The other day a friend of mine shared a link to a new academic paper that was just released by two researchers at the University of Cambridge, Alexander Vetterl and Richard Clayton. They wanted to see if they could create a technique to identify publicly accessible honeypots without having to log in to them or otherwise go through the motions of actually attacking them. For anyone not familiar with the term, a honeypot is a system that is purposely left exposed in one or more ways in the hope of identifying people attempting to access it. Defenders use them to spot people who may be looking around their networks, while researchers and security professionals use them to observe new and innovative techniques that are being used across the Internet. The bottom line, though, is that for a honeypot to be effective, it is important that people not realize it is a honeypot.
To accomplish this, the team ran a large number of experiments to find the subtle differences between how a honeypot handles connection attempts and how the legitimate software it is trying to emulate handles them. Take, for example, an SSH packet that is purposely malformed. OpenSSH rejects it with the message “Bad packet length”, while Kippo, a popular SSH honeypot, instead responds with “bad packet length”. While the difference is extremely subtle (a capital ‘B’), it is enough to betray the honeypot to an attacker before they have had to do anything that would actually expose themselves to it. By collecting such differences, the team was able to craft a specific probe for each of SSH, Telnet and HTTP that determined, with a very high degree of accuracy, whether a system was legitimate or a honeypot.
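To make the idea concrete, here is a small Python example of this kind of single-probe fingerprinting. It is an added illustration, not the researchers' scanner, and the only fact it takes from the paper is the capital-B difference quoted above. The probe layout (a client banner followed by a binary packet with an absurd length field), the two sample replies, and the assumption that each server answers with a plaintext SSH_MSG_DISCONNECT packet in the RFC 4253 format are all constructed assumptions for illustration.

```python
"""Fingerprint an SSH service from its reaction to a malformed packet.

Added example, not the paper's scanner. The only fact taken from the
paper is that OpenSSH replies to a bad packet with "Bad packet length"
while Kippo replies with "bad packet length". The probe bytes, the
sample replies and the wire-level details of each reply are constructed
assumptions (RFC 4253 binary packet and SSH_MSG_DISCONNECT layout).
"""
import socket
import struct

SSH_MSG_DISCONNECT = 1

# Signature table: (case-sensitive prefix of the disconnect text, label).
# Matching is exact-case on purpose: the capital 'B' is the whole tell.
SIGNATURES = [
    ("Bad packet length", "OpenSSH-like"),
    ("bad packet length", "Kippo-like honeypot"),
]


def build_probe(banner: bytes = b"SSH-2.0-probe\r\n") -> bytes:
    """Client banner followed by a deliberately malformed binary packet.

    packet_length is set to 0xFFFFFFFF, far above the 35000-byte minimum
    limit in RFC 4253 s6.1, so any implementation must reject it before
    key exchange and reveal its error text. (Assumed probe layout; the
    paper's exact probe is not reproduced here.)
    """
    bad_length = struct.pack(">I", 0xFFFFFFFF)
    return banner + bad_length + b"\x00" * 8


def parse_disconnect(packet: bytes):
    """Parse a plaintext SSH binary packet carrying SSH_MSG_DISCONNECT.

    Returns (reason_code, description) or None if the bytes are not a
    well-formed disconnect message. Every length is bounds-checked so a
    hostile or truncated reply cannot raise.
    """
    if len(packet) < 5:
        return None
    packet_length = struct.unpack(">I", packet[:4])[0]
    padding_length = packet[4]
    if packet_length < padding_length + 1 or len(packet) < 4 + packet_length:
        return None
    payload = packet[5:4 + packet_length - padding_length]
    if len(payload) < 9 or payload[0] != SSH_MSG_DISCONNECT:
        return None
    reason = struct.unpack(">I", payload[1:5])[0]
    desc_len = struct.unpack(">I", payload[5:9])[0]
    if len(payload) < 9 + desc_len:
        return None
    description = payload[9:9 + desc_len].decode("utf-8", errors="replace")
    return reason, description


def classify(reply: bytes) -> str:
    """Map a raw reply to a label using case-sensitive prefix matching."""
    parsed = parse_disconnect(reply)
    if parsed is None:
        return "unknown (no parseable disconnect)"
    _, description = parsed
    for prefix, label in SIGNATURES:
        if description.startswith(prefix):
            return label
    return "unknown (" + description + ")"


def make_disconnect(description: bytes, reason: int = 2) -> bytes:
    """Build a plaintext SSH_MSG_DISCONNECT packet (for constructed samples)."""
    payload = (bytes([SSH_MSG_DISCONNECT]) + struct.pack(">I", reason)
               + struct.pack(">I", len(description)) + description
               + struct.pack(">I", 0))  # empty language tag
    padding = 4  # RFC 4253 minimum padding
    body = bytes([padding]) + payload + b"\x00" * padding
    return struct.pack(">I", len(body)) + body


# Constructed sample replies, not captured from real hosts.
SAMPLE_OPENSSH = make_disconnect(b"Bad packet length 4294967295.")
SAMPLE_KIPPO = make_disconnect(b"bad packet length 4294967295")


def probe_host(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Send the probe to a live host and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(256)               # discard the server's banner line
        sock.sendall(build_probe())
        reply = sock.recv(4096)
    return classify(reply)


if __name__ == "__main__":
    for name, sample in (("openssh", SAMPLE_OPENSSH), ("kippo", SAMPLE_KIPPO)):
        print(name, "->", classify(sample))
```

The point of the design is that `classify` never needs a login attempt or a shell command: one malformed packet, one reply, and a case-sensitive string comparison decide the verdict. Running `probe_host` against a real server requires that the target reply in the assumed plaintext disconnect format; against anything else the function returns an "unknown" label rather than guessing.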
The team then scanned the majority of the Internet and detected 7,605 honeypot instances across 6,125 IP addresses. Of the honeypots identified, 2,844 were SSH, 1,429 were Telnet and 2,616 were HTTP. Within the US, the majority (1,358 of them) were hosted on Amazon Web Services, while DigitalOcean and Google Cloud were also popular choices. It is important to note that these are only honeypots that are publicly accessible from the Internet, not systems internal to a network.
The paper is well written and a pretty fast read with some really good information. I would encourage anyone interested in honeypots, or even just cyber security in general, to spend a few minutes reading it. The paper can be found at https://www.cl.cam.ac.uk/~amv42/papers/vetterl-clayton-bitter-harvest-woot-18.pdf