Aposemat IoT Honeypots: 2019 In Review

2019 was a great year at the Stratosphere Laboratory! In this short blog post we want to show some stats about our Aposemat IoT Project and the hardware honeypots we installed last year!

Aposemat is a project focused on IoT devices and infections, and is supported by the Computer Science Department of the Czech Technical University and Avast Antivirus Software. Last year we installed 5 hardware IoT honeypots in our lab, and we also have a dozen honeypots running Cowrie and other honeypot tools. From these devices we capture their traffic and ingest it into our monitoring system (Splunk). This blog post focuses only on the five hardware honeypots.

On these five hardware honeypots we currently receive more than 1M attacks daily, from all over the world. In 2019 we received more than 14 million attacks. The map below shows where the attacks originated.

Our IoT honeypots were attacked from all over the world. This map shows where the attacks originated from.

As mentioned above, we received 14.8M attacks, out of which 10M were established connections. Counting established connections is useful because it lets us distinguish mere connection attempts (port scans, for example) from actual successful connections.

Our monitoring shows that out of the 14M attacks, 10M were successful connections to our honeypots.

Nowadays most of the attacks we see are automated. This is reflected in the average duration of the connections: our stats show that, on average, connections rarely last more than 3 minutes. There are exceptions, however; we observed long connections, sometimes lasting almost one hour. Similarly, most attacking IoT bots log in to a service and then attempt to download something once inside, which is why the largest data transfer by attackers does not exceed 66Kb.

Most of the attacks seen nowadays are automated; this is reflected in the duration of connections and the amount of data transferred.

The top list of offending countries brings no surprises: Russia, Vietnam, India, the USA and Brazil lead, generating almost half of the total observed attacks.

Top attacking countries in 2019.

It is interesting to compare the top 10 attacking IPs between all connections and established connections only. Most IPs are the same, but their positions in the ranking shift a little. Some IPs may be doing other types of attacks, such as port scans.

The list of attacking IPs. All connections (left) and only established connections (right).

The top 5 attacked services are 445 (SMB), 80 (Web), 5000 (unknown, we are looking into this), 23 (Telnet) and 22 (SSH).
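As an added illustration (not code from the Aposemat project or its Splunk setup), the following shows how the established-versus-attempted split and the other stats above (average and maximum duration, largest transfer, top ports, top source IPs for all versus established connections) can be computed from flow records. It assumes a Zeek conn.log-style connection state field and uses constructed sample flows with RFC 5737 test addresses.

```python
from collections import Counter
from statistics import mean

# Constructed sample flows (not real Aposemat data). Field layout is an assumption,
# modelled on Zeek conn.log: source IP, destination port, connection state,
# duration in seconds, bytes sent by the responder (the honeypot).
FLOWS = [
    {"src": "192.0.2.10",   "dport": 23,   "state": "S0",  "dur": 0.0,    "bytes": 0},
    {"src": "192.0.2.10",   "dport": 22,   "state": "S0",  "dur": 0.0,    "bytes": 0},
    {"src": "192.0.2.10",   "dport": 445,  "state": "SF",  "dur": 12.5,   "bytes": 1800},
    {"src": "198.51.100.7", "dport": 23,   "state": "SF",  "dur": 95.0,   "bytes": 64000},
    {"src": "198.51.100.7", "dport": 80,   "state": "REJ", "dur": 0.0,    "bytes": 0},
    {"src": "203.0.113.5",  "dport": 445,  "state": "SF",  "dur": 3400.0, "bytes": 900},
    {"src": "203.0.113.5",  "dport": 5000, "state": "SF",  "dur": 2.0,    "bytes": 300},
    {"src": "203.0.113.9",  "dport": 5000, "state": "S0",  "dur": 0.0,    "bytes": 0},
]

# Zeek states in which the TCP handshake completed; S0 (SYN only) and REJ
# (SYN answered by RST) are the typical signature of scanning, not a session.
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}


def is_established(flow):
    """True when the flow represents a successful connection, not just an attempt."""
    return flow["state"] in ESTABLISHED


def summarize(flows):
    """Compute the per-period statistics reported in the post from raw flow records."""
    est = [f for f in flows if is_established(f)]
    return {
        "attacks": len(flows),
        "established": len(est),
        # Durations and transfers only make sense for sessions that actually opened.
        "avg_duration_s": mean(f["dur"] for f in est) if est else 0.0,
        "max_duration_s": max((f["dur"] for f in est), default=0.0),
        "max_bytes": max((f["bytes"] for f in est), default=0),
        "top_ports": Counter(f["dport"] for f in flows).most_common(5),
        # Ranking shifts between "all" and "established" reveal pure scanners.
        "top_src_all": Counter(f["src"] for f in flows).most_common(3),
        "top_src_established": Counter(f["src"] for f in est).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(FLOWS).items():
        print(f"{key}: {value}")
```

In the sample, 192.0.2.10 tops the all-connections ranking but drops behind 203.0.113.5 once only established connections are counted, which is the kind of shift the two IP lists above show.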


For a full list of attacking IPs, feel free to check and download our AIP Blacklist, a blacklist that forgets!
https://www.stratosphereips.org/attacker-ip-prioritization-blacklist

Check our Aposemat project page for all the other IoT related projects and research lines we are working on!
