Geo targeting?


Mohab Ali

Jun 19, 2012, 9:35:11 AM
to kippo...@googlegroups.com
Do attackers target some areas more than others?

Because I had a kippo honeypot running on a Canadian host (iWeb networks) and the honeypot was pretty busy, but recently I installed kippo on one of my VPS's in Linode (UK/London node) and it's not as busy as the other one is.

It's been two weeks so I think they had enough chance to attack.

Here are the two stats (note it's 40 days and 14 days, so do the math):



40 days stats in the Canadian host
Total tries: 219710
Unique IPs attempts: 205
Files wget'd: 40
Unique passwords: 34354


14 days stats in a UK host
Total tries: 5034
Unique IPs attempts: 25
Files wget'd: 1
Unique passwords: 5034

Andrew Smith

Jun 19, 2012, 12:25:57 PM
to kippo...@googlegroups.com
I've definitely noticed this sort of thing before, but it never stays the same.

I had a UK Linode before that saw more honeypot (admittedly dionaea, not kippo) traffic than I'd ever seen before. I think it varies over time and is caused by many different factors.

It would be pretty interesting to read some serious research into it!

Doing the math on your data I don't think there's a huge difference between 1.78 unique attackers per day and 5 attackers per day.


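The per-day comparison Andrew does by hand, carried through for all four kippo counters from the two posts above, plus a rough rate-ratio interval for the unique-attacker rate. This is an added example, not code from the thread; the `HoneypotStats` container and the Poisson assumption behind the interval are mine.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class HoneypotStats:
    """Counters as kippo reports them, plus the observation window in days."""
    label: str
    days: int
    tries: int
    unique_ips: int
    files_fetched: int
    unique_passwords: int


# Figures copied from the two stats blocks posted in this thread.
CANADA = HoneypotStats("iWeb (Canada), 40 days", 40, 219710, 205, 40, 34354)
UK = HoneypotStats("Linode (UK), 14 days", 14, 5034, 25, 1, 5034)


def per_day(stats: HoneypotStats) -> dict:
    """Normalize raw counters so windows of different length can be compared."""
    return {
        "tries_per_day": stats.tries / stats.days,
        "ips_per_day": stats.unique_ips / stats.days,
        "tries_per_ip": stats.tries / stats.unique_ips,
        "passwords_per_try": stats.unique_passwords / stats.tries,
    }


def rate_ratio(a: HoneypotStats, b: HoneypotStats, z: float = 1.96):
    """Ratio of unique-attacker rates a/b with an approximate 95% interval.

    Assumption (mine): new attacker IPs arrive as a Poisson process. Scanners
    really arrive in bursts, so treat the interval as a rough guide only.
    """
    ratio = (a.unique_ips / a.days) / (b.unique_ips / b.days)
    se = math.sqrt(1 / a.unique_ips + 1 / b.unique_ips)  # se of log(ratio)
    lo = math.exp(math.log(ratio) - z * se)
    hi = math.exp(math.log(ratio) + z * se)
    return ratio, lo, hi


if __name__ == "__main__":
    for s in (CANADA, UK):
        print(s.label, {k: round(v, 2) for k, v in per_day(s).items()})
    r, lo, hi = rate_ratio(CANADA, UK)
    print(f"unique attackers/day, Canada:UK = {r:.2f} (95% CI {lo:.2f}-{hi:.2f})")
```

The UK box saw every attempt with a distinct password (passwords_per_try of 1.0), while the Canadian box was hit by far longer wordlists per source, which is a different kind of traffic rather than just less of it.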

Kyle Creyts

Jun 19, 2012, 1:14:56 PM
to kippo...@googlegroups.com
I think this has more to do with where you're hosted ({IP-space,
hosting provider} tuple) than the country or city in which your
honeypots are physically located: the policies of your hosting agent,
and their aggressiveness in policing those policies and/or abuse
complaints, as well as whatever edge filtering they might be doing,
the businesses that exist in their IP space, and such. Remember that
in most cases, attackers are going for the optimal value: what
provides the best intersection of quality, ease, quantity and cost of
attempting to compromise hosts. This varies with the specific value
model sought by the attacker, but the basic idea is obvious.

The interesting thing is that perhaps the space that kippo operates in
is less concerned about this? I would be very interested in seeing
what kippo-ssh running on an IP of an Alexa top 5k site saw. I would
bet the threat profile for trafficked sites is quite different from
that of the average honeypot.

It is interesting, because if you are attempting to SSH to a host,
you're pretty clearly not targeting the majority of the market-share
(windows desktops!) so what else might be different and interesting
about what you want to do? My guess is that while the majority of this
behavior would slot into one of several patterns, that those several
(say 5 or 6) patterns might make up about 45% of the overall behavior,
with the rest of it being a very long and diverse tail.

Mass compromise typically has a different model than kids dicking
around, or targeted attackers. A mass compromiser wants to target space
where they (ideally) frequently succeed at bruting or guessing a
password, where there is typically value living on the compromised
host, and where the hosting provider isn't keen to their activity, or
doesn't care (admittedly, that's most providers, and I don't blame
them. Security isn't seen as a value add; they get paid to give a host
to you and the people you allow access to it, whether you meant to or
not. Anything else ought to cost them money, if their model is
efficient) to put broad controls in place.
--
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer

Kyle Creyts

Jun 19, 2012, 1:19:15 PM
to kippo...@googlegroups.com
On Tue, Jun 19, 2012 at 12:14 PM, Kyle Creyts <kyle....@gmail.com> wrote:
> I think this has more to do with where you're hosted ({IP-space,
> hosting provider} tuple) than the country or city in which your
> honeypots are physically located. the policies of your hosting agent,
> and their aggressiveness in policing those policies and/or abuse
> complaints, as well as whatever edge filtering they might be doing,
> the businesses that exist in their IP space, and such.
To be clear, I'm not saying those are the largest factors, but I would
imagine they carry some weight. Of course, what type of
instance/slice/host/OS options the provider offers and in what volume,
whom their clientele are, and what the base security configuration
looks like also probably impact these numbers very significantly.
> Remember that
> in most cases, attackers are going for the optimal value: what
> provides the best intersection of quality, ease, quantity and cost of
> attempting to compromise hosts. This varies with the specific value
> model sought by the attacker, but the basic idea is obvious.
>
> The interesting thing is that perhaps the space that kippo operates in
> is less concerned about this? I would be very interested in seeing
> what kippo-ssh running on an IP of an Alexa top 5k site saw. I would
> bet the threat profile for trafficked sites is quite different from
> that of the average honeypot.
>
> It is interesting, because if you are attempting to SSH to a host,
> you're pretty clearly not targeting the majority of the market-share
> (windows desktops!) so what else might be different and interesting
> about what you want to do?

To be fair, you might be targeting web hosts that you might pivot by
hosting malware or exploits upon. Or you might be building a DDoS
botnet or something. Still seems inefficient unless you are
well-trafficked.

Mohab Ali

Jun 19, 2012, 2:50:14 PM
to kippo...@googlegroups.com
Thanks for your input man.

And I wish you had mentioned the Alexa thing two months ago; the company I work for (news/misc blogging sites) is ranked 2K in Alexa.
But I don't have root access anymore (the new hosting company won't offer support if they give out the root logins).