Honeypot Statistics Week #1

November 17, 2023

Honeypot statistics from November 10th – 16th. This is a low-interaction honeypot exposing FTP, SSH, Telnet, HTTP, HTTPS, IMAP, and VNC services. Data is collected into a SIEM, where it is correlated with location data and sent to a data visualization tool for report generation. Raw data is provided at the bottom of this post.

This week, 108.06k connections were observed, coming from 3196 unique addresses. They were primarily from China, the United Kingdom, and the United States. China made up 36% (38.84k) of all traffic.

SSH was the most targeted service, encompassing 65.59% (70.88k) of all traffic. This was followed by VNC at 17.96% (19.41k) and Telnet at 10.84% (11.72k).

The address with the most connections was 144[.]126[.]206[.]248, which exclusively targeted VNC. This address made 18.71k, or 36.39% of all connections. It is located outside of London and accounts for approximately 94% of all traffic from the United Kingdom.

Additionally, the most common authentication attempt was root:password, with 171 connections across all services attempting those credentials.

For HTTP and HTTPS connections, the most requested URI was ‘/’ with 447 requests. This was followed by /.env and /favicon.ico, at 55 and 52 requests respectively.

Digital Ocean, Tencent Net AP Shenzhen, and ChinaNet Backbone were the top 3 ASNs identified. Combined, they made up approximately 52% of all traffic.

The following heatmap displays all traffic to the honeypot.

The raw CSV data is below.
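One way to derive the figures in this report from a connection-level CSV export, as an added example that is not part of the original post. The column names (src_ip, country, service, username, password, uri) and the sample rows are assumptions constructed for illustration, not the schema of the post's own data.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names are assumptions (the post's real CSV
# schema is not shown); addresses are RFC 5737 documentation ranges.
SAMPLE_CSV = """src_ip,country,service,username,password,uri
198.51.100.7,GB,vnc,,1234,
198.51.100.7,GB,vnc,,admin,
198.51.100.7,GB,vnc,,password,
203.0.113.5,GB,ssh,admin,admin,
192.0.2.10,CN,ssh,root,password,
192.0.2.10,CN,ssh,root,password,
192.0.2.11,CN,ssh,root,password,
192.0.2.12,US,http,,,/
192.0.2.12,US,https,,,/
192.0.2.13,US,http,,,/.env
"""

def pct(part, total):
    return round(100 * part / total, 2) if total else 0.0

def summarize(csv_text, top_n=3):
    """Weekly summary in the shape of the report: totals, shares, top source."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    total = len(rows)
    services = Counter(r["service"].lower() for r in rows)
    countries = Counter(r["country"] for r in rows)
    sources = Counter(r["src_ip"] for r in rows)
    # Count only attempts that supplied both a username and a password.
    creds = Counter(f'{r["username"]}:{r["password"]}' for r in rows
                    if r["username"] and r["password"])
    uris = Counter(r["uri"] for r in rows
                   if r["service"].lower() in ("http", "https") and r["uri"])
    summary = {
        "connections": total, "unique_addresses": len(sources),
        "services": [(s, n, pct(n, total)) for s, n in services.most_common(top_n)],
        "countries": [(c, n, pct(n, total)) for c, n in countries.most_common(top_n)],
        "credentials": creds.most_common(top_n), "uris": uris.most_common(top_n),
    }
    if sources:  # an empty export has no top source to describe
        ip, n = sources.most_common(1)[0]
        mine = [r for r in rows if r["src_ip"] == ip]
        home = mine[0]["country"]
        summary["top_source"] = {
            "ip": ip, "connections": n, "pct_of_all": pct(n, total),
            "services": sorted({r["service"].lower() for r in mine}),
            "country": home, "pct_of_country": pct(n, countries[home]),
        }
    return summary
```

Calling summarize() on the text of a real export with the same columns returns the totals, the per-service and per-country shares, the top credential pairs and URIs, and the busiest source with its share of overall and same-country traffic.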
