[IanGabes]

My team and i run some different honeypot solutions, and we base a lot of them off of cowrie. As pointed out by previous comments, most interactions are not so interesting, except for the fact that many cowrie based honeypots imitating IoT devices have their attackers running a simple script that pulls down a number of second stage binaries, for a variety of cpu architectures.

One downside to running software like cowrie is that generally speaking crawlers like shodan will be able to figure out that you are running a honeypot, and will have you fingerprinted in a hurry.

A better strategy for increasing the cost of an attack is actually implementing something i read about on HN called a ssh tarpit, where one can "hang" an incoming ssh connection indefinitely. A lot of the attacks on honeypots are automated, so instead of having a 3 second attack, one can waste the attackers time for about 30s to 1m on average as these scripts have very generous timeouts (and sometimes no timeouts at all).

[bediger4000]

I believe you're thinking of "endlessh" - https://nullprogram.com/blog/2019/03/22/

I have endlessh running on my internet-facing server. Here's the current suckers:

p222149-ipngn200203toyamahon.toyama.ocn.ne.jp:45763

14.33.133.188:59757

121.204.198.213:53240

I think all those have stayed connected for some days. But a lot scanners don't fall for it anymore. Since July 17th, I've had 60868 ssh connections, mean 195.817 sec, median 19.124 sec, max 886283.605 sec. The distribution is skewed much shorter than 10 days, however. Half the connections last less than 20 seconds, by eye around 15. 25% of the connections last between 30 and 40 seconds, and about 10% last around 50 seconds.

[tastroder]

> ssh tarpit

Interesting, like slow request attacks in reverse? Is that actually useful for something? It seems like that would just needlessly burn resources on your end. The majority of attacks on my instance seem to have come from other infected routers/devices/etc. that pretty much perform these attacks for free.

[IanGabes]

Depends on your goals! If you are defending a network, increasing the cost of attack is something we actively try to optimize for. It costs me next to nothing to hold a socket open and send a keep alive every 15 seconds or so, in addition to the extra threat intel from the initial connection.

You might have a point, and maybe i should try to turn these subjective feelings into harder metrics in terms of cost, but we have figured at this point it has a net good. If we slow the scanning down by a magnitude, in my opinion its a good thing!

[tastroder]

Ah, sure, if it works why not, I would have expected most scans being too distributed for this to have noticable impact. Thanks for the explanation.

[bediger4000]

Is there any research on what proportion of services (ssh, telnet, FTP, WordPress) have to be honey pots or tar pits for it to make a difference?

I've been running honey pots or tar pits for years out of a belief that anyone who can has an ethical duty to do so, to slow down the attacks on those who can't.

[IanGabes]

I havent seen anything terribly relevant, most of the thesis projects i have seen are more interested in creating realistic and believable honeypots for specific protocols, eg RDP.

In my experience, honeypots and tarpits are not the same sort of thing, and fufill different goals. Tarpits get you more utilitarian good, honeypots get you more representative threat intel.

[bediger4000]

Thank you, and good points. From the view point of increasing the utility of scanning for weak-password ssh ports, a honeypot and a tarpit are both entities the human setting up the scanning would like to avoid. I think that ultimately a human looking for easily-guessed ssh or telnet or whatever passwords would want to avoid tarpits and honeypots equally. They might have to code differently for a tarpit than a honeypot, but the goal would be to detect and avoid instances of both things. What proportion of "something to detect and avoid" would cause a scanner to be less than profitable, or just give up?

To illustrate: I've been giving the people that staff robocaller's "service centers" a hard time for years. I believe that my phone number is in some of their systems as a "bad actor" - I've occasionally heard an audible, computer-generated voice telling the "service rep" that this is a known troublesome number. They also occasionally hang up on me a sentence in to the script. I usually tell them I'm Edward Snowden, but you can call me Ed. That gets a hangup maybe 5% of the time. So giving them a hard time wastes their resources enough that at least a few boiler room/"service centers" put effort towards avoiding me, and the few others like me. What proportion of resource-wasters would it take to make them quit?