
Ddospot, responses look like new connections / attacks #1690

Closed
JackTor opened this issue Oct 30, 2024 · 1 comment

JackTor commented Oct 30, 2024

What OS is T-Pot running on?
Almalinux 9.4

What is the version of the OS lsb_release -a and uname -a?
Linux opcxxxxx 5.14.0-427.13.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Apr 30 18:22:29 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux

What T-Pot version are you currently using (only T-Pot 24.04.x is currently supported)?
Latest git pull

What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
VM

I installed the latest T-Pot version a few days ago, but when I opened the dashboard I saw that I had 49 attacks:

48 ddospot
1 ciscoasa

data/ddospot/log/dnspot.log:
New attack started for quartet ('172.24.0.1', '', 'AAAA', 'IN')
{"src_ip": "172.24.0.1", "src_port": 43783, "opcode": 0, "dns_name": "", "dns_type": "AAAA", "dns_cls": "IN", "time": "2024-10-30 11:51:42.124147"}
New attack started for quartet ('172.24.0.1', '', 'A', 'IN')
{"src_ip": "172.24.0.1", "src_port": 43783, "opcode": 0, "dns_name": "", "dns_type": "A", "dns_cls": "IN", "time": "2024-10-30 11:51:42.520485"}
New attack started for quartet ('172.24.0.1', '', 'AAAA', 'IN')
{"src_ip": "172.24.0.1", "src_port": 38484, "opcode": 0, "dns_name": "", "dns_type": "AAAA", "dns_cls": "IN", "time": "2024-10-30 12:51:43.289977"}
New attack started for quartet ('172.24.0.1', '', 'A', 'IN')
{"src_ip": "172.24.0.1", "src_port": 38484, "opcode": 0, "dns_name": "", "dns_type": "A", "dns_cls": "IN", "time": "2024-10-30 12:51:43.662521"}
New attack started for quartet ('172.24.0.1', '', 'AAAA', 'IN')
{"src_ip": "172.24.0.1", "src_port": 59945, "opcode": 0, "dns_name": "", "dns_type": "AAAA", "dns_cls": "IN", "time": "2024-10-30 13:51:44.434559"}
New attack started for quartet ('172.24.0.1', '', 'A', 'IN')
{"src_ip": "172.24.0.1", "src_port": 59945, "opcode": 0, "dns_name": "", "dns_type": "A", "dns_cls": "IN", "time": "2024-10-30 13:51:44.736614"}

@github-actions github-actions bot added the no basic support info Please follow the guidelines so we can help label Oct 30, 2024
t3chn0m4g3 (Member) commented Oct 30, 2024

Based on the logs provided and the arbitrary high ports, those are expected responses. It would be best to open an issue with the developer of ddospot, as the log could be improved accordingly.

Also note: For some honeypots to reach full functionality (i.e. Cowrie or Log4Pot) outgoing connections are necessary as well, in order for them to download the attacker's malware. Please see the individual honeypot's documentation to learn more by following the links to their repositories.

@t3chn0m4g3 t3chn0m4g3 added upstream-bug and removed no basic support info Please follow the guidelines so we can help labels Oct 30, 2024
@t3chn0m4g3 t3chn0m4g3 changed the title Attack detected in ddospot from source container Ddospot, responses look like new connections / attacks Oct 31, 2024
@github-actions github-actions bot added the no basic support info Please follow the guidelines so we can help label Oct 31, 2024
@t3chn0m4g3 t3chn0m4g3 removed the no basic support info Please follow the guidelines so we can help label Oct 31, 2024
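As an added example (not part of this issue, and not T-Pot's or ddospot's own code), here is a small Python triage script over the dnspot.log lines posted in the issue body. It illustrates the maintainer's reading of the logs: it groups the JSON events by source socket, pairs the A and AAAA lookups that share a source port and arrive within a second of each other (as the posted lines do), and flags events that come from a private address on a high ephemeral port with an empty query name as likely locally generated responses rather than external attacks, so a dashboard count can exclude them. The private-range list, the 32768 ephemeral-port floor and the `likely-local-response` verdict rule are my assumptions; the final 203.0.113.7 entry is a constructed contrast line and does not appear in the issue.

```python
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the dnspot.log excerpt from the issue, plus one constructed
# external query (203.0.113.7, a documentation address) added for contrast.
SAMPLE_LOG = """
New attack started for quartet ('172.24.0.1', '', 'AAAA', 'IN')
{"src_ip": "172.24.0.1", "src_port": 43783, "opcode": 0, "dns_name": "", "dns_type": "AAAA", "dns_cls": "IN", "time": "2024-10-30 11:51:42.124147"}
New attack started for quartet ('172.24.0.1', '', 'A', 'IN')
{"src_ip": "172.24.0.1", "src_port": 43783, "opcode": 0, "dns_name": "", "dns_type": "A", "dns_cls": "IN", "time": "2024-10-30 11:51:42.520485"}
New attack started for quartet ('172.24.0.1', '', 'AAAA', 'IN')
{"src_ip": "172.24.0.1", "src_port": 38484, "opcode": 0, "dns_name": "", "dns_type": "AAAA", "dns_cls": "IN", "time": "2024-10-30 12:51:43.289977"}
New attack started for quartet ('172.24.0.1', '', 'A', 'IN')
{"src_ip": "172.24.0.1", "src_port": 38484, "opcode": 0, "dns_name": "", "dns_type": "A", "dns_cls": "IN", "time": "2024-10-30 12:51:43.662521"}
New attack started for quartet ('172.24.0.1', '', 'AAAA', 'IN')
{"src_ip": "172.24.0.1", "src_port": 59945, "opcode": 0, "dns_name": "", "dns_type": "AAAA", "dns_cls": "IN", "time": "2024-10-30 13:51:44.434559"}
New attack started for quartet ('172.24.0.1', '', 'A', 'IN')
{"src_ip": "172.24.0.1", "src_port": 59945, "opcode": 0, "dns_name": "", "dns_type": "A", "dns_cls": "IN", "time": "2024-10-30 13:51:44.736614"}
New attack started for quartet ('203.0.113.7', 'example.com', 'ANY', 'IN')
{"src_ip": "203.0.113.7", "src_port": 53, "opcode": 0, "dns_name": "example.com", "dns_type": "ANY", "dns_cls": "IN", "time": "2024-10-30 14:00:00.000000"}
"""

# The human-readable banner dnspot writes before each JSON event; it carries no
# extra fields, so the parser skips it and uses the JSON line only.
ATTACK_RE = re.compile(r"^New attack started for quartet \(.*\)$")

# Assumption: Docker bridge networks are carved from the RFC 1918 ranges, and
# traffic relayed from the host shows up with the bridge gateway as its source.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
EPHEMERAL_PORT_MIN = 32768  # assumption: Linux default ip_local_port_range floor


def parse_dnspot_log(text):
    """Return the JSON events in file order, with 'time' parsed to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ATTACK_RE.match(line):
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return events


def classify(ev):
    """Return the indicators that make one event look like a local response."""
    reasons = []
    if any(ipaddress.ip_address(ev["src_ip"]) in net for net in INTERNAL_NETS):
        reasons.append("private-source")
    if ev["src_port"] >= EPHEMERAL_PORT_MIN:
        reasons.append("ephemeral-port")
    if not ev["dns_name"]:
        reasons.append("empty-qname")
    return reasons


def triage(text):
    """Group events by (src_ip, src_port) and give each socket a verdict.

    A socket that sends from a private address on an ephemeral port is judged a
    locally generated response (the pattern in the issue); anything else is
    left as an external event for the analyst.
    """
    by_socket = defaultdict(list)
    for ev in parse_dnspot_log(text):
        by_socket[(ev["src_ip"], ev["src_port"])].append(ev)

    report = []
    for (ip, port), evs in sorted(by_socket.items(), key=lambda kv: kv[1][0]["time"]):
        reasons = set()
        for ev in evs:
            reasons.update(classify(ev))
        times = [ev["time"] for ev in evs]
        report.append({
            "src_ip": ip,
            "src_port": port,
            "types": sorted({ev["dns_type"] for ev in evs}),
            "span_s": (max(times) - min(times)).total_seconds(),
            "reasons": sorted(reasons),
            "verdict": ("likely-local-response"
                        if {"private-source", "ephemeral-port"} <= reasons
                        else "external"),
        })
    return report


def count_external(text):
    """Number of sockets that would still count as attacks after filtering."""
    return sum(1 for r in triage(text) if r["verdict"] == "external")


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print("external attacks:", count_external(SAMPLE_LOG))
```

Run against the posted excerpt, the three 172.24.0.1 sockets each carry one AAAA and one A query less than a second apart and are reported as `likely-local-response`, while the constructed 203.0.113.7 entry remains `external`; the same grouping is what a dashboard filter or an upstream ddospot log change would need to distinguish the two.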