Trapping Attackers Without Nyan Cat

As of a little over two weeks ago I’ve stopped offering the service I’ve described in an earlier blog post. Someone™ managed maxing out my server’s resources by establishing as many connections as possible and keeping them open for hours. Eventually my hoster sent me an email about unusually high resource usage. After a reboot everything was back to normal, but I didn’t feel like allowing this to happen again, so I shopped for a more efficient SSH honeypot.

endlessh fits the bill. It does as little work as possible, yet wastes the unsuspecting attacker’s time in a rather sneaky way: By sending an infinite SSH banner. The downside is that you won’t ever find out what kind of software the attacker is using since it doesn’t proceed beyond that stage. I was curious how well it works in practice, so I collected logs for two weeks, wrote a bit less than 100 SLOC of Ruby to do basic statistics and plotted the overall distribution with gnuplot.

Hosts: 21286
Unique hosts: 1665
Total time wasted: 17 days, 2 hours, 51 minutes and 40 seconds
Max time wasted: 7 days, 9 hours, 19 minutes and 39 seconds
Average time wasted: 20 minutes and 38 seconds
Total bytes sent: 43.6M
Max bytes sent: 1.1M
Average bytes sent: 2.1K
Max connections established: 58
Greatest netsplit: 47

Top 10 hosts:
  112.***.***.***: 12160 connections
   58.***.***.***: 2427 connections
  218.***.***.***: 1792 connections
   58.***.***.***: 358 connections
  195.***.***.***: 174 connections
  185.***.***.***: 109 connections
  222.***.***.***: 65 connections
  223.***.***.***: 58 connections
  115.***.***.***: 52 connections
  180.***.***.***: 51 connections