
2016-03-20 21:32:12

Author: Willie Stevenson

Tags: ssh, honeypot, security

I have a few VPSs over at Digital Ocean. They are, and have been, a great cloud vm provider for hosting small projects. Check them out here or via my referral link here. Anyway, to get to the real matter, Digital Ocean is a hosting company with many data-centers, which means they own IP space. Who owns what IP space is almost always public data. If you do a little digging you can usually obtain this information fairly easily. If you do a whois on digitalocean, you get the following:

Nothing particularly useful regarding what IP space Digital Ocean owns, however we find that the domain was registered through Network Solutions and that Digital Ocean is affiliated with New York in some way. If you do a Google search you will find that they are headquartered there and primarily based in America. So, with this information, let's consult our friends over at the American Registry for Internet Numbers (ARIN). They may be able to provide us with some better information. Fire up Chrome and search "arin digital ocean". Then click the ARIN affiliated link.

Here we begin to find some useful information. We begin to find net ranges, possibly data-center identifiers (DIGITALOCEAN-4), and AS Numbers. An AS number identifies an autonomous system: one or more blocks of IP space routed under the control of a single large network operator, for example an ISP (you can learn more about AS numbers on Wikipedia). However, let's take a look at information regarding the company through its ORG-ID DO-13 first.

Here we find nothing new. We basically find the same information that our whois query returned. However, we do get a related networks link at the bottom. We are interested in networks, so let's click that.

Bingo. We have found exactly what we are looking for. This is a list of IP space that Digital Ocean uses, with DIGITALOCEAN-X probably relating to a specific data-center. Now this is all good and merry and everything, but let's think about this for a second. Since this information is public data, Digital Ocean and data-centers alike could become a target of attack. Just look at what happened to Linode, but...that's another story. So, everybody owning a Digital Ocean instance, including me, and in fact everybody connected to the internet, has a chance of being attacked. But I know you already know this information. I won't bore you with it.

I once took a cybersecurity class at my university. At the beginning of the semester my professor introduced us to shodan and another interesting net reconnaissance site, norsemap. I almost couldn't believe how many attacks were occurring on a regular basis.

Fast-forward two years and I've gotten myself into web development/cyber security. One day a few months back, I decided to implement a smaller scale version of norsemap. I was really interested in seeing if connected devices really do get attacked as often as the internet, the news and norsemap say they do. So, based on the premise that Digital Ocean has multiple data-centers whose IP space we all know, just waiting to be attacked, I decided to set up an ssh honeypot with a live feed into it.

Almost instantly I was attacked.

The beginning of the log (opened in sublime)

If you do a lookup on that IP, it resolves to somewhere in China. Figures. It only further proved what the internet and the news had been saying. Some of the log is pretty interesting. I will share my findings with you.

He just wouldn't quit.

Diffie-hellman-group-exchange-sha11 ... interesting? ... very interesting.....

He's still going at it 100,000 ssh attempts later. However, this time he chooses to use ... many interesting sites as passwords. Make sure to hop on a VPN and disable JavaScript before browsing there if you choose to :)


Brute force/dictionary attack

A dictionary attack. There are a plethora of these.

Sometimes even more interesting to see is the user names they try to use. I was curious, so I popped that IP into the browser.

Hilarious. Even more hilarious is this:

Wait, wait, wait. What is this?

A public facing router. I was hoping I wouldn't encounter one of these.

Red Hat Linux servers. Hm.

It just doesn't get old.

The time I got pwned by XSS

This was a fairly odd password. So, I looked it up.

Now I know where some of these attacks come from.

So, there's more, but, those are my findings in a nutshell. You can find graphs and other statistics here and here.

Since release, which was three months ago, there have been over 1,000,000 ssh attempts into my VPS. It's been really interesting to see what kind of results I've obtained. I've had hosts from .edu domains and Amazon EC2 instances attack me, and I've even been DDoSed, twice. And I'm just a nobody minding my business on the internet. It just goes to show what kind of attacks connected devices are under.
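The kind of aggregation behind the graphs and statistics linked above, as an added example that is not the author's code: a small Python script that reads honeypot log lines, counts attempts per source, tallies the usernames and passwords tried, and flags sources whose attempt rate looks like the dictionary attacks described in this post. The log lines, their format, the addresses and the 5-attempts-in-60-seconds burst rule are all constructed assumptions, not the author's real log.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed honeypot log lines; the "<ts> <ip> login attempt [user/pass] <result>"
# format is an assumption, not the format of the author's honeypot.
SAMPLE_LOG = """\
2016-03-20 21:32:12 203.0.113.5 login attempt [root/123456] failed
2016-03-20 21:32:13 203.0.113.5 login attempt [root/password] failed
2016-03-20 21:32:13 203.0.113.5 login attempt [admin/admin] failed
2016-03-20 21:32:14 203.0.113.5 login attempt [root/toor] failed
2016-03-20 21:32:15 203.0.113.5 login attempt [pi/raspberry] failed
2016-03-20 21:40:02 198.51.100.7 login attempt [ubuntu/ubuntu] failed
2016-03-20 21:45:30 198.51.100.7 login attempt [root/root] failed
2016-03-20 22:01:00 192.0.2.9 connection closed before authentication
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) login attempt \[([^/\]]*)/([^\]]*)\] (\w+)$")


def parse_line(line):
    """Return a dict for a login-attempt line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, user, password, result = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ip": ip, "user": user, "password": password, "result": result}


def summarize(log_text, burst_threshold=5, window_seconds=60):
    """Aggregate attempts per source and flag sources that burst past the threshold."""
    attempts = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    times_by_ip = defaultdict(list)
    for e in attempts:
        times_by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in times_by_ip.items():
        times.sort()
        # Sliding window: burst_threshold attempts inside window_seconds marks a dictionary attack.
        for i in range(len(times) - burst_threshold + 1):
            if (times[i + burst_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(ip)
                break
    return {"total": len(attempts),
            "per_ip": Counter(e["ip"] for e in attempts),
            "top_users": Counter(e["user"] for e in attempts).most_common(3),
            "distinct_passwords": len({e["password"] for e in attempts}),
            "brute_force_sources": sorted(flagged)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```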