4

I have a port forwarding rule sending 23 traffic to a "honeypot" (called "comp" below). Throughout the night, many bots from around the world attempted to connect, but there was no service running.

Now, I wrote a C program that just binds to 23, accepts a connection, and exits. When a bot scans, Wireshark shows the following failed handshake for most connection attempts:

bot --> comp (SYN, port 23)
comp --> bot (SYN, ACK)
(sometimes): comp --> bot (TCP retransmission)
             ... (may have several retransmissions)
bot --> comp (RST)    (sometimes happens immediately after the SYN, ACK)

I have seen one successful bot connection, but most attempts result in the above. I know that the program is working because when I telnet with my Android on 4G (i.e. outside the LAN), the normal three-way handshake occurs, followed by an immediate FIN, ACK from my "honeypot", as expected.

Why do many of the bot connection attempts fail? The bots can't possibly tell that it's not a real telnet service before they even finish connecting?

Edit: Also, they sometimes send another SYN immediately after the RST, and then that handshake proceeds successfully.

Vale132
  • Try to log those accesses and see what country they come from based on GeoIP location ;) Just out of curiosity... We have a lot of those scans on an internet-facing ftp server – nwildner Jan 13 '17 at 09:57
  • @nwildner Yep, this is my first time doing honeypot-like things and it's fun to watch. Based on GeoIP (or at least one site's version of it), most of them are supposedly from China, Vietnam, Romania, and Ukraine. Probably ~20 per hour total from those countries, and this is just my home router. So far I've only had 1 port 21 scan (over 36 hours). – Vale132 Jan 13 '17 at 20:54

1 Answer

4

They are performing port scans, not trying to establish a connection.

This specific scanning technique is called a SYN scan. The idea is that you don't have to complete the entire TCP handshake to find out if a port is open. A SYN scan is often preferred to establishing a full connection because it's faster and less noticeable. From the nmap guide:

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. [...]

This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered.

You can try to reproduce this behavior by attempting a SYN scan yourself using nmap and checking the Wireshark results:

nmap -sS yourhost

The bots can't possibly tell that it's not a real telnet service before they even finish connecting?

Correct, the disadvantage of this technique is that they can't really fingerprint the service. All they know is that the server has accepted a connection at that port.

Arminius
  • Excellent, thanks. So the ones that immediately send a SYN after their RST have discovered that the port is open and would like to send me something? – Vale132 Jan 12 '17 at 21:47
  • @Vale132 Yes, after figuring out that the port is open they likely try to connect to find out more. You will probably see that they still don't send any data and just wait for a banner to see if they recognize the service running (e.g. a vulnerable telnet server version). – Arminius Jan 12 '17 at 21:53
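The distinction drawn in this answer (a half-open SYN scan versus a completed handshake versus a SYN/ACK that is never answered) can be made mechanically from the packet flags. The script below is an added example written for this page, not code posted by either participant. It parses a small trace in tcpdump-style notation (`Flags [S]`, `[S.]`, `[R]`, `[.]`, `[F.]`), groups packets into flows starting at each client SYN, and labels each flow by the first packet the client sends after its SYN. The trace, the verdict names and the addresses are all constructed for the example; on a real capture you would feed it `tcpdump -nn 'tcp port 23'` output instead.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample trace in tcpdump-style notation (not a real capture).
# Flag letters follow tcpdump: S = SYN, . = ACK, R = RST, F = FIN.
# Flow 1 (port 40001): SYN, SYN/ACK, RST            -> half-open (SYN) scan
# Flow 2 (port 40002): SYN, SYN/ACK, ACK, FIN/ACK   -> completed handshake
# Flow 3 (port 51515): SYN, SYN/ACK retransmitted, client never answers
SAMPLE_TRACE = """
203.0.113.7.40001 > 192.168.1.10.23: Flags [S]
192.168.1.10.23 > 203.0.113.7.40001: Flags [S.]
203.0.113.7.40001 > 192.168.1.10.23: Flags [R]
203.0.113.7.40002 > 192.168.1.10.23: Flags [S]
192.168.1.10.23 > 203.0.113.7.40002: Flags [S.]
203.0.113.7.40002 > 192.168.1.10.23: Flags [.]
192.168.1.10.23 > 203.0.113.7.40002: Flags [F.]
203.0.113.7.40002 > 192.168.1.10.23: Flags [.]
198.51.100.9.51515 > 192.168.1.10.23: Flags [S]
192.168.1.10.23 > 198.51.100.9.51515: Flags [S.]
192.168.1.10.23 > 198.51.100.9.51515: Flags [S.]
192.168.1.10.23 > 198.51.100.9.51515: Flags [S.]
"""

LINE_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, flags) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags


def is_bare_syn(flags):
    # A SYN without ACK opens a new flow; "S." is the server's SYN/ACK.
    return "S" in flags and "." not in flags


def classify(events):
    """events: list of (side, flags) for one flow; the first entry is the client SYN."""
    server_synack = any(side == "server" and "S" in f and "." in f
                        for side, f in events)
    if not server_synack:
        return "no-synack"
    # The first client packet after its SYN (ignoring SYN retransmissions) decides:
    # RST -> the scanner learned "open" and bailed out (half-open scan)
    # ACK -> handshake completed (a real connection, e.g. waiting for a banner)
    client_after = [f for side, f in events[1:]
                    if side == "client" and not is_bare_syn(f)]
    if not client_after:
        return "unanswered-synack"
    first = client_after[0]
    if "R" in first:
        return "half-open-scan"
    if "." in first:
        return "full-connect"
    return "other"


def classify_flows(trace):
    """Group packets into flows keyed by (client_ip, client_port, server_ip, server_port)."""
    flows = OrderedDict()
    for line in trace.strip().splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        as_client = (src, sport, dst, dport)
        as_server = (dst, dport, src, sport)
        if is_bare_syn(flags) and as_client not in flows:
            flows[as_client] = [("client", flags)]
        elif as_client in flows:
            flows[as_client].append(("client", flags))
        elif as_server in flows:
            flows[as_server].append(("server", flags))
        # Packets belonging to flows whose SYN we never saw are ignored.
    return {key: classify(events) for key, events in flows.items()}


def summarize(trace):
    """Count verdicts across all flows in the trace."""
    return Counter(classify_flows(trace).values())


if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE_TRACE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {verdict}")
    print(dict(summarize(SAMPLE_TRACE)))
```

Run against the sample trace it reports one half-open scan, one completed connection and one flow where the honeypot's SYN/ACK was retransmitted without ever being acknowledged, which is exactly the mix described in the question. The verdict rests on the client's first post-SYN packet rather than on the whole exchange, so a bot that completes the handshake and then resets after waiting for a banner is still counted as a full connection, matching the follow-up comment above.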