The internet, as we all know, never sleeps, never takes any time off, and is active at all times of the day.
We tend not to see the inner workings of the internet while browsing marketplaces or online social media sites, but the truth is, there is so much happening behind the scenes which is beyond our awareness.
The public internet space is, well, public. While there are private networks and internal networks, for the most part the things you see online are part of the public internet space. This is where security problems can arise for the unwary. If something is put onto the public internet space then anyone can access that if the server allows it.
Bots
Automated computer scripts, which most people refer to as "bots" or "robots", account for the majority of attempted-access alerts on systems. These are simply scripts left to run on a computer without any human interaction, constantly searching for vulnerable systems.
Bots account for roughly 20.4% of daily web traffic, which is an insane amount of traffic from automated scripts if you think about it. So what are they up to? What are they doing on the internet?
A lot of bots serve a legitimate purpose, e.g. web crawling, scraping, SEO research, but many also serve illegitimate purposes. For example, many malicious bots will be scanning every single internet-connected device every second looking for weak logins/passwords, security vulnerabilities and zero-days (a zero-day vulnerability is one which has not yet been discovered by the wider public but is being actively exploited).
With this in mind, I wanted to see what actually happens when you connect a device to the public internet, and yes, my ports were open (and welcoming!).
Honeypots
A honeypot is a means of deliberately attracting cyberattacks in order to understand cybercriminals, the attack vectors they use, and the threats they pose. The honeypot sits on the internet, waits for attackers, and captures information about them.
For a couple of weeks I ran an SSH honeypot service which replicated a real SSH client, but little did the bots know it was in fact fake and was logging everything that was coming in.
This was running on the standard port for SSH (22) with weak credentials to allow attackers access. The point of this was to fool attackers into giving us the information we need to see the scope of the attacks, and to let security researchers find and "reverse engineer" new malware.
"a port is a 16-bit number that identifies one side of a connection between two computers. Computers use port numbers to determine to which process or application a message should be delivered. As network addresses are like street addresses, port numbers are like suite or room numbers" - Wikipedia
There are literally tens of thousands of ports assigned under the Internet Assigned Numbers Authority specifications. Here is a list of some of them just so you have an idea of how many services exist:
Here is the basic infrastructure of this honeypot network setup. As you can see it is only using 2 small servers currently:
- 1 * 4GB Ubuntu Command & Control Server
- 1 * 1GB Ubuntu Honeypot Node
I used Modern Honey Network as the code base, and installed this onto the main Command & Control server, which then listened for data sent from my Honeypot Node. Once I had set up the Cowrie SSH Honeypot onto the Node server, the Command & Control instantly started displaying attacks from my Honeypot node.
Within the first 24 hours, I had over 10,000 "connections" or "attacks" to port 22:
What this means is that my server (the Ubuntu Honeypot Node) had over 10,000 connection attempts in that time span, from all over the world! I suspect that most of these connections, if not all of them, are bots or "automated" computer scripts set to scan the whole internet for open SSH ports. My honeypot is running a fake SSH service on port 22 which tricks the attackers into connecting and trying to authenticate.
Because it fools attackers into giving away details, we are able to capture usernames, passwords and commands executed by attackers.
An example of some very useful information we can gather from this is lists of top usernames and passwords used by these automated bots to try and "break in" to insecure logins. Here is a chart of the top usernames and passwords I collected over a 24 hour period, pretty interesting stuff!
From this chart you can see the top username/password combination used by far is the "nproc/nproc" credentials.
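The counts above (connections per day, top username/password pairs, commands typed after a login) all come straight out of the honeypot's log. As an added example that is not part of the original post and not MHN's or Cowrie's own code, here is a small Python script that reads Cowrie-style JSON log lines and produces exactly those three tallies. The log lines are constructed here for illustration (the field names `eventid`, `src_ip`, `username`, `password`, `input` follow Cowrie's JSON output; the IPs and sessions are made up), and the script tolerates blank or malformed lines, which do turn up in a log that is being written while you read it.

```python
import json
from collections import Counter

# Constructed sample lines in the style of Cowrie's JSON log (cowrie.json).
# Made up for this example; not the author's captured data.
SAMPLE_LOG = r"""
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.10", "src_port": 51234, "dst_port": 22, "session": "a1", "timestamp": "2024-01-01T00:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.10", "session": "a1", "timestamp": "2024-01-01T00:00:02.000000Z"}
{"eventid": "cowrie.login.success", "username": "nproc", "password": "nproc", "src_ip": "203.0.113.10", "session": "a1", "timestamp": "2024-01-01T00:00:03.000000Z"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "203.0.113.10", "session": "a1", "timestamp": "2024-01-01T00:00:04.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "src_port": 40001, "dst_port": 22, "session": "b2", "timestamp": "2024-01-01T00:01:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "nproc", "password": "nproc", "src_ip": "198.51.100.7", "session": "b2", "timestamp": "2024-01-01T00:01:01.000000Z"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.7", "session": "b2", "timestamp": "2024-01-01T00:01:02.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.10", "src_port": 51300, "dst_port": 22, "session": "c3", "timestamp": "2024-01-01T00:02:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "nproc", "src_ip": "203.0.113.10", "session": "c3", "timestamp": "2024-01-01T00:02:01.000000Z"}
this line is not json and should be skipped
"""


def parse_events(text):
    """Return one dict per well-formed JSON line; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # A half-written or non-JSON line: skip it rather than abort the run.
            continue
        if isinstance(event, dict) and "eventid" in event:
            events.append(event)
    return events


def summarise(events):
    """Tally connections per source IP, credential pairs tried, and commands run."""
    connections = Counter()   # src_ip -> number of TCP sessions opened
    credentials = Counter()   # (username, password) -> attempts (failed or successful)
    commands = Counter()      # command string -> times typed after a login
    for event in events:
        eventid = event.get("eventid")
        if eventid == "cowrie.session.connect":
            connections[event.get("src_ip", "?")] += 1
        elif eventid in ("cowrie.login.failed", "cowrie.login.success"):
            credentials[(event.get("username", ""), event.get("password", ""))] += 1
        elif eventid == "cowrie.command.input":
            commands[event.get("input", "")] += 1
    return {
        "total_connections": sum(connections.values()),
        "connections_by_ip": connections,
        "credentials": credentials,
        "commands": commands,
    }


def top_credentials(summary, n=3):
    """Most-tried username/password pairs, formatted like the chart in the post."""
    return [(f"{user}/{pw}", count)
            for (user, pw), count in summary["credentials"].most_common(n)]


if __name__ == "__main__":
    summary = summarise(parse_events(SAMPLE_LOG))
    print("connections:", summary["total_connections"], dict(summary["connections_by_ip"]))
    print("top credentials:", top_credentials(summary))
    print("commands:", dict(summary["commands"]))
```

To run it over a real Cowrie deployment, replace `SAMPLE_LOG` with the contents of `cowrie.json` (Cowrie writes one JSON object per line, so `parse_events(open(path).read())` is all that changes). Counting `cowrie.session.connect` rather than login events is what gives the "10,000 connections" figure; many scanners connect and leave without ever trying a password.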
Another amazing thing about the Modern Honey Network is that it gives you access to a tool called the "HoneyMap". This is a LIVE connection interface mapped onto a globe so that you can see where all the live "connections" or "attacks" are coming from. It uses the free MaxMind GeoIP database, which is somewhat accurate to the nearest town.
Conclusion
In conclusion, the public internet is a busy place that is in constant communication. Any connected devices without the proper hardened security setup will be accessible to anyone at any time. It is so important to make sure that your public (and private!) services are locked down and hardened to prevent any accidental leaks or weak points in your security.
Next time I would like to dive into how to properly defend against these attacks and how organisations use this collected Honeypot data to analyse and predict attacks before they happen.
This concludes my first case study into the importance of securing your network. I hope you have enjoyed reading this as much as I enjoyed writing it. I hope it has given you some insider knowledge into what is actually going on in the world wide web behind the scenes.