Monitoring unauthorized internet accesses through a ‘honeypot’ system

MARCHESE, MARIO;ZAPPATORE, SANDRO
2011-01-01

Abstract

The role of the Internet is continuously increasing, and many technical, commercial, and business transactions are carried out by a multitude of users who exploit a set of specialized, sophisticated network applications. In this context, the task of network monitoring and surveillance is gaining great relevance, and honeypots are promising tools for gathering information and understanding about the 'areas of interest' of attackers, as well as about the possible relations among 'blackhat' teams. The paper presents and discusses the results achieved by a group of honeypots deployed within the networks of the Department of Communication, Computer and System Science at the University of Genoa. The collected statistics, measured over a 4-month period, reveal that approximately 10 000 different attackers, coming from 130 different countries, 'contacted' the honeypot system and that about 60 000 distinct TCP connections were logged. Our high-interaction honeypot counted more than 25 000 attempts to access an SSH server, which made it possible to trace many attempts to install rootkits. A comparison with results obtained by similar research carried out in other laboratories is presented and discussed.

Use this identifier to cite or link to this document: https://hdl.handle.net/11567/221140