Heat-seeking Honeypots: Design and Experience

John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy, and Martin Abadi


Many malicious activities on the Web today make use of

compromised Web servers, because these servers often have

high pageranks and provide free resources. Attackers are

therefore constantly searching for vulnerable servers. In this

work, we aim to understand how attackers find, compromise,

and misuse vulnerable servers. Specifically, we present heatseeking

honeypots that actively attract attackers, dynamically

generate and deploy honeypot pages, then analyze logs

to identify attack patterns.

Over a period of three months, our deployed honeypots,

despite their obscure location on a university network, attracted

more than 44,000 attacker visits from close to 6,000

distinct IP addresses. By analyzing these visits, we characterize

attacker behavior and develop simple techniques to

identify attack traffic. Applying these techniques to more

than 100 regular Web servers as an example, we identified

malicious queries in almost all of their logs.


Publication typeInproceedings
PublisherWWW 2011
> Publications > Heat-seeking Honeypots: Design and Experience