John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy, and Martin Abadi
Many malicious activities on the Web today make use of
compromised Web servers, because these servers often have
high pageranks and provide free resources. Attackers are
therefore constantly searching for vulnerable servers. In this
work, we aim to understand how attackers find, compromise,
and misuse vulnerable servers. Specifically, we present heatseeking
honeypots that actively attract attackers, dynamically
generate and deploy honeypot pages, then analyze logs
to identify attack patterns.
Over a period of three months, our deployed honeypots,
despite their obscure location on a university network, attracted
more than 44,000 attacker visits from close to 6,000
distinct IP addresses. By analyzing these visits, we characterize
attacker behavior and develop simple techniques to
identify attack traffic. Applying these techniques to more
than 100 regular Web servers as an example, we identified
malicious queries in almost all of their logs.
Copyright is held by the International World Wide Web Conference Committee (IW3C2). Distribution of these papers is limited to classroom use, and personal use by others. WWW 2011, March 28–April 1, 2011, Hyderabad, India. ACM 978-1-4503-0632-4/11/03.