Using Honeypots to Sniff and Snuff out Botnets, part 1

In recent years, honeypots seem to have fallen out of favor with security researchers. The reason is straightforward: a classic honeypot (a single IP running vulnerable services) or honeynet (honeypots on multiple IPs) will only catch attacks that actively attempt to propagate. Those attacks may be as loud as a worm like Blaster, Gimmiv, or Slammer, or far quieter, such as a bot that only scans its local subnet.

Why do I presume that too few researchers are running honeypots and honeynets? Simple: the botnets that spread by these methods have not moved their controllers (C&Cs) to new locations (IPs) in months or more. Of course, this lapse in abuse notifications is partly on me as well, but I hope to rectify the situation by notifying the offending upstream providers relentlessly going forward.
