DShield Honeypot Log Volume Increase
The volume of honeypot logs changes over time. Very rarely are honeypot logs quiet, meaning that there are no internet scans or malicious activity generating logs. Honeypots can see large increases in activity [1], but this has tended to be the exception, rather than the rule. Within the last few months, however, there has been a dramatic increase in honeypot log volumes and how often these high volumes are seen. This has not just been from my residential honeypot, which has historically seen higher log volumes, but from all of the honeypots that I run and archive logs from frequently.
Figure 1: Log volumes for multiple honeypots over the last 13-14 months. Recent activity has drowned out earlier traffic volumes, making them appear nonexistent.
To help demonstrate that other logs do exist, the high volume contributors were filtered out. Any source network (/24 in size) that contributed more than 1,000,000 logs in a day was removed.
Figure 2: Log volumes over time when filtering out sources that have contributed more than 1,000,000 logs in a day.
The source of the log volume has been from the web honeypot logs.
Figure 3: Web honeypot log volumes have been the highest contributor for these outliers.
More activity can be seen earlier in the year when large volume contributors are taken out. Even though this allows us to see more data prior to April of 2025, there is still an obvious increase in the last few months.
Figure 4: Web honeypot logs for the last 13-14 months, factoring out sources that have contributed more than 1,000,000 logs in a single day.
Previous high volume periods are also unable to be seen easily due to the recent higher log volume.
Figure 5: Previous days considered to be anomalous in terms of high-volume traffic barely register in comparison to recent web honeypot logs.
It has not been uncommon to see web honeypot files greater than 1 GB for a day of activity in the last couple of months. In the last few weeks, multiple honeypots have generated logs over 20 GB for one day of activity and for multiple days. In one day, a honeypot generated nearly 58 GB of web honeypot logs, which beat a previous "record" of ~35 GB.
Figure 6: The volumes are increasing, but are also happening more often, demonstrated by a significant rise in the average size of locally stored web honeypot logs.
So where are these logs coming from and what are they looking for? Since many source IP addresses were seen coming from overlapping subnets, the data was summarized by subnet. The data highlights that some subnets are focused on a small number of unique URL paths.
Subnet | Web Honeypot Hits | Unique IP Count | Unique URL Path Count | Top IP | Top URL Path |
---|---|---|---|---|---|
45.146.130.0/24 | 20078392935 | 6 | 55 | 45.146.130.107 | / |
179.60.146.0/24 | 15730010424 | 2 | 2 | 179.60.146.100 | /__api__/v1/config/domains [2] |
185.93.89.0/24 | 4976900543 | 6 | 134 | 185.93.89.185 | / |
204.152.199.0/24 | 4421115971 | 9 | 2 | 204.152.199.8 | / |
72.11.141.0/24 | 4241370914 | 13 | 2 | 72.11.141.14 | / |
96.47.225.0/24 | 3636730956 | 9 | 2 | 96.47.225.5 | / |
185.193.88.0/24 | 3610407610 | 4 | 4 | 185.193.88.178 | /__api__/v1/config/domains |
155.94.185.0/24 | 3165292268 | 9 | 2 | 155.94.185.3 | / |
149.56.205.0/24 | 2718351438 | 1 | 3 | 149.56.205.13 | / |
193.111.208.0/24 | 2517999488 | 1 | 3 | 193.111.208.87 | / |
193.29.13.0/24 | 2248677302 | 1 | 2 | 193.29.13.44 | / |
92.63.196.0/24 | 2204582018 | 5 | 4 | 92.63.196.179 | /__api__/v1/config/domains |
80.82.65.0/24 | 927668585 | 3 | 3 | 80.82.65.127 | / |
151.243.93.0/24 | 560421646 | 1 | 3 | 151.243.93.62 | / |
79.141.162.0/24 | 527387481 | 1 | 3 | 79.141.162.39 | / |
83.229.17.0/24 | 463243368 | 2 | 4 | 83.229.17.112 | / |
91.199.163.0/24 | 447956151 | 1 | 2 | 91.199.163.102 | /__api__/v1/config/domains |
141.98.80.0/24 | 174475074 | 22 | 3 | 141.98.80.136 | |
46.161.27.0/24 | 76298489 | 9 | 3 | 46.161.27.97 | / |
80.243.171.0/24 | 68840696 | 1 | 18152 | 80.243.171.172 | / |
171.22.28.0/24 | 60795298 | 2 | 2 | 171.22.28.30 | / |
45.227.255.0/24 | 39617032 | 7 | 4 | 45.227.255.90 | |
184.105.247.0/24 | 33156996 | 46 | 7 | 184.105.247.252 | / |
213.209.150.0/24 | 23439064 | 2 | 2 | 213.209.150.239 | / |
204.76.203.0/24 | 17219727 | 15 | 1127 | 204.76.203.206 | / |
198.7.119.0/24 | 14768235 | 2 | 5437 | 198.7.119.14 | /index.php |
77.90.153.0/24 | 13968760 | 2 | 144 | 77.90.153.248 | / |
185.218.84.0/24 | 12687799 | 13 | 4 | 185.218.84.178 | / |
65.49.20.0/24 | 11897736 | 61 | 6 | 65.49.20.68 | / |
74.82.47.0/24 | 9974952 | 61 | 6 | 74.82.47.3 | / |
184.105.139.0/24 | 8966536 | 60 | 7 | 184.105.139.67 | / |
111.170.18.0/24 | 8271554 | 1 | 1 | 111.170.18.49 | api.ipapi.is:443 |
185.91.127.0/24 | 7976326 | 10 | 27 | 185.91.127.66 | myip.wtf:443 |
216.218.206.0/24 | 6055214 | 61 | 6 | 216.218.206.66 | / |
98.82.141.0/24 | 4647608 | 1 | 6724 | 98.82.141.184 | |
51.222.26.0/24 | 4598477 | 2 | 7029 | 51.222.26.42 | |
23.234.91.0/24 | 4454070 | 1 | 1 | 23.234.91.166 | / |
5.183.209.0/24 | 3993952 | 1 | 6 | 5.183.209.244 | / |
37.19.221.0/24 | 3922037 | 4 | 1 | 37.19.221.152 | / |
149.50.103.0/24 | 3764760 | 1 | 1 | 149.50.103.48 | / |
154.81.156.0/24 | 3665899 | 10 | 10 | 154.81.156.7 | / |
207.167.67.0/24 | 3593126 | 7 | 6 | 207.167.67.206 | |
64.62.197.0/24 | 3456463 | 240 | 8 | 64.62.197.92 | / |
207.180.204.0/24 | 3291942 | 1 | 6911 | 207.180.204.178 | |
124.198.132.0/24 | 2937813 | 14 | 1 | 124.198.132.155 | /api/sonicos/is-sslvpn-enabled |
132.226.159.0/24 | 2878302 | 1 | 184 | 132.226.159.101 | |
84.247.172.0/24 | 2787287 | 4 | 6953 | 84.247.172.209 | /index.php |
193.41.206.0/24 | 2764461 | 11 | 3170 | 193.41.206.24 | /.env |
80.65.211.0/24 | 2463234 | 1 | 6767 | 80.65.211.20 | |
185.191.126.0/24 | 2379847 | 2 | 7 | 185.191.126.248 | / |
87.236.176.0/24 | 2333336 | 252 | 4 | 87.236.176.117 | / |
154.83.103.0/24 | 2276967 | 23 | 6369 | 154.83.103.106 | /.git/HEAD |
132.226.122.0/24 | 2145978 | 1 | 184 | 132.226.122.74 | |
179.43.168.0/24 | 2088416 | 2 | 74 | 179.43.168.146 | / |
191.252.194.0/24 | 1999452 | 1 | 6725 | 191.252.194.180 | |
65.49.1.0/24 | 1993183 | 232 | 8 | 65.49.1.94 | / |
13.41.162.0/24 | 1933149 | 1 | 6725 | 13.41.162.60 | |
185.177.72.0/24 | 1919963 | 17 | 3864 | 185.177.72.111 | /.git/HEAD |
179.43.161.0/24 | 1616473 | 2 | 1 | 179.43.161.218 | / |
193.26.115.0/24 | 1595736 | 9 | 15 | 193.26.115.193 | /api/sonicos/is-sslvpn-enabled |
84.201.151.0/24 | 1568962 | 1 | 1281 | 84.201.151.18 | /index.php |
64.62.156.0/24 | 1519319 | 219 | 8 | 64.62.156.108 | / |
75.119.147.0/24 | 1513333 | 1 | 6912 | 75.119.147.56 | |
139.144.52.0/24 | 1504276 | 1 | 569 | 139.144.52.241 | / |
79.124.58.0/24 | 1503070 | 1 | 9 | 79.124.58.198 | / |
31.220.89.0/24 | 1444043 | 1 | 6724 | 31.220.89.104 | |
157.245.174.0/24 | 1426128 | 1 | 53 | 157.245.174.148 | |
94.72.105.0/24 | 1420774 | 2 | 12531 | 94.72.105.70 | / |
78.153.140.0/24 | 1346725 | 16 | 1372 | 78.153.140.179 | /.env |
193.68.89.0/24 | 1332852 | 7 | 6 | 193.68.89.51 | / |
45.148.10.0/24 | 1328615 | 33 | 347 | 45.148.10.235 | /cmd,/simZysh/register_main/setCookie |
148.113.208.0/24 | 1308479 | 1 | 1 | 148.113.208.45 | / |
141.98.11.0/24 | 1298067 | 49 | 811 | 141.98.11.128 | / |
176.65.148.0/24 | 1217874 | 34 | 23 | 176.65.148.243 | / |
84.201.170.0/24 | 1194041 | 1 | 3070 | 84.201.170.229 | / |
84.201.181.0/24 | 1177504 | 2 | 1749 | 84.201.181.85 | / |
162.62.233.0/24 | 1176321 | 1 | 1280 | 162.62.233.142 | |
45.84.89.0/24 | 1106375 | 2 | 1 | 45.84.89.2 | / |
195.3.221.0/24 | 1063626 | 1 | 14 | 195.3.221.137 | / |
158.160.162.0/24 | 1016033 | 1 | 8095 | 158.160.162.122 | / |
Figure 7: Common URLs accessed by subnets, with overall subnet activity and the most active IP address for each subnet.
URL Path | Total Hits |
---|---|
/ | 38,052,002,400 |
/__api__/v1/config/domains [3] | 33,198,670,474 |
/__api__/v1/logon | 1,635,235,500 |
api.ipapi.is:443 | 8,270,636 |
myip.wtf:443 | 7,914,843 |
Figure 8: 5 Most common URL paths seen for active subnets.
There is a lot more data to look into, but this activity may require additional action for anyone hosting a honeypot and retaining additional logs. For me, I'm working on archiving more local logs more frequently to save space. This may mean doing high compression zipping of web honeypot logs, potentially twice a day. It may be necessary to consider having over 20 GB of logs per day for multiple days. If log backups and cleanup happen once per week, this may mean storage of 140 GB of just web honeypot logs between backups.
[1] https://isc.sans.edu/diary/Overflowing+Web+Honeypot+Logs/30416
[2] https://isc.sans.edu/diary/Web+Scanning+SonicWall+for+CVE202120016+Update/31952/
[3] https://isc.sans.edu/diary/31906
--
Jesse La Grew
Handler
Comments