On today’s Internet, a plethora of services are publicly accessible, whether intentionally or unintentionally. Further, many publicly accessible services are not sufficiently updated. This puts them at risk, because attackers who use Internet-wide port scanning to discover such services can exploit vulnerabilities in old software.
Honeypots are purposely insecure systems, placed on the Internet to lure attackers and collect information. We set up an infrastructure consisting of six AWS honeypot instances and an analysis VM. We log and analyze who is scanning the Internet, particularly Internet of Things (IoT) services. So far, we have identified multiple scanners and the tools they use, and classified different scanning behaviors.
With Patchwatch, we collect data to analyze how different sectors handle the patching process of services. We actively scan the IPv4 space for hosts with Internet-connected services, collecting version information. We use fingerprinting, e.g., certificate information, to track hosts with dynamic IPs. So far, we have analyzed, for example, the update frequency of different services and possible vulnerabilities.
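The fingerprint-based host tracking described above, as an added example that is not Patchwatch's own code: scan records are keyed by certificate fingerprint instead of IP address, so a host that changes IP keeps one patch history. The record layout, the certificate bytes and the choice of SHA-256 as the fingerprint are assumptions, and all sample data is constructed.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-cert-A"
CERT_B = b"constructed-cert-B"

# Constructed scan records: (scan date, IP, certificate bytes, reported version).
SCANS = [
    ("2024-01-01", "198.51.100.10", CERT_A, "nginx/1.18.0"),
    ("2024-01-01", "203.0.113.5", CERT_B, "nginx/1.24.0"),
    ("2024-01-08", "198.51.100.77", CERT_A, "nginx/1.18.0"),   # same host, new IP
    ("2024-01-15", "198.51.100.131", CERT_A, "nginx/1.24.0"),  # new IP, updated
    ("2024-01-15", "203.0.113.5", CERT_B, "nginx/1.24.0"),
]

def fingerprint(cert_der: bytes) -> str:
    """Assumed fingerprint: SHA-256 over the certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()

def distinct_ips(scans):
    """Naive host count: every IP address seen is treated as its own host."""
    return len({ip for _, ip, _, _ in scans})

def track_hosts(scans):
    """Group observations by certificate fingerprint, ordered by scan date."""
    hosts = defaultdict(list)
    for date, ip, cert, version in sorted(scans, key=lambda r: r[0]):
        hosts[fingerprint(cert)].append((date, ip, version))
    return dict(hosts)

def summarize(history):
    """Return the IPs a host used and each observed version change."""
    ips = []
    for _, ip, _ in history:
        if ip not in ips:
            ips.append(ip)
    updates = [
        (date, old, new)
        for (_, _, old), (date, _, new) in zip(history, history[1:])
        if old != new
    ]
    return {"ips": ips, "updates": updates}

if __name__ == "__main__":
    hosts = track_hosts(SCANS)
    print(f"{distinct_ips(SCANS)} IPs map to {len(hosts)} tracked hosts")
    for fp, history in hosts.items():
        print(fp[:12], summarize(history))
```

A certificate renewal changes the fingerprint and splits one host into two, while a certificate shared across machines merges them, so this key works best combined with other fingerprint features.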
We aim to conduct advanced analyses focusing on correlations between scanning activities logged on our honeypots and the scanning picture obtained through active scans. By merging our Honeypot and Patchwatch data, we aim to gain a better understanding of overall scanning activities:
Task Outline: