There are too many damn honeypots (vulncheck.com)
103 points by albinol0bster on Feb 2, 2024 | hide | past | favorite | 58 comments


I have a hard time believing those are all honeypots. I think it is more likely that deployment configurations (with LBs, proxies, etc.) are more varied than the author expects. It doesn't surprise me at all that there are overlapping and missing indicators of different services exposed on a single port.


Unfortunately, a lot of those are honeypots, even though the number might be unbelievable. A quick look on the first page shows this one[1] claiming to be a PHP web server serving a Java application(!), this other one[2] claims to be an embedded system web server, this one[3] claims that it's a streaming service, this one[4] claims it's a Mac OS X server (how long has it been obsolete again?).

And those are just the headers! Just taking a cursory look at [4], I can see it is claiming to be an ASP.NET server being served by a TP-Link device on one port, all the while also being a QNAP device on another, and also another PHP application served through thttpd. All the while running on AWS...

[1] https://www.shodan.io/host/44.204.245.187

[2] https://www.shodan.io/host/13.246.35.40

[3] https://www.shodan.io/host/16.171.64.23

[4] https://www.shodan.io/host/44.204.245.187
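The header sanity check the comment above does by hand, as an added example that is not from the thread, the article, or Shodan: it flags a host whose per-port records make mutually exclusive claims (one listener claiming both PHP and a Java servlet app, or one IP claiming to be Windows, a TP-Link router, a QNAP NAS and a Mac at once) so it can be set aside before counting "exposed Confluence servers". The record shape and the marker lists are assumptions of this example; the sample hosts are constructed, not real scan data.

```python
# Marker lists are an assumption of this example, not a Shodan feature or a
# complete fingerprint database; they only cover the claims in the comment above.
PLATFORMS = {  # a real box is one of these, not several
    "windows": ("microsoft-iis", "asp.net"),
    "macos": ("mac os x",),
    "tp-link": ("tp-link",),
    "qnap": ("qnap",),
}
RUNTIMES = {  # one listener does not normally claim two of these
    "php": ("php",),
    "java": ("servlet", "tomcat", "jetty", "confluence"),
    "asp": ("asp.net",),
}

def _claims(text, table):
    # Keys of `table` whose markers occur in `text`, case-insensitively.
    low = text.lower()
    return {name for name, markers in table.items() if any(m in low for m in markers)}

def banner_text(service):
    # Flatten the header-like fields of one port record into a single string.
    return " ".join(str(service.get(k, "")) for k in ("server", "powered_by", "title"))

def honeypot_indicators(host):
    """Contradictions found in one host's per-port records; empty means consistent."""
    reasons, platforms_seen = [], set()
    for svc in host["services"]:
        text = banner_text(svc)
        runtimes = _claims(text, RUNTIMES)
        if len(runtimes) > 1:  # e.g. a PHP server serving a Java servlet app
            reasons.append(f"port {svc['port']}: one listener claims {sorted(runtimes)}")
        platforms_seen |= _claims(text, PLATFORMS)
    if len(platforms_seen) > 1:  # e.g. TP-Link on one port, QNAP on another
        reasons.append(f"host claims incompatible platforms {sorted(platforms_seen)}")
    return reasons

def count_exposed(hosts):
    """Count hosts worth reporting once contradictory ones are set aside."""
    return sum(1 for h in hosts if not honeypot_indicators(h))

# Constructed sample records (not real scan data; 192.0.2.0/24 is a documentation
# range) mirroring the contradictions the comment above reads off Shodan.
SUSPECT_HOST = {"ip": "192.0.2.10", "services": [
    {"port": 80, "server": "Apache/2.4.41 (Ubuntu) PHP/7.4.3",
     "powered_by": "Servlet/3.0", "title": "Confluence - Dashboard"},
    {"port": 443, "server": "Microsoft-IIS/10.0", "powered_by": "ASP.NET",
     "title": "TP-LINK Wireless Router"},
    {"port": 8080, "server": "thttpd/2.25b", "powered_by": "PHP/5.6", "title": "QNAP Turbo NAS"},
    {"port": 8443, "server": "Apple Mac OS X Server", "title": "Server Admin"},
]}
PLAIN_HOST = {"ip": "192.0.2.11", "services": [
    {"port": 8090, "server": "Apache-Coyote/1.1", "title": "Log In - Confluence"}]}
```

A real deployment behind a load balancer can legitimately mix products across ports, so treat the output as a reason to look closer, not as proof.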


I'm stupid, so please be patient: who puts up these honeypots? Why are they there? (I know in principle what a honeypot is.)


I do, and I'm not a security researcher (not really).

If nothing else, it's fun to see who pokes you, even if I don't actually follow up on it.


Thanks!


Conspiracy Theory: The proliferation of honeypots is due to secret government contracts attempting to corrupt the usefulness of Shodan and the like.


Automated Chaff for the information age.


Note that all of them have been flagged as honeypots by Shodan (see the "Tags" section below the IP in the top left).


My thoughts exactly after seeing how many Confluence servers were reporting as F5 devices. That's exactly what BIG-IP does...

I wouldn't conclude that to be a honeypot. If anything, BIG-IP and Confluence are frequently used by the same kinds of companies, so I would expect the majority of that first query to be real Confluence servers. Queries 2-4 probably did a better job filtering out real honeypots.

In reality, there might be about as many honeypots as there are real Confluence servers, which is still far too many, but not quite as extreme a disparity as suggested by the numbers in this article.


Maybe they are actually real Confluence servers pretending to be honeypots. It's like the iocaine powder scene from Princess Bride.


Is it at all possible that some widely deployed security product has a Confluence honey pot as a standard feature?


AI Honeypot network infrastructure generator (HoneypotGPT?) could be fantastic.

You could imagine it wasting the resources of hackers convincingly enough that it would water down the potential effect of hacking online generally. It could even make up fake internal documents and state secrets.

I'm only half joking (I think)?



This looks awesome, glad to see the internet is one step ahead of me!


The other day I saw the retraction of a leak of customer data, on the grounds that the claimed data was very obviously from an LLM, which outsiders could trust wasn't just the company saying so because of things like "the email addresses don't match the people's names" and "the zip codes don't correspond to the states they're supposedly in".

Unfortunately, I can't remember the name of the place that denied the leak, which makes it hard to search for amongst the torrent of attacks that I find in search results.


Yup, hard to find these days, but here you go:

It was Europcar https://twitter.com/BleepinComputer/status/17524608970316843...

And it wasn't LLM/AI generated, just good old faker apparently https://twitter.com/KasadaIQ/status/1753201379043365326?t=IZ...


Why attribute to normal/boring/commodity tools that which can be attributed to "LLMS" and "AI" and "CHATGPT"?


> Why attribute to normal/boring/commodity tools that which can be attributed to "LLMS" and "AI" and "CHATGPT"?

Because they're really good at this, and even idiots can use them.

What I want to know is why people capitalise things that aren't acronyms or initialisms, e.g. "MAC"[0], "SWIFT"[1], the "S" in "LLMS", and the "HAT" in "CHATGPT" :P

[0] The brand which is a contraction of Macintosh, not to be confused with Medium Access Control or several other things.

[1] As in the language, not the Society for Worldwide Interbank Financial Telecommunication.


ROTH is always my favorite one as in ROTH IRA. It's named after a person [0].

[0] https://en.wikipedia.org/wiki/Roth_IRA


Or 'Zip code'.

It's ZIP code.

Annoys the heck out of me...


Typoes.


Would you believe that Neal Stephenson had this idea in Anathem, written in 2008?

Someone quotes from the novel here: https://news.ycombinator.com/item?id=14554765


If it's this easy to filter honeypots, then the real folks that know what they are doing will already be doing this, and these honeypots are just going to be picking up details about amateur script kiddies.


The real folks already know what they're doing, but the majority of "attacks" aren't real folks who are determined to hit specific targets; it's people who just throw everything at the wall to see what sticks, and this is what the honeypots catch.


The "real" folks aren't putting a lot of effort into spamming random Confluence installs. Being targeted individually is a separate class of problem.


There is actually a report on the frontpage today about Russian SVR attacking pretty random vulnerable installations of JetBrains TeamCity. Even very "real" folks do these kind of opportunistic attacks.


probably still worth it


As the owner of honeypot.net, I agree. We should have just the one.


Cool. Honeypot.com was registered a few months ahead of yours. Did you miss it, or do you own that domain too? `honeypot.com` was registered in 1998.


I missed it.


And some dude's out there just planning to sell pots of honey.


A secondary issue here is that these are largely low quality honeypots that are easily avoided by actual attackers (and are avoided by many in practice) and solely seem to exist to fuck up statistical measurements.

I've run honeypots, I still run some - it's not hard to do properly. There are hundreds of thousands of them clogging up search results on Shodan, etc., though, that are absolute rubbish.


Can you imagine what it would do to the planet's productivity if there were that many actual Confluences? I mean, phew!


Hard disagree.

There's nowhere near enough honey pots. I'm running endless on my home server, and a WordPress "login" that just delays 5 seconds before denying on a VPS. I've run Cowrie and a full blown WordPress honey pot in the past.

If everyone who could did run honey pot(s), the scanners, spammers and bottom-feeding lowlifes would find it unprofitable to do simple, dumb things. Same as if everyone picked up every phone call and chatted up the scammers.


> Same as if everyone picked up every phone call and chatted up the scammers.

In case anyone is not aware, this is an entire Twitch/YouTube genre.


I'm pretty sure you mean endlessh https://hub.docker.com/r/linuxserver/endlessh


Why, yes, I do. Thank you very much, Autocorrect!


I usually answer and tell them my name is Ben Chode and I'm 69 years old


Nice


You could just not answer the phone...


The theory is that by chatting with the scammers, they have to expend resources (time, which is money) in order to attempt to scam you. This won't convert and thus reduces their capability to actually harm another individual.


Let AI talk with them? "GPT, you are a honeypot for scam phone calls to waste their time." Until GPT phones with GPT.


Precisely what this guy is doing: https://jollyrogertelephone.com/


I've done this a few times. A few years ago I got a call about some Microsoft Windows something or other and decided to play along. After 30 min of hilariously bumbling through his steps I got on my high horse and shamed them for hurting mostly vulnerable people, etc. For whatever reason, they didn't hang up at my yapping and it evolved into an actual conversation. They talked about there not being any jobs, taking this one because it has the veneer of a real tech support job and helped them practice English, earning enough so their young sibling(s) could attend school rather than work, long-term career plans, etc. I half suspected I was being put on and would be hit up for money, but in the end we just thanked each other for sharing our perspectives and went on with our jobs. No real takeaway, but I still appreciate the small vignette into their daily life, or at least the story they told.


^^Bonus points if you pretend to be old. They're looking to prey on old/senile folks who don't know any better/can be easily confused. Their defense is always "they're rich Americans, they can afford it" but the reality is the folks they're preying on are more often than not on a fixed income and absolutely the most vulnerable of our population.

Scum of the earth.


At the end of the day the number of instances that are publicly available is just clickbait in an article. What really matters is whether or not this is being actively exploited in the wild. I have my own issues with Clickbait and dramatization of vulnerabilities, but I don't think this is necessarily something that we should be concerned about (as-in I think that this vulnerability is pretty damn bad and should be patched, regardless of if there are 2k or 200k instances).

Sure some metrics around "number of instances out in the wild" will determine if threat actors put resources into developing mass-scale exploitation, but if you are patching for a company it doesn't REALLY matter.

If you are a target and are exploitable it doesn't matter how many honeypots are reporting as Confluence -- you will be breached if your Confluence server is vulnerable and exposed.

The best argument against honeypots would be that if we had some active group that was working with all affected users to patch and verify patches, if that was the case then the honeypots are a detractor. News outlets should do their best to get the best information, but this is the least-worst thing around vulnerability reporting IMO.


> Determining the number of internet-facing hosts affected by a new vulnerability is a key factor in determining if it will become a widespread or emergent threat. Are there a lot of hosts affected? Pretty good possibility things are about to pop off. Only a few hosts? Probably less likely.

> Understanding the scale of an issue is important, and therefore, being precise about the number of potentially impacted hosts is important too. Those who copy overinflated statistics or haven’t done their due diligence are making vulnerabilities appear more impactful than they truly are.

I don’t really understand the logic here. What does it mean for a vulnerability to “pop off?” I can see some argument for worrying about the number of “friends” you have in the vulnerable population in the case of something like a worm, since all of your “friends” are potential attackers. But for normal vulnerabilities you should fix it regardless of the popularity. Who cares if it becomes widespread?

And of course any effort wasted in honeypots is great.


Measuring accurately how many hosts are vulnerable to a particular attack is important for companies who sell security consulting or security protection services.


Sure, for the company they're being hired to protect.

But the Internet at large? Those numbers don't matter.

I don't care if there's 4,000 vulnerable Confluence servers or if there's 247,000. I care if my Confluence server is vulnerable.


That may have a positive effect, like being a tarpit for bad players (that should be more than "legal" vulnerability scanners). If that slows them down enough with attractive enough false positives, it may protect the real exposed ones a bit.


Why would there be 240,000 confluence honeypots? Who would be running them? For what purpose?


These aren't just confluence honeypots though. They serve multiple combinations of headers as I described in my other comment[1], so that they can catch the most amount of attackers.

[1] https://news.ycombinator.com/item?id=39232102


What do you mean by "catching attackers"? What do you gain by having that information? And, again, 240k individual instances all "catching attackers"?

So many questions


That was my thought as well. Are these infosec hobbyists?


Are there any humans out there? Hello?!


That's what a honeypot would say.


ping


Dead internet theory says no.



