Heat-seeking Honeypots: Design and Experience

Many malicious activities on the Web today make use of compromised Web servers, because these servers often have high pageranks and provide free resources. Attackers are therefore constantly searching for vulnerable servers. In this work, we aim to understand how attackers find, compromise, and misuse vulnerable servers. Specifically, we present heat-seeking honeypots that actively attract attackers, dynamically generate and deploy honeypot pages, then analyze logs to identify attack patterns.

Over a period of three months, our deployed honeypots, despite their obscure location on a university network, attracted more than 44,000 attacker visits from close to 6,000 distinct IP addresses. By analyzing these visits, we characterize attacker behavior and develop simple techniques to identify attack traffic. Applying these techniques to more than 100 regular Web servers as an example, we identified malicious queries in almost all of their logs.

Publisher: WWW 2011
Copyright is held by the International World Wide Web Conference Committee (IW3C2). Distribution of these papers is limited to classroom use, and personal use by others. WWW 2011, March 28–April 1, 2011, Hyderabad, India. ACM 978-1-4503-0632-4/11/03.

Details

Type: Inproceedings