Full-year recap of honeypot data from 2002, following the pattern from 2001.
The annual shape
Q1: baseline. About 15,000 sources/quarter.
Q2: gradual increase. About 18,000.
Q3: Slapper plus residual Code Red. About 22,000.
Q4: BugBear plus continuing residuals. About 20,000.
Total for 2002 was lower than 2001 (which had the Code Red/Nimda explosion). The post-2001 baseline has been consistently elevated.
Attack mix
Dominant categories shifted slightly:
- HTTP-targeted: 55% (down from 60% in late 2001).
- SMB/NetBIOS: 18% (up from 15%).
- Mail-borne probes: 8%.
- SSH brute-force: 7%.
- Other: 12%.
The SMB increase is notable. SMB-targeted attack tools matured through 2002, and their deployment is now showing up in scan patterns.
What this teaches
The baseline is elevated; the mix is shifting toward SMB; major-incident frequency was lower than in 2001, but residuals continue.
More as 2003 develops.