[VOIPSEC] Honeypot Information Expanded

J. Oquendo sil at infiltrated.net
Sun Oct 17 12:19:36 EDT 2010

For those interested in more honeypot/attacker information,
I am trying to clean up data from my Arkeos honeypot to
list the number an attacker is calling, what type of
hardware and or software they're using, NAT information,

Right now there is a huge volume of information on these
honeypots (est 3200 attempted calls per month) so I think
that I will begin with newly created data as opposed to
sorting out previous data (tens of thousands of calls.)

So what does this mean to you and why should you care?

The admin/operator:
Detailed list of attackers' connections and the numbers
they're calling. Allows you to modify your dialplans if
necessary, create FW rules, etc.

The researcher:
Allows you to see first hand what types of tricks some
attackers use when registering phones, calling numbers,
inserting digits, etc.

The law enforcement agent(cy):
Gives you visibility on the attackers costing our
companies hundreds if not millions of dollars in losses
via compromised machines

The attacker:
Let's you know that you are being watched and eventually
you will either give up, get caught, or hopefully someone
will track you down with a baseball bat in hand.

The only data that is modified is the information of the
honeypots themselves. Their addresses, the extensions
that are compromised. All information is sync'ed with
via NTP using EST.

http://www.infiltrated.net/voipabuse/logs (see attempted
calls from attackers near the end of page)


J. Oquendo

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E

More information about the Voipsec mailing list