Hacker News
by floobertoober 872 days ago
I have a hard time believing those are all honeypots. I think it is more likely that deployment configurations (with LBs, proxies, etc.) are more varied than the author expects. It doesn't surprise me at all that there are overlapping and missing indicators of different services exposed on a single port.

Unfortunately, a lot of those are honeypots, even though the number might be unbelievable. A quick look on the first page shows this one[1] claiming to be a PHP web server serving a Java application(!), this other one[2] claims to be an embedded system web server, this one[3] claims that it's a streaming service, this one[4] claims it's a Mac OS X server (how long has it been obsolete again?).

And those are just the headers! Just taking a cursory look at [4], I can see it is claiming to be an ASP.NET server being served by a TP-Link device on one port, all the while also being a QNAP device on another, and also another PHP application served through thttpd. All the while running on AWS...

[1] https://www.shodan.io/host/44.204.245.187
[2] https://www.shodan.io/host/13.246.35.40
[3] https://www.shodan.io/host/16.171.64.23
[4] https://www.shodan.io/host/44.204.245.187
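The check the comment above applies by hand (a single responder claiming two runtimes on one port, or one host claiming to be several different devices across ports) can be scripted over banner data. The script below is an added example, not code from this thread or from Shodan; the host records are constructed to resemble the cases described, not real Shodan output, and the regex claim table and the two conflict rules are illustrative assumptions. It deliberately does not treat the `Server:` header as a runtime claim, because a load balancer such as BIG-IP rewrites it in front of a real application (the Confluence case discussed later in the thread).

```python
"""Flag hosts whose banners make mutually exclusive identity claims.

Added example (not from the thread or from Shodan). Host records below are
constructed; the claim patterns and conflict rules are illustrative assumptions.
"""
import re

# What a banner says about the application runtime behind one port.
# "Server:" is intentionally absent: proxies and load balancers rewrite it.
RUNTIME_CLAIMS = {
    "php": re.compile(r"x-powered-by:\s*php", re.I),
    "aspnet": re.compile(r"x-powered-by:\s*asp\.net", re.I),
    "java": re.compile(r"jsessionid=", re.I),          # servlet container cookie
}

# What a banner says about the physical device, compared across all ports.
DEVICE_CLAIMS = {
    "tplink": re.compile(r"tp-?link", re.I),
    "qnap": re.compile(r"qnap", re.I),
    "macosx": re.compile(r"mac os x", re.I),
}


def claims_in(banner, table):
    """Return the set of claim names whose pattern matches the banner."""
    return {name for name, pattern in table.items() if pattern.search(banner)}


def assess_host(banners):
    """banners: {port: raw banner text}. Returns conflicts found and a verdict."""
    conflicts = []

    # Rule 1 (per port): one HTTP responder does not run on PHP and ASP.NET
    # and a Java servlet container at the same time.
    for port, banner in sorted(banners.items()):
        runtimes = claims_in(banner, RUNTIME_CLAIMS)
        if len(runtimes) > 1:
            conflicts.append(f"port {port}: runtimes {sorted(runtimes)}")

    # Rule 2 (per host): one box is not a TP-Link router, a QNAP NAS and a Mac.
    devices = set()
    for banner in banners.values():
        devices |= claims_in(banner, DEVICE_CLAIMS)
    if len(devices) > 1:
        conflicts.append(f"host: device identities {sorted(devices)}")

    return {"conflicts": conflicts, "suspect": bool(conflicts)}


# Constructed sample hosts (not real Shodan data).
CONSTRUCTED_HOSTS = {
    # PHP header plus a Java session cookie on one port, and two different
    # embedded vendors across ports: the pattern the comment describes.
    "suspect": {
        80: "HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\nX-Powered-By: PHP/7.4\r\n"
            "Set-Cookie: JSESSIONID=1A2B; Path=/\r\n",
        8080: "HTTP/1.1 200 OK\r\nServer: TP-LINK HTTPD\r\nX-Powered-By: ASP.NET\r\n",
        8443: "HTTP/1.1 200 OK\r\nServer: http server 1.0\r\n<title>QNAP Turbo NAS</title>\r\n",
    },
    # Confluence behind an F5: the Server header names the load balancer and
    # the body names the app. Only one runtime claim, so no conflict.
    "fronted": {
        443: "HTTP/1.1 200 OK\r\nServer: BIG-IP\r\nSet-Cookie: JSESSIONID=9F8E; Path=/\r\n"
             "<title>Log In - Confluence</title>\r\n",
    },
}

if __name__ == "__main__":
    for name, banners in CONSTRUCTED_HOSTS.items():
        verdict = assess_host(banners)
        print(f"{name}: suspect={verdict['suspect']}")
        for line in verdict["conflicts"]:
            print("  -", line)
```

Run against real data, the banner dict would come from a Shodan host record (one entry per open port); the point of the two rules is that a proxy or load balancer can explain a surprising `Server:` header, but it cannot explain a single port that advertises two runtimes or a single IP that advertises two different embedded-device vendors.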

I'm stupid, so please be patient: who puts up these honeypots? Why are they there? (I know in principle what a honeypot is.)
I do, and I'm not a security researcher (not really).

If nothing else, it's fun to see who pokes you, even if I don't actually follow up on it.

Thanks!
Conspiracy Theory: The proliferation of honeypots is due to secret government contracts attempting to corrupt the usefulness of Shodan and the like.
Automated Chaff for the information age.
Note that all of them have been flagged as honeypots by Shodan (see the "Tags" section below the IP in the top left).
My thoughts exactly after seeing how many Confluence servers were reporting as F5 devices. That's exactly what BIG-IP does...

I wouldn't conclude that to be a honeypot. If anything, BIG-IP and Confluence are frequently used by the same kinds of companies, so I would expect the majority of that first query to be real Confluence servers. Queries 2-4 probably did a better job filtering out real honeypots.

In reality, there might be about as many honeypots as there are real Confluence servers, which is still far too many, but not quite as extreme a disparity as suggested by the numbers in this article.

Maybe they are actually real Confluence servers pretending to be honeypots. It's like the iocaine powder scene from Princess Bride.
Is it at all possible that some widely deployed security product has a Confluence honeypot as a standard feature?