BeerBaron ago

Normally I would say it's nothing to really see here, because it's not uncommon to see something like this. What is curious is that the majority is originating from China. Nah, not curious, that is damn interesting. Also damn interesting is that Norse is flagging them as unknown. Usually when it's just script kiddies it knows what's going on.

EDIT: So I decided to do a little digging. It appears Norse creates a honeypot to mimic specific network destinations to entice attacks. So, what we're seeing isn't an attack on a 'target' so much as Norse's honeypots being activated.

From their CTO: "We have a very large honeypot, where we have, at any given time, over 5m emulations towards the Internet. Meaning we emulate over 5m users, servers, infrastructures on the Internet. We mimic a bank. We put in place honeypots to mimic Microsoft Exchange servers, Linux systems, ATMs. We try to mimic as much as we can of the infrastructure online to make it look attractive to be attacked."

They also have administrative offices in St Louis and have admitted to having a lot of their honeypot locations in the area in press releases.

EDIT 3: It would appear I'm on the right track. Still, quite odd that this 'security company' isn't able to identify the type of attack against their own honeypots. Or maybe just not willing to put that sort of info public?

gryph0n ago

Also a few attacks (very large in fact) originate from the Netherlands and France.