I think this has more to do with where you're hosted ({IP-space,
hosting provider} tuple) than the country or city in which your
honeypots are physically located: the policies of your hosting agent,
and their aggressiveness in policing those policies and/or abuse
complaints, as well as whatever edge filtering they might be doing,
the businesses that exist in their IP space, and such. Remember that
in most cases, attackers are going for the optimal value: what
provides the best intersection of quality, ease, quantity and cost of
attempting to compromise hosts. This varies with the specific value
model sought by the attacker, but the basic idea is obvious.

The interesting thing is that perhaps the space that kippo operates in
is less concerned about this? I would be very interested in seeing
what kippo-ssh running on an IP of an Alexa top 5k site saw. I would
bet the threat profile for trafficked sites is quite different from
that of the average honeypot.

It is interesting, because if you are attempting to SSH to a host,
you're pretty clearly not targeting the majority of the market share
(Windows desktops!), so what else might be different and interesting
about what you want to do? My guess is that while the majority of this
behavior would slot into one of several patterns, those several
(say 5 or 6) patterns might make up about 45% of the overall behavior,
with the rest of it being a very long and diverse tail.

Mass compromise typically has a different model than kids dicking
around, or targeted attackers. A mass compromiser wants to target space
where they (ideally) frequently succeed at bruting or guessing a
password, where there is typically value living on the compromised
host, and where the hosting provider isn't keen to their activity, or
doesn't care (admittedly, that's most providers, and I don't blame
them. Security isn't seen as a value add; they get paid to give a host
to you and the people you allow access to it, whether you meant to or
not. Anything else ought to cost them money, if their model is
efficient) to put broad controls in place.

--
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer