
I have set up a honeypot, but I am not happy with the low traffic load and I would like to trigger much higher traffic levels.

What methods would attract high bot activity? These are the ideas I have right now:

  1. incorporate Google Dorks into the honeypot
  2. add multiple entries of the honeypot IP on Pastebin (I know there are scripts that scrape Pastebin for IPs)
  3. add the IP to various public forums (like the methods spammers use to advertise sites)
  4. create multiple free websites (Blogger, etc.) that cross-link to each other and the honeypot
  5. use SEO to gain attention by search engines
  6. advertise the honeypot IP on social networks (Twitter, Google+, Facebook)

What else should I look at? What of the above will have low success?

I know that this is a duplicate of Setting up a honeypot but I am focused on just the 'traffic' facet of that user's question.

Thank you.

schroeder
  • Is this purely an HTTP and/or HTTPS honeypot or are you hoping to attract attack traffic aimed at other ports and services? Also, what are you hoping to learn from the attacks? Zero-day exploits, malware samples, C&C servers, spam samples or just a list of known bad IP addresses to block on your main site? Attackers and spammers look for different things depending on their needs. – Ladadadada May 09 '12 at 02:02
  • It's a low interaction HP that responds to various ports. I want to analyze the traffic patterns. I am not hoping to build an IP blacklist for a main site. – schroeder May 09 '12 at 04:23
  • Be conscious that advertising honeypots the wrong way may have legal consequences. Honeypots are logging users' activity: there are laws regulating this. Are you encouraging people to hack this IP? Be careful this may not be taken as an encouragement toward illegal activities. More information on the subject can be found [in this question](https://security.stackexchange.com/q/88879/32746). – WhiteWinterWolf Aug 31 '15 at 10:15

2 Answers


I would suggest that for a basic honeypot (such as a simple Dionaea setup) the one way to increase traffic would be to increase the number of I.P. addresses pointing at the honeypot.

I'm sceptical that the non-targeted attacks such a honeypot is looking to attract would benefit from listing the I.P. address publicly. I believe that there will be attractive and busy I.P. ranges (universities? certain countries?) and less attractive busy I.P. ranges.

Andy Smith

If anything, there are several different types of 'prey' you can attract. First, there are tons of bots out there automatically running port scans on different IP ranges to enumerate vulnerable services. So, to attract bots and such, it's important to look like an "old and injured prey." Run as many vulnerable services as possible to attract attacks from those bots. One caveat is some providers do upstream blocking. So, if you're running your honeypot on such a provider network, you may not see these scans.

If you want to be subject to "script kiddie" type attacks, then posting your IP on boards as well as a massive flaming campaign on boards/IRC rooms will help you attract attention.

bangdang
  • It looks like I get high quality hits without any advertising at all. There are just simply that many random scans going on that every IP gets logged by some bot somewhere for analysis .... – schroeder Jun 29 '12 at 03:23
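
One way to check the points raised in the answers and the comment above (more addresses, upstream blocking, the unadvertised baseline) is to measure connections per honeypot address and port before and after each change. This is an added example, not part of the original posts; the log format, the sample addresses and the `LISTENING` layout are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one connection per line: timestamp src_ip dst_ip dst_port.
# All addresses are documentation ranges, not real observations.
SAMPLE_LOG = """\
2012-06-01T00:05:11 198.51.100.7 192.0.2.10 22
2012-06-01T00:20:43 203.0.113.9 192.0.2.10 23
2012-06-01T01:02:00 198.51.100.7 192.0.2.11 22
2012-06-01T02:15:30 203.0.113.50 192.0.2.10 22
not a log line
2012-06-01T03:40:02 198.51.100.23 192.0.2.11 23
2012-06-01T04:05:11 203.0.113.9 192.0.2.10 23
"""

# Assumed layout: ports the honeypot answers on, per honeypot address.
LISTENING = {"192.0.2.10": {22, 23, 445}, "192.0.2.11": {22, 23, 445}}

def parse(log):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def summarize(log, listening):
    """Return (per-address stats, ports that saw no traffic on any address)."""
    hits, sources, times = Counter(), defaultdict(set), []
    for ts, src, dst, port in parse(log):
        if port in listening.get(dst, ()):
            hits[(dst, port)] += 1
            sources[dst].add(src)
            times.append(ts)
    # Observation window in hours; floor of one hour avoids inflated rates.
    hours = max((max(times) - min(times)).total_seconds() / 3600, 1.0) if times else 1.0
    per_ip = {}
    for ip, ports in listening.items():
        total = sum(hits[(ip, p)] for p in ports)
        per_ip[ip] = {"hits": total, "sources": len(sources[ip]),
                      "hits_per_hour": round(total / hours, 2)}
    all_ports = set().union(*listening.values()) if listening else set()
    # A port silent on every address may be filtered upstream, or just unpopular.
    silent = sorted(p for p in all_ports
                    if not any(hits[(ip, p)] for ip in listening))
    return per_ip, silent

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, LISTENING))
```

Comparing the per-address rates across equal-length windows shows whether a change actually moved the traffic level, and a port that stays silent on every address is worth testing from an outside host before concluding nobody scans for it.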