Fascinating Honeypot Result

  1. #1

    Hey all - I've begun to examine the data I've captured from my recent honeypot experiments, and have come across something I'd like to show you.

    In my final honeypot, I had the following machine exposed to the internet:
    -Windows XP (clean install, no patches or service packs)
    -DSL connection
    -Uptime: Approx 10hrs 15min
    -No shares with null passwords
    -No firewalls
    -No server services running

    I was mimicking a home PC with no/little security considerations. This was the third of three deployments (I cycled the DSL between each to ensure a different IP address was assigned to each host). Data capture was done with gateway logs, for incoming and outgoing connection addresses, Ethereal for packet dump, and Snort IDS for alert logging.

    The W32.gaobot worm eventually brought the PC down when it forced a reboot via the famous RPC exploit, but that's not the interesting part.

    18 minutes into the deployment the honeypot starts getting pounded with SYN packets from a single address. This continues for 2 hours and 19 minutes, and effectively kills any and all other communication with the outside world.

    Take a look at this chart showing the spike in sustained traffic.

    Thereafter, the traffic returned to the expected NetBIOS scans, etc., leading up to the W32.gaobot compromise. This makes me think of a possible strategic scenario:
    1) automated scan finds a vulnerable host.
    2) DOS launched against host to disallow any others from compromising it until decision can be made.
    3) decision is made to compromise host, DOS is stopped, host is compromised.

    As I noted, I've changed IP addresses (and operating systems/footprints) between each honeypot, so I don't believe someone would know it's another honeypot and DOS it out of spite.

    What's your opinion? I've not seen signatures of DOS attacks in the past, but the scenario above makes some sense to me. Here's the dump of a single packet from the questionable traffic:

    0000 00 08 e3 b9 45 02 00 04 61 a7 b0 a2 88 64 11 00 ....E... a....d..
    0010 0f 05 00 2a 00 21 45 00 00 28 31 6f 00 00 80 06 ...*.!E. .(1o....
    0020 12 59 44 a2 af d8 8d 9e 74 ef 50 62 13 78 00 00 .YD..... t.Pb.x..
    0030 00 00 84 36 26 32 50 14 00 00 aa 85 00 00 ...6&2P. ......

    l00p

    BTW - I believe the source address of these packets is forged. I saw only DOS traffic from that particular host, and that host sent only DOS traffic.
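The first thing to do with a dump like the one posted above is to decode it rather than read it by eye. The decoder below is an added example (not code from the thread or from Ethereal/Snort): it parses the posted Ethereal-style hex dump back into bytes, walks Ethernet, the PPPoE session header a DSL line adds, PPP, IPv4 and TCP, verifies both the IP and TCP checksums, and names the TCP flags. For the posted bytes it reports an RST+ACK with sequence number 0 from 68.162.175.216:20578 to 141.158.116.239:4984 with both checksums valid, i.e. a reset of the kind a closed port returns to a SYN; establishing which direction a captured segment travels and whether its checksums verify is the step to take before reasoning about who sent it or whether the source is forged. The dump-parsing rule (offset column, up to 16 hex bytes, then an ASCII column) is assumed from the format shown in the post.

```python
import re
import struct
from ipaddress import IPv4Address

# The hex dump as it appears in post #1 (offset, 16 hex bytes, ASCII column).
POSTED_DUMP = """\
0000 00 08 e3 b9 45 02 00 04 61 a7 b0 a2 88 64 11 00 ....E... a....d..
0010 0f 05 00 2a 00 21 45 00 00 28 31 6f 00 00 80 06 ...*.!E. .(1o....
0020 12 59 44 a2 af d8 8d 9e 74 ef 50 62 13 78 00 00 .YD..... t.Pb.x..
0030 00 00 84 36 26 32 50 14 00 00 aa 85 00 00 ...6&2P. ......
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_hex_dump(text):
    """Turn an Ethereal-style hex dump back into raw bytes.

    Assumed layout per line: offset, up to 16 two-digit hex bytes, ASCII column.
    Parsing stops at the first token that is not a two-digit hex byte, so the
    ASCII column is never mistaken for packet data.
    """
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        for tok in tokens[1:17]:          # skip the offset column
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def ones_complement_sum(data):
    """RFC 1071 checksum fold over 16-bit words; valid data folds to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_frame(frame):
    """Decode Ethernet -> (PPPoE/PPP ->) IPv4 -> TCP into a dict of fields."""
    f = {}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    f["eth_src"] = ":".join("%02x" % b for b in src_mac)
    f["eth_dst"] = ":".join("%02x" % b for b in dst_mac)
    offset = 14
    if ethertype == 0x8864:               # PPPoE session stage, as on a DSL link
        _ver_type, _code, session, _length = struct.unpack("!BBHH", frame[14:20])
        (ppp_proto,) = struct.unpack("!H", frame[20:22])
        f["pppoe_session"] = session
        if ppp_proto != 0x0021:           # 0x0021 = IPv4 carried over PPP
            raise ValueError("unexpected PPP protocol 0x%04x" % ppp_proto)
        offset = 22
    elif ethertype != 0x0800:             # plain IPv4 over Ethernet
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)

    ip = frame[offset:]
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     _ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    f.update(ip_src=str(IPv4Address(src)), ip_dst=str(IPv4Address(dst)),
             ip_ttl=ttl, ip_id=ident, ip_proto=proto,
             ip_checksum_ok=ones_complement_sum(ip[:ihl]) == 0xFFFF)
    if proto != 6:
        return f

    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, _off_res, flags, window,
     _tcp_csum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))   # TCP pseudo-header
    f.update(tcp_sport=sport, tcp_dport=dport, tcp_seq=seq, tcp_ack=ack,
             tcp_window=window,
             tcp_flags=[name for bit, name in TCP_FLAG_NAMES if flags & bit],
             tcp_checksum_ok=ones_complement_sum(pseudo + tcp) == 0xFFFF)
    return f


def describe(f):
    """One-line summary in the spirit of a tcpdump/Snort print."""
    flags = f.get("tcp_flags", [])
    if flags == ["SYN"]:
        kind = "SYN (connection request)"
    elif "RST" in flags:
        kind = "RST (reset, the reply a closed port gives a SYN)"
    else:
        kind = "+".join(flags) or "non-TCP"
    return "%s:%s -> %s:%s %s ttl=%d seq=%d ack=0x%08x ip_csum_ok=%s tcp_csum_ok=%s" % (
        f["ip_src"], f.get("tcp_sport"), f["ip_dst"], f.get("tcp_dport"), kind,
        f["ip_ttl"], f.get("tcp_seq", 0), f.get("tcp_ack", 0),
        f["ip_checksum_ok"], f.get("tcp_checksum_ok"))


if __name__ == "__main__":
    print(describe(decode_frame(parse_hex_dump(POSTED_DUMP))))
```

The checksum verification is worth keeping in any such tool: a dump that has been retyped by hand will usually fail it, which tells you not to trust individual field values before trusting your interpretation of them.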

  2. #2
    That is very interesting. Good post!

  3. #3
    Senior Member (joined Oct 2002, 314 posts)
    InfiniteLoop,

    Interesting project, and yes, that approach could well be taken by an attacker. There have been a couple of studies like this conducted, and it is amazing the amount of malicious traffic that hits these servers. This is one of the problems when you first implement an IDS on a large corporate network: if you put a sensor outside the firewall you see huge volumes of traffic, and it takes a while to tweak the IDS.

    Are you seeing the SYN packets against any particular ports, or across the full range?
    Quis custodiet ipsos custodes

  4. #4
    Senior Member (joined Feb 2002, 518 posts)
    That's silly tho...
    OOOH an open box! It's MINE I say! MINE MINE MINE!
    Daffy duck syndrome.
    I just find that amazing someone would DoS it so no one else can hack it... lol
    guess if you want to zombie it, you gotta "claim" it... sheesh
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  5. #5
    Senior Member (joined Nov 2001, 4,786 posts)
    If you consider that whoever owns it can put an SMTP server on it and sell it to spammers, it's not so silly when you consider how many are in competition for them... but it is still just a guess.

    very interesting InfiniteL00p

    Do you plan to let it get compromised to see exactly what they will do?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Senior Member (joined Feb 2002, 518 posts)
    That is true... I can see some of these spammers paying to use a box that's not blacklisted or in ORDB... good point.

  7. #7
    The SYN packets are only coming against TCP 4984-4987, in a seemingly random order (it doesn't start and cycle one way). Perhaps this could mean there was more than one host sending the packets? (Well, that's a shot-in-the-dark assumption to make.)

    I could see someone DOS a host to grab a machine... the larger your bot network, the more powerful your DDoS attacks would be - or, as Tedob1 said, it would be a great use for a spammer.

    I failed to mention, but the only traffic that actually broke through (and only twice in that two hours) were single ping ECHO requests from a particular host (Snort tagged them as being from the CyberKit suite). From a recon perspective, this could be the actual attacker checking to see if the machine is still online, as a DOS attack with forged SYN packets would send my honeypot's responses into space... I'm going to check into this more this evening.

    l00p
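Two questions raised in this thread (post #3's "particular ports or the full range?" and post #1's "the source only ever sent DOS traffic") are exactly what a small detector over the gateway connection log can answer. The code below is an added example, not code from the thread or from any product mentioned in it. It runs over a constructed log (not the poster's real data) in an assumed format `T=<milliseconds> <src>:<sport> > <dst>:<dport> <flags>`, counts SYNs per source in a sliding window, records the spread of destination ports, and reports whether the source ever sent anything but SYNs. A source that floods SYNs and never follows up with an ACK or data is a hint, not proof, that the address is forged; the handshake replies to a spoofed source go, as the poster puts it, into space. The window size and threshold are assumptions to tune against a baseline.

```python
from collections import defaultdict, deque

# Constructed sample, RFC 5737 documentation addresses: 192.0.2.10 stands in for
# the honeypot, 203.0.113.9 for the flooding source, 198.51.100.5 for an ordinary
# NetBIOS scanner. Not the thread's real logs.
def build_sample_log():
    lines = []
    # sustained flood: 10 SYNs per second for 20 s, cycling four destination ports
    for i in range(200):
        lines.append("T=%d 203.0.113.9:%d > 192.0.2.10:%d S" % (i * 100, 1024 + i, 4984 + i % 4))
    # ordinary scanner: a few NetBIOS probes, one of which goes on to complete
    for i in range(5):
        lines.append("T=%d 198.51.100.5:%d > 192.0.2.10:139 S" % (3000 + i * 1000, 40000 + i))
    lines.append("T=8500 198.51.100.5:40004 > 192.0.2.10:139 A")
    return sorted(lines, key=lambda l: int(l.split()[0][2:]))


def parse_line(line):
    """'T=100 a.b.c.d:p > e.f.g.h:q FLAGS' -> (t_ms, src, sport, dst, dport, flags)."""
    t_field, src_field, _arrow, dst_field, flags = line.split()
    src, sport = src_field.rsplit(":", 1)
    dst, dport = dst_field.rsplit(":", 1)
    return int(t_field[2:]), src, int(sport), dst, int(dport), flags


def detect_syn_flood(lines, window_ms=10_000, threshold=50):
    """Return {src: summary} for every source whose SYN count within any
    window_ms-long sliding window reaches threshold."""
    recent = defaultdict(deque)                     # src -> SYN timestamps in window
    stats = defaultdict(lambda: {"syn": 0, "other": 0, "dports": set(), "peak": 0})
    for t, src, _sport, _dst, dport, flags in map(parse_line, lines):
        s = stats[src]
        if flags == "S":                            # bare SYN
            s["syn"] += 1
            s["dports"].add(dport)
            q = recent[src]
            q.append(t)
            while q and t - q[0] > window_ms:       # drop SYNs that left the window
                q.popleft()
            s["peak"] = max(s["peak"], len(q))
        else:                                       # anything past the first handshake step
            s["other"] += 1
    alerts = {}
    for src, s in stats.items():
        if s["peak"] >= threshold:
            alerts[src] = {
                "peak_syns_per_window": s["peak"],
                "total_syns": s["syn"],
                "dports": sorted(s["dports"]),      # answers "which ports?"
                "syn_only": s["other"] == 0,        # never completed anything: spoofing hint
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_syn_flood(build_sample_log()).items():
        print(src, info)
```

On the constructed log only 203.0.113.9 is reported: 101 SYNs in the busiest 10-second window, spread over ports 4984-4987, with no non-SYN segment ever seen from it. The scanner at 198.51.100.5 stays below threshold and, having sent an ACK, is clearly a real endpoint.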

  8. #8
    Junior Member (joined Dec 2003, 5 posts)
    Good post InfiniteL00p. Interesting to see how fast a computer can become infected or taken advantage of.
