
A Quench for some Honey

A blog about a cyber honeypot botnet attack


By: Paul Ronquillo

Honeypot (n): a security mechanism that creates a virtual trap to lure attackers. It is an intentionally vulnerable computer system that lets attackers exploit weaknesses so you can study their activity and improve your security policies.

Introduction

This project set up a cloud-based honeypot to capture and analyze the malicious traffic that reaches a network exposed to the internet. The objective of a honeypot is to make a system look intentionally weak in order to lure attackers. Learning how attackers try to compromise a network allows us to identify, classify, prioritize, remediate, and mitigate further attacks against the network. The instruments, or "gizmos", I used are listed below.

 

Using an EC2 instance running Debian 10 on AWS, I installed the honeypot software and got started.

Gizmos

AWS

Amazon Web Services provides on-demand cloud computing platforms and APIs to individuals, companies, and governments on a pay-as-you-go basis. The honeypot ran on an EC2 instance here.

Elastic

Elasticsearch is a highly scalable open-source full-text search and analytics engine. It lets you store, search, and analyze large volumes of data quickly and in near real time. In T-pot it holds every event the honeypots record.

Logstash

A server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it (in T-pot this includes adding GeoIP country data for each attacking IP), and then sends it to a "stash" such as Elasticsearch.

Kibana

The visualization front end for Elasticsearch, used for log and time-series analytics, application monitoring, and operational intelligence. T-pot's attack dashboards are Kibana dashboards.

SpiderFoot

A reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names, and more.

AbuseIPDB

A community IP reputation database (OSINT) where you can look up an attacking IP address to see whether others have already reported it for hacking, spamming, or other abusive activity, and report it yourself.

Technical Overview

First things first, I logged into my AWS account, went into EC2 instances, and got my T-pot server up and running.


T-pot was an excellent tool for this project because it ran 25 different honeypots simultaneously on one instance. It also bundled the ELK Stack (Elasticsearch, Logstash, and Kibana) for storing and visualizing the captured events, and the SpiderFoot OSINT tool for looking up the attackers.


After getting T-pot started, I left the EC2 instance (the honeypot) running for 8 hours to see how many attacks it would draw and what kind...


Attack Stats

8 hours of exposure, 3K+ attacks, 10 countries worldwide.

Only one attack was chosen for further analysis.
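As an added example (not code from the original post or from T-pot itself), here is how the figures in Attack Stats, the attack count for the 8-hour window, the number of distinct countries, and the one source chosen for deeper analysis, can be reproduced from events exported out of T-pot's Elasticsearch, together with the equivalent Elasticsearch terms aggregation you would run live. The sample events are constructed. The field names `@timestamp`, `src_ip`, `type` and `geoip.country_name`, the `logstash-*` index, and the window start time are assumptions modelled on what T-pot's Logstash pipeline writes; check them against your own index mapping in Kibana.

```python
"""Reproduce the Attack Stats from exported T-pot honeypot events.

Added example, not code from the original post or from T-pot itself.
The event shape (@timestamp, src_ip, type, geoip.country_name) and the
logstash-* index name are assumptions modelled on what T-pot's Logstash
pipeline writes into Elasticsearch; verify them against your own mapping.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WINDOW_START = datetime(2021, 5, 1, tzinfo=timezone.utc)  # assumed start of the 8-hour run
WINDOW_HOURS = 8

# Constructed sample events standing in for documents exported from Elasticsearch.
# Source addresses are from the RFC 5737 documentation ranges; "type" names the
# T-pot honeypot daemon that recorded the event.
SAMPLE_EVENTS = [
    {"@timestamp": "2021-05-01T00:05:12Z", "type": "Cowrie", "src_ip": "203.0.113.7", "geoip": {"country_name": "Netherlands"}},
    {"@timestamp": "2021-05-01T00:41:03Z", "type": "Cowrie", "src_ip": "203.0.113.7", "geoip": {"country_name": "Netherlands"}},
    {"@timestamp": "2021-05-01T01:12:45Z", "type": "Dionaea", "src_ip": "198.51.100.23", "geoip": {"country_name": "United States"}},
    {"@timestamp": "2021-05-01T02:03:09Z", "type": "Cowrie", "src_ip": "203.0.113.7", "geoip": {"country_name": "Netherlands"}},
    {"@timestamp": "2021-05-01T02:58:30Z", "type": "Honeytrap", "src_ip": "192.0.2.44", "geoip": {"country_name": "China"}},
    {"@timestamp": "2021-05-01T03:20:00Z", "type": "Cowrie", "src_ip": "198.51.100.23", "geoip": {"country_name": "United States"}},
    {"@timestamp": "2021-05-01T03:45:00Z", "type": "Cowrie", "src_ip": "198.51.100.77"},  # GeoIP lookup failed
    {"@timestamp": "2021-05-01T04:47:51Z", "type": "Cowrie", "src_ip": "203.0.113.7", "geoip": {"country_name": "Netherlands"}},
    {"@timestamp": "2021-05-01T05:15:22Z", "type": "Dionaea", "src_ip": "192.0.2.199", "geoip": {"country_name": "Russia"}},
    {"@timestamp": "2021-05-01T06:30:10Z", "type": "Cowrie", "src_ip": "203.0.113.7", "geoip": {"country_name": "Netherlands"}},
    {"@timestamp": "2021-05-01T07:59:59Z", "type": "Honeytrap", "src_ip": "192.0.2.44", "geoip": {"country_name": "China"}},
    {"@timestamp": "2021-05-01T08:00:00Z", "type": "Cowrie", "src_ip": "198.51.100.23", "geoip": {"country_name": "United States"}},  # just after the window
    {"@timestamp": "2021-04-30T23:59:59Z", "type": "Dionaea", "src_ip": "192.0.2.44", "geoip": {"country_name": "China"}},  # just before the window
]


def parse_ts(value: str) -> datetime:
    """Parse the UTC 'Z' timestamps Logstash writes into @timestamp."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(events, start=WINDOW_START, hours=WINDOW_HOURS):
    """Keep only events inside [start, start + hours); the end is exclusive."""
    end = start + timedelta(hours=hours)
    return [e for e in events if start <= parse_ts(e["@timestamp"]) < end]


def country_of(event) -> str:
    """GeoIP enrichment can be absent or partial; never let that raise."""
    return event.get("geoip", {}).get("country_name") or "Unknown"


def summarize(events):
    """Totals behind the Attack Stats panel: attacks, countries, honeypots hit, top sources."""
    sources = Counter(e["src_ip"] for e in events)
    honeypots = Counter(e["type"] for e in events)
    countries = Counter(country_of(e) for e in events)
    # Unresolved addresses are reported separately so they do not inflate the country count.
    known = {c for c in countries if c != "Unknown"}
    return {
        "attacks": len(events),
        "countries": len(known),
        "unresolved": countries.get("Unknown", 0),
        "by_honeypot": dict(honeypots),
        "top_sources": sources.most_common(3),
    }


def pick_for_analysis(events):
    """Choose the single source to dig into: the address with the most events."""
    if not events:
        return None
    ip, hits = Counter(e["src_ip"] for e in events).most_common(1)[0]
    mine = [e for e in events if e["src_ip"] == ip]
    return {
        "src_ip": ip,
        "events": hits,
        "country": country_of(mine[0]),
        "honeypots": sorted({e["type"] for e in mine}),
        "first_seen": min(e["@timestamp"] for e in mine),
        "last_seen": max(e["@timestamp"] for e in mine),
    }


def country_terms_query(hours=WINDOW_HOURS, size=10):
    """Elasticsearch query DSL for the same per-country count, run against logstash-*.

    The .keyword subfield assumes the default dynamic mapping for string fields.
    """
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{hours}h"}}},
        "aggs": {"by_country": {"terms": {"field": "geoip.country_name.keyword", "size": size}}},
    }


if __name__ == "__main__":
    window = in_window(SAMPLE_EVENTS)
    print(summarize(window))
    print(pick_for_analysis(window))
    print(country_terms_query())
```

The window end is exclusive and the two boundary events are dropped, so the counts match what a Kibana time picker set to exactly 8 hours would show. Addresses whose GeoIP lookup failed are counted as attacks but not as a country, which keeps a lookup failure from padding the "countries" figure. The most active source is a reasonable first pick for the one attack to analyze further; its first and last timestamps and the honeypots it touched are what you would then feed into AbuseIPDB and SpiderFoot.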
