Detecting Large Scale Automated Attacks Using Honeynet Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Abstract- The last few years have seen a steady rise in the occurrence of large scale automated attacks. A large number of zombie computers which are part of a single botnet which has a number of compromised hosts can be utilized to launch attacks against specific class of Internet users such as enterprises, academic campuses, web servers, and home users. In this paper, we focus on detection of large scale automated attacks .Honey nets can become a great tool for detection of automatically spreading malwares.

The current experimental setup was deployed with three windows machines to study the methodology of large scale automated attacks performed by malwares which can be executed automatically in a particular scenario. We deployed three machines one with a web server and a hosted website and two windows XP machines with similar configurations so as to simulate a small network.


Automated attack includes an intelligent and autonomous programs or code, which can run on a computer and spread through networks without user intervention. Automated attacks usually spread to other networks with the help of worms. Worms are similar to biological virus in self replicating and propagation behaviours

Signs of an automated attack are as follows:

• Several different types of attack, in quick succession

• Exploits not designed specifically for the platform attacked

• The same attack tried over and over again in quick succession, without changing any parameters

• Typing too fast to be done by person, without any typos

• Exploit code used is specific for the platform attacked

Signs of a Manual attack:

• Random typos in commands, with a lot of retyping

• Random periods of time between different mechanisms of attack

• Signs of prior intelligence gathering (such as pinging or port scans)


There are number of methods used by malware to propagate further, e.g. usb devices other propagation strategies like e-mail. Therefore, we can only give a lower bound for the amount of autonomous spreading malware in our environment.

The usage of honey pots allows us to carry out a study like this without privacy issues: since the honey pot is just a network decoy which should not receive any network connections at all, any interaction with the honey pot is malicious by definition.

Fig1 shows the flow of our detection model, Data from various honeypots is captured on a honeywall ,The data includes two main components Network Activity and Host Activity, We segregated Scanning activity and Download activity, Data from both the activities are correlated ,For correlation we use time window ,After the attack profiles are extracted we categorize them into automated and manual attacks.






Honey net Flow Data + Sebek Data

Scanning Download Sebek Logs

Network Activity Host Activity


Attack Categorization

Automated Attacks

Manual Attacks

Fig:1 Detection Model Flow


Management Interface (walleye)




Virtual Environment





Three-system virtual


Fig:2 Experimental Setup

We have used three virtual honey pots based honey net tested system which has following main components:


A Honey wall is the honey net gateway used to implement data control and data capture. Normally it operates as a layer two bridge between the honey pots in your honey net, and your production network. This is one of the most critical elements of a honey net.

Management Interface

Honey wall management interface is a web interface and has all the functionality of the Dialog Menu and more. Not only can it be used for administration, but for full system data analysis Walleye means the web based user interface that is used for Honey wall administration, configuration, and data analysis

Three system virtual Honey pots

Three Virtual Honey pots are deployed which are connected through a virtual switch to honey wall and Management interface .Two Windows XP machines with similar configuration and one windows 2003 Advanced Server machine.

Fig:3 Sudden Rise In Number of Connection after

system gets infected


Our analysis process starts form Management interface, Once the system gets infected huge activity is reported from the IP xxx.129.220.204 as the machine gets infected starting from thousands of connection per hour, Activity increases to lakhs of connections per hour this acts as a triggering point for our analysis.

From the triggering point we started inspecting the alerts through our Management interface and found the IP xxx.129.140.142 tries to infect our three honeypots at same time 14:43:42 this also points to the fact that it is automated attack.

Fig:4 Single IP Trying to infect three honeypots at same time

As such a huge number of connections are made to our honeypots to and fro and xxx.129.220.204 is also performing a large number of scans to other pc we assumed that some malware is downloaded as huge activity is reported on ports 135,445, 139 etc and as these are ports which are most commonly exploited by the automated malwares, which was shown in my previous case study.

Total No of connections

xxx.129.220.202: 515

xxx.129.220.203: 517

xxx.129.220.204: 474884

From no of connections we observed that infected honeypot is xxx.129.220.204

Ports on which maximum communication took place: 135, 445,139

Honeypot Infected :xxx.129.220.204

Forensic analysis of infected machine is performed

1 Malware binary found

Name : : unwise_.exe

Size: 139 KB

MD5: 59617f9be33989ba12e6fb2ca5bd4e42

Ports on which maximum communication 135,445,139

Port on which most outbound scanning is performed 445


The system gets attacks, scans and probes on following ports just before it gets infected.

Top Attacked Ports

Fig:5 Top Attacked Ports

Activity Performed by honeynet after it gets infected

Fig:6 Outward Scans performed by the system after getting infected


Validation of Results is done as we installed Bothunter which confirms that two windows XP Machines gets infected by

To study behavior of malware infected machine we used BOTHUNTER

Bot Hunter shows the malware download source IP(egg Source IP) and some activity performed by Infected machine(xxx.129.220.204) It Became infected and become BOT it try to infect other machines

After some time all our three machines got infected and become bot

Above stated malicious IP xx.21.41.66 is egg source IP found by bot hunter



Machines gets request from automated malware infected PC's in the network and this continues until the machine gets infected.

Two windows xp machines gets infected at same time if there were 10 machines in network they would also get infected at same time and large army of zombie machines is ready to attack other system.

A huge traffic is generated when one machine gets infected, if a number of machines get infected at same time it can easily choke the network.

This experiment also gives insight to large scale coordinated attacks on a network.