A Profile of Prolonged, Persistent SSH Attack on a Kippo Based Honeynet

Craig Valli, Priya Rabadia, Andrew Woodard


This paper is an investigation focusing on activities detected by SSH honeypots that utilised kippo honeypot software. The honeypots were located across a variety of geographical locations and operational platforms. The honeynet has suffered prolonged, persistent and attack from a /24 network which appears to be of Chinese geographical origin. In addition to these attacks, other attackers have been successful in compromising real hosts in a wide range of other countries that were subsequently involved in attacking the honeypot machines in the honeynet.


Cyber Security, SSH, Secure Shell, Honeypots, Kippo

Full Text:



Ciampa, M. D. (2010). Security Awareness: applying partical security in your world (3rd ed.). Boston: Course Technology.

desaster. (2015). kippo. Retrieved from https://github.com/desaster/kippo.

Elasticsearch. (2015). https://www.elastic.co/products/elasticsearch: ElasticSearch BV.

Hosting, G. P. (2013). Kippo. Kippo SSH Honeypot Retrieved 09.10.2013, from http://code.google.com/p/kippo/

IDS, S. (2013). SURFcert IDS Retrieved 20/10/2013, from http://ids.surfnet.nl/wiki/doku.php. Kibana (Version 3.1.2). (2015). https://www.elastic.co/products/kibana: Elasticsearch BV. Labs, B. (2011). Installing Kippo SSH Honeypot on Ubuntu Retrieved 27.09.2013, from http://bruteforce.gr/installing-kippo-ssh-honeypot-on-ubuntu.html

Livadas, C., Walsh, R., Lapsley, D., & Strayer, W. T. (2006). Usilng machine learning technliques to identify botnet traffic. Paper presented at the Local Computer Networks, Proceedings 2006 31st IEEE Conference on.

Marechal, S. (2008). Advances in password cracking. Journal in computer virology, 4(1), 73-81.

Oechslin, P. (2003). Making a Faster Cryptanalytic Time-Memory Trade-Of. Paper presented at the The 23rd Annual International Cryptology Conference, CRYPTO '03, Santa Barbara, California, USA.

Popa, B. (2015). More than 97 Percent of Computers in China Now Running Windows, Mostly Pirated Retrieved March 2015, 2015, from http://news.softpedia.com/news/97-Percent-of-Computers-in-China-Now-Running-Windows-Mostly-Pirated-472110.shtml

Pouget, F., & Dacier, M. (2004). Honeypot-based forensics. Paper presented at the AusCERT Asia Pacific Information Technology Security Conference.

Stevens, R., & Pohl, H. (2004). Honeypots und Honeynets. Informatik-Spektrum, 27(3), 260-264. doi: 10.1007/s00287-004-0404-y

Tatham, S. (2015). PuTTY: A Free Telnet/SSH Client, from http://www.chiark.greenend.org.uk/~sgtatham/putty/

TwistedMatrixLabs. (2013). What is Twisted? Retrieved 23.09.2013, from http://twistedmatrix.com/trac/

Valli, C. (2012). SSH: Somewhat Secure Host. Paper presented at the Cycberspace Safety and Security, Melbourne Australia.

Valli, C., Rabadia, P., & Woodward, A. (2013). Patterns and Patter - An Investigation into SSH Activity Using Kippo Honeypots. Paper presented at the Australian Digital Forensics Conference, Edith Cowan University.

Zalewski, M. (2015). p0f v3 Retrieved March, 2015, from http://lcamtuf.coredump.cx/p0f3/


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

(c) 2006-2015 Association of Digital Forensics, Security and Law