Honeypot summary — first half of 2006

Half-year summary of honeypot data for the first half of 2006. The cumulative archive is now nearly seven years deep; the patterns visible across years are increasingly informative.

This post is shorter than the equivalent in previous years — the role transition has limited the time available for detailed analysis — but the headline observations are worth recording.

The volume

Rough numbers from the /27 Honeyd deployment:

  • Total connection attempts H1 2006: roughly 35% increase over H1 2005.
  • Distinct source IPs per month: approximately 60,000 (up from 50,000 in H1 2005).
  • Sebek captures of human-attacker activity: 6 sessions in H1 2006 (similar to historical baseline).
  • Mass-mailing propagation attempts: roughly 25% increase, dominated by Mytob variants.

The overall volume continues to grow, the protocol mix continues to shift, and the automated infrastructure behind the traffic continues to mature.

The protocol mix

The H1 2006 mix shifted from H1 2005:

  • HTTP-targeted: 38% (down from 42%).
  • SMB/NetBIOS: 28% (up from 25%). The increase includes a Mocbot/MS06-040 contribution.
  • Mail-borne propagation: 16% (up from 14%). Mytob variants and related families.
  • SSH brute-force: 10% (up from 8%). Continued professionalisation of brute-forcing operations.
  • Web-application probing: 6% (up from 4%). Precursors of the web-application worm category.
  • Other: 2%.

The shift toward web-application probing is the structurally interesting development. Attackers are looking for web-application vulnerabilities at scale, and the growing reconnaissance volume reflects the emergence of the category.
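As an added example, not code from the original post, this is the kind of script used to turn Honeyd connection logs into the distinct-source counts and protocol-mix percentages reported above. The sample lines are constructed in the Honeyd log layout (timestamp, protocol, S/E flag, source, source port, destination, destination port), the port-to-category buckets are my assumption, and web-application probing cannot be separated from plain HTTP at the connection layer.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Honeyd connection-log layout
# (timestamp proto S/E src sport dst dport [fingerprint]); not real captures.
SAMPLE_LOG = """\
2006-03-14-10:23:45.1234 tcp(6) S 203.0.113.7 3322 192.0.2.5 80 [Linux 2.4]
2006-03-14-10:23:46.0001 tcp(6) S 203.0.113.7 3323 192.0.2.5 445 [Windows XP SP1]
2006-03-14-11:02:11.5000 tcp(6) S 198.51.100.20 4010 192.0.2.9 445 [Windows 2000 SP4]
2006-03-15-02:17:09.7777 tcp(6) S 198.51.100.21 1025 192.0.2.9 25 [Windows XP SP1]
2006-04-01-08:00:00.0000 tcp(6) S 203.0.113.7 5001 192.0.2.12 22 [Linux 2.6]
2006-04-01-08:00:01.0000 tcp(6) E 203.0.113.7 5001 192.0.2.12 22: 120 340
2006-04-02-09:30:00.0000 udp(17) S 198.51.100.22 1029 192.0.2.12 137 -
2006-04-03-12:00:00.0000 tcp(6) S 192.0.2.250 6000 192.0.2.12 31337 [Linux 2.4]
"""

# Assumed destination-port buckets matching the categories used in the summary.
CATEGORIES = {
    "HTTP": {80, 443, 8080},
    "SMB/NetBIOS": {135, 137, 138, 139, 445},
    "Mail": {25},
    "SSH": {22},
}

LINE_RE = re.compile(
    r"^(\d{4})-(\d{2})-\d{2}-\S+ (tcp|udp)\(\d+\) (S|E|-) (\S+) (\d+) (\S+) (\d+)"
)

def categorise(port):
    for name, ports in CATEGORIES.items():
        if port in ports:
            return name
    return "Other"

def summarise(log_text):
    """Count connection starts per category and distinct sources per month.
    Only 'S' records are counted, so the 'E' (end) record of the same flow
    does not double-count it."""
    by_cat = Counter()
    sources_by_month = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "S":
            continue
        year, month, _proto, _flag, src, _sport, _dst, dport = m.groups()
        by_cat[categorise(int(dport))] += 1
        sources_by_month[f"{year}-{month}"].add(src)
    total = sum(by_cat.values())
    mix = {c: round(100 * n / total, 1) for c, n in by_cat.items()} if total else {}
    return mix, {k: len(v) for k, v in sources_by_month.items()}
```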

Sebek captures of note

Three captures from H1 2006 are worth noting briefly.

A skilled-attacker session in March featured careful enumeration, kernel-rootkit deployment and deliberate cleanup of on-host artefacts. The pattern matches the careful-attacker class I have been documenting since 2002; detailed forensic analysis is in progress.

A web-application reconnaissance session in May. The attacker compromised the host through standard exploitation but spent substantial time examining the host's web infrastructure rather than deploying conventional malware. The intent appears to have been to stage the host as a phishing-page hosting platform; my outbound filtering disrupted the workflow.

A botnet-builder session in June: standard exploitation followed by IRC bot deployment, an attempted plugin download and attempted scanning for additional targets. The pattern matches the Phatbot/Agobot family I have been writing about; the overall behaviour is operationally familiar.

The captures reinforce familiar patterns. Skilled-attacker activity continues at low but consistent volume; bot-builder activity dominates the automated spectrum; web-application reconnaissance is emerging as a distinct category.

What the cumulative data shows

Three observations are visible across the multi-year cumulative archive.

The baseline activity continues to step up. Each year's baseline exceeds the previous year's. The cumulative compromised-host substrate produces ongoing scan and propagation traffic that does not fully decay.

Category shifts are visible. Web-application probing was negligible in 2003, meaningful in 2005 and substantial in 2006. The category trajectory is structurally important.

The skilled-attacker proportion remains stable. Despite the broader threat-landscape evolution, the rate of careful-attacker captures is approximately constant across years. The skilled-attacker population is bounded; the broader threat landscape is dominated by automated activity.

The cumulative trajectory points toward continued growth in attack volume, continued category diversification, and continued importance of structural defensive disciplines.

What I am doing differently for H2

Two changes for the second half.

Continued sustained operation. The role transition has affected the time available for detailed analysis, but the underlying capture infrastructure continues. The cumulative archive grows regardless of analysis cadence.

Continued contribution to the broader Honeynet Project. Sanitised case studies from the captures continue to feed into the cross-operator analysis; the contribution this half is bounded by available time.

What I expect for H2 2006

Three predictions:

Continued elevated baseline. 95%. No structural change visible.

At least one major worm event. 60%. The Vista release and year-end incident pressure both point toward such an event.

Continued web-application probing growth. 85%. The category trajectory will continue.

For my own continued operation: the discipline continues. The cumulative archive grows. Subsequent honeypot summaries will inform the structural assessments.

More in time.
