Leger Research Fondation

Fondation de recherche Léger

May 2008

Are you being hacked? Results of one week of home honeypot data.

 

In early April, I installed a honeypot on my home network for a period of one week. My home network is connected to the Internet using the cable modem service provided by Videotron, a large ISP in Quebec. I was quite surprised to note that I had 12079 attempts to connect or send attacks to my home computer network. A summary of my results is provided in the following table.
 

Date                  Number of attempts
Sunday March 9th                    5221
Monday March 10th                    989
Tuesday March 11th                  1080
Wednesday March 12th                1144
Thursday March 13th                 1580
Friday March 14th                    963
Saturday March 15th                 1102
Total:                             12079

Table 1: summary of the results

What is a honeypot?

A honeypot, a name inspired by Winnie the Pooh, is a device that can be installed on a network to catch intruders. Purposely made to be enticing to an intruder or computer system cracker, it gives the impression that multiple TCP/IP ports are open on computers that can be reached through a network, in this case the Internet. Honeypots have basic intrusion detection capabilities built into them in order to collect information on the intrusion attempts. It can be viewed as a form of entrapment. The Open Source product I used to perform this test is HoneyBot, from Atomic Software Solutions (http://www.atomicsoftwaresolutions.com/). Please note that I have no connection to this company and found the product by doing a Google search.
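As an added illustration (my own code, not the HoneyBot product and not code from this article), the Python script below is a minimal low-interaction honeypot of the kind described above: it listens on a list of TCP ports, accepts whatever connects, records the source address, destination port and the first bytes sent, and closes the connection. The host address, the port list and the `probe` helper are my choices; port 0 asks the operating system for a free port so the script can be tried locally without privileges or exposure.

```python
import socket
import threading
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Event:
    """One recorded connection attempt (what a honeypot log line holds)."""
    when: str
    src_ip: str
    src_port: int
    dst_port: int
    first_bytes: bytes


class HoneyPot:
    """Minimal low-interaction honeypot: accept, read a few bytes, log, close."""

    def __init__(self, ports, host="127.0.0.1", read_timeout=0.5):
        self.read_timeout = read_timeout
        self.events = []
        self._cv = threading.Condition()
        self._listeners = []
        self._threads = []
        self._running = False
        for port in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))  # port 0 = let the OS pick a free port
            s.listen(16)
            s.settimeout(0.2)     # lets the accept loop notice stop()
            self._listeners.append(s)
        # Actual ports in use (resolves any port 0 requests).
        self.bound_ports = [s.getsockname()[1] for s in self._listeners]

    def start(self):
        self._running = True
        for s in self._listeners:
            t = threading.Thread(target=self._serve, args=(s,), daemon=True)
            t.start()
            self._threads.append(t)
        return self

    def _serve(self, listener):
        dst_port = listener.getsockname()[1]
        while self._running:
            try:
                conn, (src_ip, src_port) = listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break  # listener closed by stop()
            with conn:
                conn.settimeout(self.read_timeout)
                try:
                    data = conn.recv(64)  # capture only the opening bytes
                except (socket.timeout, OSError):
                    data = b""
            ev = Event(datetime.now(timezone.utc).isoformat(),
                       src_ip, src_port, dst_port, data)
            with self._cv:
                self.events.append(ev)
                self._cv.notify_all()

    def wait_for_events(self, count, timeout=5.0):
        """Block until at least `count` events are logged; True if reached."""
        with self._cv:
            return self._cv.wait_for(lambda: len(self.events) >= count, timeout)

    def stop(self):
        self._running = False
        for s in self._listeners:
            s.close()
        for t in self._threads:
            t.join(timeout=1.0)


def probe(port, payload, host="127.0.0.1"):
    """Local stand-in for a remote connection attempt (test helper only)."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        c.sendall(payload)


if __name__ == "__main__":
    hp = HoneyPot([0, 0]).start()
    print("listening on", hp.bound_ports)
    probe(hp.bound_ports[0], b"USER anonymous\r\n")  # looks like an FTP login
    hp.wait_for_events(1)
    hp.stop()
    for ev in hp.events:
        print(ev)
```

In a real deployment the port list would hold the services one wants to appear open (the article's 21, 22, 1026 to 1028 and so on), the host would be the Internet-facing address, and the events would be written to a file for the kind of per-day and per-port tallies shown in this article.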

So who is attacking me?

Interestingly, most traffic consisted of attempts to display Windows messages on my computer via ports 1026, 1027 and 1028. These messages were intended to get me to purchase registry-cleaning software. A simple Google search indicates that this may be a form of Internet scam. There were also many attempts to connect to TCP/IP port 21, the port used by FTP servers. Other frequently accessed ports were 22, 1434, 2967, 5900, 8000 and 8555.

By doing a WHOIS lookup on the source IP addresses, I was able to find that a large portion of the packets appeared to come from within Canada, through addresses allocated to Shaw Communications and COGECO. Most likely, based on my personal experience, I would suspect they originate from compromised computers acting as relays, also called zombies. However, I identified a large number of attempts from China, South Korea and Iran. Attempts were also made from France, the USA, China and Iran. Individuals in Iran and China made several attempts to connect to port 21 (FTP) on my honeypot.
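As an added example (my code, not the author's, and not HoneyBot's log format), the script below takes constructed log lines of the form `timestamp source_ip destination_port`, built from addresses and ports that appear on this page with invented timestamps, and produces the three views this report relies on: attempts per day (the shape of Table 1), attempts per destination port with a service label, and the busiest source addresses for WHOIS follow-up. The service labels are mine, taken from the standard port assignments rather than from the article; malformed lines are counted and skipped rather than aborting the run.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Constructed sample log, one attempt per line: "timestamp source_ip destination_port".
# The addresses and ports are ones the article mentions; the timestamps are invented.
SAMPLE_LOG = """\
2008-03-09T00:14:02 24.64.100.67 1026
2008-03-09T00:14:03 24.64.100.67 1027
2008-03-09T00:14:03 24.64.100.67 1028
2008-03-09T03:41:10 125.65.109.49 21
2008-03-10T11:02:55 218.10.137.141 21
2008-03-10T11:03:01 218.10.137.141 22
2008-03-11T08:20:17 211.232.192.220 1434
2008-03-11T08:20:17 211.232.192.220 5900
2008-03-12T22:09:44 62.193.246.160 2967
2008-03-13T05:55:01 24.64.100.67 1026
this line is deliberately malformed
"""

# Labels for the ports the article singles out (standard assignments; my wording).
PORT_LABELS = {
    21: "FTP control",
    22: "SSH",
    1026: "Windows Messenger service (pop-up spam)",
    1027: "Windows Messenger service (pop-up spam)",
    1028: "Windows Messenger service (pop-up spam)",
    1434: "Microsoft SQL Server monitor",
    2967: "Symantec AntiVirus agent",
    5900: "VNC",
    8000: "HTTP alternate",
    8555: "unassigned",
}


def parse_log(text):
    """Return (events, bad_line_count); each event is (datetime, src_ip, dst_port)."""
    events, bad = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        try:
            when = datetime.fromisoformat(parts[0])
            src = str(ip_address(parts[1]))      # rejects junk that is not an IP
            port = int(parts[2])
            if not 0 < port < 65536:
                raise ValueError("port out of range")
        except (ValueError, IndexError):
            bad += 1                              # skip, but keep a tally
            continue
        events.append((when, src, port))
    return events, bad


def attempts_per_day(events):
    """Daily totals in chronological order, the layout of Table 1."""
    counts = Counter(when.date().isoformat() for when, _, _ in events)
    return dict(sorted(counts.items()))


def attempts_per_port(events):
    """(port, label, count), busiest first, lowest port first on ties."""
    counts = Counter(port for _, _, port in events)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(p, PORT_LABELS.get(p, "unknown"), n) for p, n in ordered]


def top_sources(events, n=5):
    """Busiest source addresses, the candidates for a WHOIS lookup."""
    counts = Counter(src for _, src, _ in events)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], ip_address(kv[0])))
    return ordered[:n]


def messenger_spam_share(events):
    """Fraction of attempts aimed at ports 1026-1028 (the pop-up spam the article saw)."""
    if not events:
        return 0.0
    hits = sum(1 for _, _, p in events if p in (1026, 1027, 1028))
    return hits / len(events)


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print("parsed", len(evs), "events; skipped", bad, "malformed line(s)")
    for day, n in attempts_per_day(evs).items():
        print(day, n)
    for port, label, n in attempts_per_port(evs):
        print(f"port {port:5d} {n:3d}  {label}")
    print("top sources:", top_sources(evs, 3))
    print(f"messenger pop-up share: {messenger_spam_share(evs):.0%}")
```

The per-source list is the natural input to the WHOIS step the text describes; the per-port list is what separates nuisance traffic such as the Messenger pop-ups from probes of services that could actually be compromised if they were real.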

Should you be concerned?

I think this should deeply concern all legitimate users of the Internet; I know it concerns me. This is potentially a big problem, which I reported to the Royal Canadian Mounted Police (RCMP) via their online fraud reporting service. They have not responded. I also complained to my ISP, Videotron, who has not responded to my email.

The following table provides a sample of some of the offending IP addresses.
 

Source IP          Location
118.236.131.108    Tokyo, Japan
125.65.109.49      Mianyang, Sichuan, PR China
125.65.112.152     Chengdu, Sichuan, PR China
143.178.92.210     Amsterdam, NL
147.53.21.30       Notre-Dame, Illinois, USA
152.17.181.134     Winston-Salem, NC, USA
158.97.90.64       Mexico
16.72.136.23       HP, Palo Alto, CA, USA
17.212.77.244      Apple, Cupertino, CA, USA
189.67.195.13      Brazil
192.222.80.199     DoD, Columbus, OH, USA
194.54.33.33       Ankara, Turkey
201.229.38.165     Aruba
202.101.235.100    Jiangxi, China
202.28.79.167      Bangkok, Thailand
202.97.238.194     Heilongjiang, China
202.99.11.99       Neijing, China
203.197.237.145    Mumbai, India
204.143.34.175     Centennial, CO, USA
205.78.116.65      US Navy, Pensacola, FL, USA
211.232.192.220    Jeonju, South Korea
218.10.137.141     Heilongjiang, China
218.206.140.236    Jiangsu, China
220.191.233.133    Taizhou Electronic Government Network, China
220.227.158.83     Mumbai, India
221.208.208.99     Beijing, China
221.209.110.20     Heilongjiang, China
24.64.100.67       Calgary, Alberta
57.103.68.198      Neuilly, 92, France
58.20.15.126       Hunan, China
58.20.15.126       Hunan, China
58.236.26.54       Seoul, South Korea
59.63.157.211      Nanchang, Jiangxi, China
60.190.163.66      Huzhou, Zhejiang, China
60.190.163.66      Huzhou, Zhejiang, China
60.191.43.40       Hangzhou, Zhejiang, China
61.132.223.14      Anhui, China
61.159.245.166     Yunnan, China
62.193.246.160     Paris, France
64.59.69.151       Southfield, MI, USA
74.138.15.28       Louisville, KY, USA
74.210.128.33      Trois-Rivières, QC

Table 2: IP address and WHOIS
info@leger.ca
© Marc-André Léger, 05.04.2008 10:41:02 -0400