UK
- ▸Guangzhou China
- ▸Nowhere China
- ▸Johannesburg South Africa
- ▸Nowhere else China
- ▸Shanghai China
- ▸Saint Petersburg Russia
Conclusion
Our rigorous security joke shown that
- ▸our perception may fail – we already knew
- ▸we should really do the security updates ASAP
- ▸non-targeted attacks come from all over our beloved flat Earth!
It'd be nice to show evidence, e.g. with a survey, on the gap between
perception and measurement
Thanks for listening!
Questions?Curiosity & discussion ideas
- ▸Methodology and findings shall be enough, tiger!
- ▸Yeah! It's quite risky to host a honeypot home
- ▸What happens if listening to a different port?
- ▸Can we evaluate against different password strengths?
- ▸Attacks may depend on
- •the ISP and other traffic at home
- •access to the gray and dark web
- •server configuration