Initial analysis of four million login attempts
09 Sep 2016 Johnny Vestergaard analysis heralding honeypot
Introduction
This blog post is a follow-up to an earlier article, where I set out to conceive a system that could deliver the data needed to answer 5 specific questions.
The setup
To provide the data needed for this analysis, my setup consisted of 4 VPS situated respectively at Amazon EC2, Azure, MeeBox and a Danish ISP end-user connection. Even though the same 4 VPS were used throughout the data collection, 6 different IP addresses were used for the honeypots - the reason for this was that one of the honeypots had a dynamically assigned IP address. As mentioned in an earlier article, all honeypots were running Heralding. The technical setup was automated with Ansible.