INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
The strange case of Great honeypot of China
Published: 2023-04-17
Last Updated: 2023-04-17 08:44:28 UTC
by Jan Kopriva (Version: 1)
Looking at changes that the internet as a whole goes through over time can be quite edifying. Since old servers are being decommissioned and new ones are being added all the time, the internet “landscape” can change significantly even over the course of a year or several months.
Because very few of us have ever had access to our own Carna botnet or other solution, which would enable us to periodically scan the entire public IP space, we have to depend on information provided to us by specialized services (e.g., Censys or Shodan), which conduct such scans on our behalf, to learn of these changes.
Since we are dependent on these third-party services, which are, from our viewpoint, basically “black boxes”, any large spikes that may be seen in data gathered from them may be the result of a real, rapid change in the public IP space, or the result of misconfiguration or error in some internal mechanism used by these services. And, unfortunately, it is not always easy to say which is which… Which holds true even for a recent spike in the number of honeypots that Shodan detected.
As I mentioned in some of my previous Diaries, I use my TriOp tool to periodically gather significant amounts of data from Shodan about the global internet landscape, as well as about the situation in different countries. Among other information, I use the tool to gather the number of devices that Shodan classifies as “medical” systems, which are accessible from the internet, and a few weeks ago, a script that I use to identify significant changes in the data started to generate daily notices about a sharp relative increase in such systems in China (and, several days later, about a corresponding relative increase on a global level).
Read the full entry:
https://isc.sans.edu/diary/The+strange+case+of+Great+honeypot+of+China/29750/
HTTP: What's Left of it and the OCSP Problem
Published: 2023-04-13
Last Updated: 2023-04-13 14:43:37 UTC
by Johannes Ullrich (Version: 1)
It has been well documented that most "web" traffic these days uses TLS, either as traditional HTTPS or the more modern QUIC protocol. So it is always interesting to see what traffic remains as HTTP.
Looking at the top TCP ports in my network:
325900 443
38191 22
31006 23
25884 80
22025 53
HTTPS is by far the top port (and most of the 22/23 connections are likely for my honeypot, and so are many of the port 80 connections.)
So let's dive into a bit more detail on my zeek HTTP logs. I use the JSON format for zeek logs and will use the "jq" tool to parse them instead of the usual "zeek-cut" tool.
Read the full entry:
https://isc.sans.edu/diary/HTTP+Whats+Left+of+it+and+the+OCSP+Problem/29744/