Comparitech researchers set up honeypots on the web to lure in attackers and record their actions. They recorded 73,000 attacks in 24 hours.
The honeypots were left unsecured so that no authentication was required to access and attack it. Using this method, Comparitech researchers sought to find out which types of attacks would occur, at what frequency, and where they come from.
In total, researchers recorded more than 73,000 attacks in a 24-hour period, or 51 attacks per minute. Back in 2007, an University of Maryland study recorded 2,244 attacks per day, a fraction of hat Comparitech researchers recorded in 2021.
Researchers found brute force SSH attacks were by far and aw the most common against the honeypot the researchers set up. SSH, or Secure Shell, is an encrypted protocol used to remotely access computers, manage servers and execute scripts. Here is a breakdown of the top attack types recorded:
- SSH brute force – Attempts to guess the passphrase for access to a server (57,763)
- TCP/UDP attacks – Attacks on services that use these protocols and packets. (5,237)
- Credential stealers – Malware scans the victim device for passwords and authentication tokens (4,094)
- RDP hijacking – Microsoft’s Remote Desktop Protocol can be compromised, giving attackers full remote control over a Windows device (2,204)
- Shellcode attacks – Attacks that attempt to remotely execute attacker’s code on the victim device, usually to exploit a software vulnerability (2024)
- ADB attacks – Attacks that leverage unsecured Android Debug Bridges, a command-line tool for Android devices including phones, streaming devices, and smart TVs
- Cisco ASA CVE exploitation or DoS – A specific attack that targets unpatched Cisco devices.
- Web attacks – Mostly attackers stealing credentials from web pages
- SMTP attacks – attacks on email servers and clients.
The top three ports attacked in descending order were 5900 (VNC), 22 (SSH), and 443 (HTTPS).
About 98% of the attackers' originating IP addresses were already in publicly-available blacklists. Researchers recorded attempts at unauthorized access from bots and crawlers (3), mass scanners (85), Tor exit nodes (101), and some disreputable IPs flagged by our monitoring tool (614). About two-thirds of the attacks came from unknown operating systems, which includes Macs among others. Of those we do know, 9.5% came from Windows devices, and 17.5% came from Linux devices.
Tracing an attack back to a specific country is a bit dubious, as many, if not most, attackers will use proxies to hide themselves. That being said, here’s the breakdown of attackers’ originating IPs by country:
- China – 32%
- Russia – 19%
- USA – 15%
- France – 7%
- Singapore – 5.5%
- Ireland – 5.5%
- Brazil – 4%
- Ukraine – 4%
- India – 4%
- South Korea – 3%
For the full blog and more findings, please visit https://www.comparitech.com/blog/information-security/honeypot-computer-study/