DShield Honeypot Log Volume Increase

    Published: 2025-07-14. Last Updated: 2025-07-14 18:58:30 UTC
    by Jesse La Grew (Version: 1)
    0 comment(s)

    The volume of honeypot logs changes over time. Very rarely are honeypot logs quiet, meaning that there are no internet scans or malicious activity generating logs. Honeypots can see large increases in activity [1], but this has tended to be the exception, rather than the rule. Within the last few months, however, there has been a dramatic increase in honeypot log volumes and how often these high volumes are seen. This has not just been from my residential honeypot, which has historically seen higher log volumes, but from all of the honeypots that I run and archive logs from frequently. 

     


    Figure 1: Log volumes for multiple honeypots over the last 13-14 months. Recent activity has drowned out earlier traffic volumes, making them appear nonexistent. 

     

    To help demonstrate that other logs do exist, the high volume contributors were filtered out. Any source network (/24 in size) that contributed more than 1,000,000 logs in a day was removed.


    Figure 2: Log volumes over time when filtering out sources that have contributed more than 1,000,000 logs in a day. 

     

    The source of the log volume has been from the web honeypot logs.


    Figure 3: Web honeypot log volumes have been the highest contributor for these outliers. 

     

    More activity can be seen earlier in the year when large volume contributors are taken out. Even though this allows us to see more data prior to April of 2025, there is still an obvious increase in the last few months. 


    Figure 4: Web honeypot logs for the last 13-14 months, factoring out sources that have contributed more than 1,000,000 logs in a single day. 

     

    Previous high volume periods are also unable to be seen easily due to the recent higher log volume. 


    Figure 5: Previous days considered to be anomalous in terms of high-volume traffic barely register in comparison to recent web honeypot logs.

     

    It has not been uncommon to see web honeypot files greater than 1 GB for a day of activity in the last couple of months. In the last few weeks, multiple honeypots have generated logs over 20 GB for one day of activity and for multiple days. In one day, a honeypot generated nearly 58 GB of web honeypot logs, which beat a previous "record" of ~35 GB.


    Figure 6: The volumes are increasing, but are also happening more often, demonstrated by a significant rise in the average size of locally stored web honeypot logs.

     

    So where are these logs coming from and what are they looking for? Since many source IP addresses were seen coming from overlapping subnets, the data was summarized by subnet. The data highlights that some subnets are focused on a small number of unique URL paths.

    Subnet Web Honeypot Hits Unique IP Count Unique URL Path Count Top IP Top URL Path
    45.146.130.0/24 20078392935 6 55 45.146.130.107 /
    179.60.146.0/24 15730010424 2 2 179.60.146.100 /__api__/v1/config/domains [2]
    185.93.89.0/24 4976900543 6 134 185.93.89.185 /
    204.152.199.0/24 4421115971 9 2 204.152.199.8 /
    72.11.141.0/24 4241370914 13 2 72.11.141.14 /
    96.47.225.0/24 3636730956 9 2 96.47.225.5 /
    185.193.88.0/24 3610407610 4 4 185.193.88.178 /__api__/v1/config/domains
    155.94.185.0/24 3165292268 9 2 155.94.185.3 /
    149.56.205.0/24 2718351438 1 3 149.56.205.13 /
    193.111.208.0/24 2517999488 1 3 193.111.208.87 /
    193.29.13.0/24 2248677302 1 2 193.29.13.44 /
    92.63.196.0/24 2204582018 5 4 92.63.196.179 /__api__/v1/config/domains
    80.82.65.0/24 927668585 3 3 80.82.65.127 /
    151.243.93.0/24 560421646 1 3 151.243.93.62 /
    79.141.162.0/24 527387481 1 3 79.141.162.39 /
    83.229.17.0/24 463243368 2 4 83.229.17.112 /
    91.199.163.0/24 447956151 1 2 91.199.163.102 /__api__/v1/config/domains
    141.98.80.0/24 174475074 22 3 141.98.80.136
    46.161.27.0/24 76298489 9 3 46.161.27.97 /
    80.243.171.0/24 68840696 1 18152 80.243.171.172 /
    171.22.28.0/24 60795298 2 2 171.22.28.30 /
    45.227.255.0/24 39617032 7 4 45.227.255.90
    184.105.247.0/24 33156996 46 7 184.105.247.252 /
    213.209.150.0/24 23439064 2 2 213.209.150.239 /
    204.76.203.0/24 17219727 15 1127 204.76.203.206 /
    198.7.119.0/24 14768235 2 5437 198.7.119.14 /index.php
    77.90.153.0/24 13968760 2 144 77.90.153.248 /
    185.218.84.0/24 12687799 13 4 185.218.84.178 /
    65.49.20.0/24 11897736 61 6 65.49.20.68 /
    74.82.47.0/24 9974952 61 6 74.82.47.3 /
    184.105.139.0/24 8966536 60 7 184.105.139.67 /
    111.170.18.0/24 8271554 1 1 111.170.18.49 api.ipapi.is:443
    185.91.127.0/24 7976326 10 27 185.91.127.66 myip.wtf:443
    216.218.206.0/24 6055214 61 6 216.218.206.66 /
    98.82.141.0/24 4647608 1 6724 98.82.141.184
    51.222.26.0/24 4598477 2 7029 51.222.26.42
    23.234.91.0/24 4454070 1 1 23.234.91.166 /
    5.183.209.0/24 3993952 1 6 5.183.209.244 /
    37.19.221.0/24 3922037 4 1 37.19.221.152 /
    149.50.103.0/24 3764760 1 1 149.50.103.48 /
    154.81.156.0/24 3665899 10 10 154.81.156.7 /
    207.167.67.0/24 3593126 7 6 207.167.67.206
    64.62.197.0/24 3456463 240 8 64.62.197.92 /
    207.180.204.0/24 3291942 1 6911 207.180.204.178
    124.198.132.0/24 2937813 14 1 124.198.132.155 /api/sonicos/is-sslvpn-enabled
    132.226.159.0/24 2878302 1 184 132.226.159.101
    84.247.172.0/24 2787287 4 6953 84.247.172.209 /index.php
    193.41.206.0/24 2764461 11 3170 193.41.206.24 /.env
    80.65.211.0/24 2463234 1 6767 80.65.211.20
    185.191.126.0/24 2379847 2 7 185.191.126.248 /
    87.236.176.0/24 2333336 252 4 87.236.176.117 /
    154.83.103.0/24 2276967 23 6369 154.83.103.106 /.git/HEAD
    132.226.122.0/24 2145978 1 184 132.226.122.74
    179.43.168.0/24 2088416 2 74 179.43.168.146 /
    191.252.194.0/24 1999452 1 6725 191.252.194.180
    65.49.1.0/24 1993183 232 8 65.49.1.94 /
    13.41.162.0/24 1933149 1 6725 13.41.162.60
    185.177.72.0/24 1919963 17 3864 185.177.72.111 /.git/HEAD
    179.43.161.0/24 1616473 2 1 179.43.161.218 /
    193.26.115.0/24 1595736 9 15 193.26.115.193 /api/sonicos/is-sslvpn-enabled
    84.201.151.0/24 1568962 1 1281 84.201.151.18 /index.php
    64.62.156.0/24 1519319 219 8 64.62.156.108 /
    75.119.147.0/24 1513333 1 6912 75.119.147.56
    139.144.52.0/24 1504276 1 569 139.144.52.241 /
    79.124.58.0/24 1503070 1 9 79.124.58.198 /
    31.220.89.0/24 1444043 1 6724 31.220.89.104
    157.245.174.0/24 1426128 1 53 157.245.174.148
    94.72.105.0/24 1420774 2 12531 94.72.105.70 /
    78.153.140.0/24 1346725 16 1372 78.153.140.179 /.env
    193.68.89.0/24 1332852 7 6 193.68.89.51 /
    45.148.10.0/24 1328615 33 347 45.148.10.235 /cmd,/simZysh/register_main/setCookie
    148.113.208.0/24 1308479 1 1 148.113.208.45 /
    141.98.11.0/24 1298067 49 811 141.98.11.128 /
    176.65.148.0/24 1217874 34 23 176.65.148.243 /
    84.201.170.0/24 1194041 1 3070 84.201.170.229 /
    84.201.181.0/24 1177504 2 1749 84.201.181.85 /
    162.62.233.0/24 1176321 1 1280 162.62.233.142
    45.84.89.0/24 1106375 2 1 45.84.89.2 /
    195.3.221.0/24 1063626 1 14 195.3.221.137 /
    158.160.162.0/24 1016033 1 8095 158.160.162.122 /

    Figure 7: Common URLs accessed by subnets, with overall subnet activity and the most active IP address for each subnet.

     

    URL Path Total Hits
    / 38,052,002,400
    /__api__/v1/config/domains [3] 33,198,670,474
    /__api__/v1/logon 1,635,235,500
    api.ipapi.is:443 8,270,636
    myip.wtf:443 7,914,843

    Figure 8: 5 Most common URL paths seen for active subnets. 

     

    There is a lot more data to look into, but this activity may require additional action for anyone hosting a honeypot and retaining additional logs. For me, I'm working on archiving more local logs more frequently to save space. This may mean doing high compression zipping of web honeypot logs, potentially twice a day. It may be necessary to consider having over 20 GB of logs per day for multiple days. If log backups and cleanup happen once per week, this may mean storage of 140 GB of just web honeypot logs between backups. 

     

    [1] https://isc.sans.edu/diary/Overflowing+Web+Honeypot+Logs/30416
    [2] https://isc.sans.edu/diary/Web+Scanning+SonicWall+for+CVE202120016+Update/31952/
    [3] https://isc.sans.edu/diary/31906
     

    --
    Jesse La Grew
    Handler

    Keywords:
    0 comment(s)
    ISC Stormcast For Monday, July 14th, 2025 https://isc.sans.edu/podcastdetail/9524

      Comments


      Diary Archives