by IanGabes 2487 days ago
I haven't seen anything terribly relevant; most of the thesis projects I have seen are more interested in creating realistic and believable honeypots for specific protocols, e.g. RDP.

In my experience, honeypots and tarpits are not the same sort of thing, and fulfill different goals. Tarpits get you more utilitarian good, honeypots get you more representative threat intel.

1 comments

Thank you, and good points. From the viewpoint of increasing the utility of scanning for weak-password ssh ports, a honeypot and a tarpit are both entities the human setting up the scanning would like to avoid. I think that ultimately a human looking for easily-guessed ssh or telnet or whatever passwords would want to avoid tarpits and honeypots equally. They might have to code differently for a tarpit than a honeypot, but the goal would be to detect and avoid instances of both things. What proportion of "something to detect and avoid" would cause a scanner to be less than profitable, or just give up?

To illustrate: I've been giving the people that staff robocallers' "service centers" a hard time for years. I believe that my phone number is in some of their systems as a "bad actor" - I've occasionally heard an audible, computer-generated voice telling the "service rep" that this is a known troublesome number. They also occasionally hang up on me a sentence into the script. I usually tell them I'm Edward Snowden, but you can call me Ed. That gets a hangup maybe 5% of the time. So giving them a hard time wastes their resources enough that at least a few boiler room/"service centers" put effort towards avoiding me, and the few others like me. What proportion of resource-wasters would it take to make them quit?