- Could you please tell how you identify IP address belonging to ‘yellow’ and ‘green’ types? Because we also have such honeypot, and we are interested in extracting ‘yellow’ and ‘green’ type IP addresses.
Short answer here:
I am identifying the yellow and green types by analyzing the incoming attack patterns for similarities to attacks that came from the 4 sshPsycho IP address ranges. These are the “Gold” standard. Just to be clear, those IP address ranges are the following four class C subnets: 103.41.124, 103.41.125, 43.255.190, 43.255.191. These are the Red portions of the bar chart.
The yellow portions of the bar chart are what I am calling “Friends of sshPsycho”. These are IP addresses that have used the exact same attack pattern for at least one attack as an attack that came from sshPsycho.
Another way of saying this is that I have analyzed the data from the attacks to create what I call an “Attack Pattern”. I have then broken these attack patterns into individual files on my server. I can then compare ALL of the attack patterns to easily determine which ones are exactly the same. sshPsycho used the same exact attack patterns multiple times in their attacks.
So, if I see the same attack pattern from a different host, I know that whoever is running the attack from that server has received the tools and the dictionaries they are using from sshPsycho. I am calling those IP addresses “Friends of sshPsycho” since I do not KNOW if they are the same people or not. (My feeling is that they are the same group of hackers.)
Green attacks are what I call “Associates of sshPsycho”. In English this implies a more distant relationship. To clarify, in English the cloessness of a relationship goes from Self -> Spouse -> Family -> Friends -> Associates.
I have analyzed the sshPsycho attacks and have determined several characteristics that only appear in their attacks. I have also characterized their typical attack patterns.
Specifically, the only places I have seen the passwords “XXXXXX” and “YYYYYY” come from was from sshPsycho. Again, I have never seen those passwords come from any place besides China and Hong Kong, and mostly from sshPsycho IP addresses. (I am not specifically mentioning WHICH two passwords they are just to make it a little harder for the bad guys to figure out which two passwords to stop using, but it’s also kind of obvious if you look at the data hard enough).
When I see those passwords, AND it is an attack against ONLY root, I list them as “Associates”. Coincidentally these have only come from China.
As sshPsycho was being blocked from their main servers, I saw the amount of blue go up in my charts significantly. This indicates to me that they are still active but using new IP addresses to attack from. By coloring this set of attacks as green, I was able to show this belief that they are somehow connected to sshPsycho.
There is still a higher than normal number of blue attacks. Those are attacks from IP addresses that are either other hackers than sshPsycho, or are IP addresses that have not yet shown they are associated with sshPsycho.
As these attacks continue I believe I will be able to move more of the blue IP addresses into the green or yellow sections of the chart.
HOW AM I DOING THIS?
That’s too hard to explain in a blog entry. I am (slowly) working on a paper to discuss this issue. I basically group all attacks against a single host that are closely connected in time and calling that an attack pattern. When there is too much of a gap between attacks, I close the attack pattern and start a new one.
Based on the number of exactly the same attack patterns that I have seen from sshPsycho from multiple IP addresses, I believe it works.