We made a Honeypot, Here is what we Learned

We made a Honeypot, Here is what we Learned

What is a Honeypot?

At its core, a honeypot is a deliberately crafted server designed to attract attacks. Typically, these honeypots are equipped with intentionally weak or vulnerable applications and services. This strategic approach empowers security teams and organizations to gain invaluable insights into the tactics employed by malicious actors. This early awareness provides an opportunity for these teams to proactively respond, fortify their defenses, and preemptively address vulnerabilities to thwart potential attacks on their genuine infrastructure.

In our particular scenario, we established a honeypot mimicking a Synology NAS (Network Attached Storage) device, complete with a publicly accessible login page. Additionally, we deliberately exposed vulnerable applications like TELNET and FTP on the host. These outdated and insecure protocols often serve as prime targets for malicious actors seeking opportunities to exploit lax security measures.

The Scary Details

Over the course of a month-long experiment with our honeypot server, we observed a noteworthy volume of intrusion attempts, with certain instances successfully breaching our intentionally vulnerable applications. Below, we present a breakdown of the pertinent statistics we gathered throughout this assessment:

  • 5,248 Unique IPs Recorded: Over five thousand unique IP addresses attempted to break into our honeypot server. Each of these IP addresses may have attempted to break into the system multiple times.
  • 3,345 Unique IPs Attempted Several Methods: Out of the five thousand IP addresses we observed, over three thousand of them tried multiple attack methods against our honeypot. We determined this by keeping track of destination ports.
  • 112 Successful Break-Ins: Only 112 of the tens of thousands of login requests were successful and considered a breach. We specifically designed our honeypot to have weak or default credentials.
  • 36 Requests to FQDN vs. IPv4: In total 36 requests were made to the FQDNs (domain names) we had linked to our honeypot IPv4 address. We made sure that our honeypot server was discoverable by scanner and other data scraping services to further associate it with our services.

How does AstroVPN Benefit?

AstroVPN is on a mission to create future infrastructure fleets similar to our successful experiment. This initiative aims to continuously gather the most current data on infected and malicious hosts across the vast internet. Our goal is to integrate real-time threat intelligence features into our products. One such feature we're working on is the ability to block these malicious hosts through our DNS service, Vortex, offering users enhanced cybersecurity control and protection.

Furthermore, we are eager to leverage this acquired intelligence to actively combat internet abuse. One of our key strategies involves contributing to initiatives like AbuseIPDB.com, where we can automatically report the IP addresses of malicious actors. By doing so, we play a vital role in bolstering the reputation scores of these offending IPs, helping to deter and prevent ongoing attacks within the digital landscape.

In conclusion, honeypots provide valuable insights into cyber threats, bolstering our commitment to cybersecurity at AstroVPN. Our experimentation with a simulated Synology NAS and our plans to expand infrastructure for real-time threat intelligence and DNS-based host blocking demonstrate our dedication to enhancing user security. We're equally committed to proactive internet abuse reporting, playing an active role in preventing cyberattacks. As we continue to evolve and innovate, our focus remains on delivering advanced cybersecurity solutions and fostering a safer digital environment for all.