Honeypot Statistics Week 2 & 3

December 2, 2023

This is a compilation of the last two weeks of traffic analysis. As always, the data comes from a low-interaction honeypot deployment that exposes FTP, SSH, Telnet, HTTP, HTTPS, IMAP, and VNC services. Data is collected into a SIEM where it is correlated with location data and sent to a data visualization tool for report generation. Raw data is provided at the bottom of this post.

The past two weeks saw the United Kingdom as the top connecting country. This is largely due to the 88.91k connections from 144[.]126[.]206[.]248 on the VNC honeypot.

Despite this impressive number of connections, SSH remained the most targeted service with just shy of 150k connections. These were mostly performed by Chinese and U.S. addresses.

We were lucky enough to get some real directory traversal this time. However, it doesn’t seem like they know what they’re looking for with this bot.

The beautiful heat map is back as well, with connections from the previously mentioned VNC attacker and the classic Zhengzhou traffic dwarfing their respective surroundings.

Not much has changed from the previous week, but as always, the list of the top offenders is attached to this post. This is a CSV file with source addresses and targeted services sorted by connection count.
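A CSV like the one described above can be re-aggregated to check when a country's rank is driven by a single source, as with the VNC traffic noted earlier. This is an added example, not code or data from the original post. The column names, the 0.8 threshold, and all sample rows (documentation-range addresses) are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names are assumed, not the post's real CSV schema.
SAMPLE_CSV = """src_ip,service,country,connections
192[.]0[.]2[.]10,vnc,GB,9000
192[.]0[.]2[.]11,ssh,GB,300
198[.]51[.]100[.]7,ssh,CN,4000
198[.]51[.]100[.]8,ssh,CN,3500
203[.]0[.]113[.]5,ssh,US,2000
203[.]0[.]113[.]6,http,US,1200
"""

def refang(addr):
    """Turn a defanged address such as 192[.]0[.]2[.]10 back into 192.0.2.10."""
    return addr.replace("[.]", ".")

def load_rows(text):
    """Parse the CSV into (src_ip, service, country, connections) tuples."""
    return [(refang(r["src_ip"]), r["service"], r["country"], int(r["connections"]))
            for r in csv.DictReader(io.StringIO(text))]

def totals(rows, key_index):
    """Sum connections by the chosen column (1 = service, 2 = country), largest first."""
    out = defaultdict(int)
    for row in rows:
        out[row[key_index]] += row[3]
    return sorted(out.items(), key=lambda kv: kv[1], reverse=True)

def dominant_sources(rows, threshold=0.8):
    """Return {country: (src_ip, share)} where one source exceeds `threshold` of that country's total."""
    per_country = defaultdict(lambda: defaultdict(int))
    for src, _service, country, count in rows:
        per_country[country][src] += count
    flagged = {}
    for country, sources in per_country.items():
        total = sum(sources.values())
        src, count = max(sources.items(), key=lambda kv: kv[1])
        if total and count / total > threshold:
            flagged[country] = (src, round(count / total, 3))
    return flagged

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("by country:", totals(rows, 2))
    print("by service:", totals(rows, 1))
    print("single-source skew:", dominant_sources(rows))
```

Reporting the flagged share next to the country ranking keeps one noisy scanner from being read as a regional trend.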