Detect Me If You... Oh Wait. An Internet-Wide View of Self-Revealing Honeypots

Shun Morishita, Takuya Hoizumi, Wataru Ueno, Rui Tanabe, Carlos Hernandez Ganan, Michel van Eeten, Katsunari Yoshioka, Tsutomu Matsumoto

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

27 Citations (Scopus)
564 Downloads (Pure)


Open-source honeypots are a vital component in the protection of networks and the observation of trends in the threat landscape. Their open nature also enables adversaries to identify the characteristics of these honeypots in order to detect and avoid them. In this study, we investigate the prevalence of 14 open-source honeypots running more or less default configurations, making them easily detectable by attackers. We deploy 20 simple signatures and test them for false positives against servers for domains in the Alexa top 10,000, official FTP mirrors, mail servers in real operation, and real IoT devices running telnet. We find no matches, suggesting good accuracy. We then measure the Internet-wide prevalence of default open-source honeypots by matching the signatures with Censys scan data and our own scans. We discovered 19,208 honeypots across 637 Autonomous Systems that are trivially easy to identify. Concentrations are found in research networks, but also in enterprise, cloud and hosting networks.
While some of these honeypots probably have no operational relevance, e.g., they are student projects, this explanation does not fit the wider population. One cluster of honeypots was confirmed to belong to a well-known security center and was in use for ongoing attack monitoring. Concentrations in an another cluster appear to be the result of government incentives. We contacted 11 honeypot operators and received response from 4 operators, suggesting the problem of lack of network hygiene. Finally, we find that some honeypots are actively abused by attackers for hosting malicious binaries. We notified the owners of the detected honeypots via their network operators and provided recommendations for customization to avoid simple signature-based detection. We also shared our results with the honeypot developers.
Original languageEnglish
Title of host publication2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019
Number of pages10
ISBN (Electronic)9783903176157
Publication statusPublished - 2019
Event16th IFIP/IEEE International Symposium on Integrated Network Management 2019: Intelligent Management for the Next Wave of Cyber and Social Networks - Washington, United States
Duration: 8 Apr 201912 Apr 2019


Conference16th IFIP/IEEE International Symposium on Integrated Network Management 2019
Country/TerritoryUnited States


Dive into the research topics of 'Detect Me If You... Oh Wait. An Internet-Wide View of Self-Revealing Honeypots'. Together they form a unique fingerprint.

Cite this