
    Fingerprinting honeypots

    Some malware families run specific commands to detect traps whose emulation of those commands is incomplete. Attackers keep changing their fingerprinting methods to get around the countermeasures that protect honeypots from being identified. Those countermeasures recognise when an attacker is probing for a honeypot and return fake data, so that the trap passes for a real system. For example, one malware family reads /proc/cpuinfo to determine the processor type and family: most Cowrie deployments report the same processor architecture.


    Work under high loads

    Opening a popular port (for example, 21, 22, 23 or 80) to the Internet leads almost immediately to connection attempts from various hosts, and the longer the port stays open, the more bots try to infect the service. For a static IP address running the same service for over twelve months, the infection rate (the number of sessions trying to install malware on the honeypot host) was about 4,000 in 15 minutes. The attacking IP addresses are not all unique: we have observed a single attacker trying to infect the machine many times.


    A large number of connections places a significant load on both the network stack and the emulation stack of the trap. In our experience, Cowrie can handle 10,000 simultaneous sessions on a single honeypot. For heavily loaded systems, balancing the load across multiple Docker containers at the kernel level can be a solution, and it is easily implemented with the netfilter module built into the kernel.
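    One way to set up the kernel-level balancing described above, as an added example that is not from the original article: a small POSIX shell generator that prints iptables DNAT rules using the netfilter statistic match (nth mode) to spread new TCP connections on a public port across N Cowrie containers. The container addresses and the backend port 2222 are assumed values; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Generates (does not apply) iptables NAT rules that spread new TCP
# connections on a public port across N Cowrie containers using the
# netfilter "statistic" match in nth mode. Connection tracking then keeps
# every later packet of a session on the same container and un-NATs the
# replies, because the nat table only sees the first packet of a flow.
#
# Assumptions (hypothetical values): each container listens on the
# backend port and is reachable on the Docker bridge at the address given.

# gen_rules <public_port> <backend_port> <backend_ip>...
# Rule i of N matches every (N-i+1)th connection that reaches it, so each
# backend ends up with a 1/N share; the final backend takes what is left
# and therefore needs no statistic match.
gen_rules() {
    public_port=$1; backend_port=$2; shift 2
    total=$#; i=0
    for ip in "$@"; do
        i=$((i + 1))
        remaining=$((total - i + 1))
        if [ "$remaining" -gt 1 ]; then
            match="-m statistic --mode nth --every $remaining --packet 0 "
        else
            match=""
        fi
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s %s-j DNAT --to-destination %s:%s\n' \
            "$public_port" "$match" "$ip" "$backend_port"
    done
}

# Example: public SSH port 22 spread across three containers (constructed
# addresses). Review the output, then pipe it into sh on the honeypot host.
gen_rules 22 2222 172.18.0.2 172.18.0.3 172.18.0.4
```

    Docker installs its own NAT rules, so on a real host check with `iptables -t nat -S PREROUTING` that the generated rules are evaluated before Docker's and that forwarding to the bridge is permitted.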


    "Residential" and "corporate" IP addresses

    Our telemetry data suggests that the most advanced botnet operators check the AS name (autonomous system name) of the network and primarily target IP addresses that belong to ISPs serving residential customers. The reason is clear: if a router has an IP address that belongs to, for example, Amazon or DigitalOcean, it may well be a virtual private server (VPS) rather than a home router.


    Long-term use of the same IP address

    It is important to change the honeypot IP addresses periodically. Botnet operators themselves try to track honeypots, so after a while the public IP addresses of the traps become known to cybercriminals and the number of attacks on them decreases. In addition, we believe that lists of honeypot IP addresses are being sold on the dark web.
