March 1st, 2004, 04:37 PM
Fascinating Honeypot Result
Hey all - I've begun to examine the data I've captured from my recent honeypot experiments, and have come across something I'd like to show you.
In my final honeypot, I had the following machine exposed to the internet:
-Windows XP (clean install, no patches or service packs)
-Uptime: Approx 10hrs 15min
-No shares with null passwords
-No server services running
I was mimicing a home PC with no/little security considerations. This was the third of three deployments (I cycled the DSL between each to ensure a different IP address was assigned to each host). Data capture was done with gateway logs, for incoming and outgoing connection addresses, Etheral for packet dump, and Snort IDS for alert logging.
The W32.gaobot worm eventually brought the PC down when if forced a reboot via the famous RPC exploit, but that's not the interesting part.
18 minutes into the deployment the honeypot starts getting pounded with SYN packets from a single address. This continues for 2 hours and 19 minutes, and effectively kills any and all other communication with the outside world.
Take a look at this chart showing the spike in sustained traffic.
Thereafter, the traffic returned to the expected NetBIOS scans, etc., leading up to the W32.gaobot compromise. This makes me think of a possible strategic scenario:
1) automated scan finds a vulnerable host.
2) DOS launched against host to disallow any others from compromising it until decision can be made.
3) decision is made to compromise host, DOS is stopped, host is compromised.
As I noted, I've changed IP addresses (and operating systems/footprints) between each honeypot, so I don't believe someone would know it's another honeypot and DOS it out of spite.
What's your opinion? I've not seen signatures of DOS attacks in the past, but the scenario above makes some sense to me.. Here's the dump of a single packet from the questionable traffic:
0000 00 08 e3 b9 45 02 00 04 61 a7 b0 a2 88 64 11 00 ....E... a....d..
0010 0f 05 00 2a 00 21 45 00 00 28 31 6f 00 00 80 06 ...*.!E. .(1o....
0020 12 59 44 a2 af d8 8d 9e 74 ef 50 62 13 78 00 00 .YD..... t.Pb.x..
0030 00 00 84 36 26 32 50 14 00 00 aa 85 00 00 ...6&2P. ......
BTW - I believe the source address of these packets is forged. I saw only DOS traffic from that particular host, and that host sent only DOS traffic.