Q3 2003 honeypot patterns
Long-form thinking on cyber defence, detection, and resilience — from Slackware-era honeypots through to AI-driven SOC analytics.
Showing posts tagged honeypot — 13 results.
Q3 2003 honeypot summary.
Full-year recap of honeypot data from 2002.
Q3 2002 has been a relatively quiet quarter for the honeypot. A short summary of what was observed.
The honeypot has been running steadily for over a year. The discipline of not changing things — leaving the configuration alone unless there is a clear reason — has been more useful than I had expected.
A full-year recap of honeypot data from 2001. The patterns across the year tell a clearer story than any single quarter did.
A quiet first week of the year. A short post on what I have been doing in the absence of any major news.
Q3 was the busiest quarter the honeypot has ever seen. A summary of the patterns observed across Code Red, Nimda, and the surrounding noise.
The Nimda outbreak produced a substantial volume of Sebek captures from my honeypot. A walk through what the captures show about the post-Nimda compromise environment.
A capture from my Sebek-instrumented honeypot reveals an unusually careful attacker. A walk through what they did, what we observed, and what defenders should know.
Following the honeypot range expansion, I have deployed the Sebek kernel module on the high-interaction host. A short note on the deployment and on what it captures.
I have expanded the honeypot from a single IP to a small range using Honeyd. The change has dramatically improved the visibility I have into scanning patterns.
Six months of honeypot operation has produced enough data to write a structured analysis. The patterns of attacker behaviour, ranked by frequency, with the defensive implication for each. This is the longer writeup I committed to.
Three months of careful observation of scan traffic against my honeypot has revealed a pattern: most of the scans hitting random IPs come from coordinated networks of compromised hosts, not individual attackers. The implications are significant.