DShield (Cowrie) Honeypot Stats and When Sessions Disconnect, (Mon, Mar 30th)

A lot of the information seen on DShield honeypots [1] is repeated bot traffic, especially when looking at the Cowrie [2] telnet and SSH sessions. However, how long a session lasts, how many commands are run per session and what the last commands run before a session disconnects can vary. Some of this information could help indicate whether a session is automated and if a honeypot was fingerprinted. This information can also be used to find more interesting honeypot sessions. To get an idea of what that variety looks like, I reviewed about 3 years of data from 6 honeypots. Some of the honeypots have been running for different periods of time, but it should give a good overview of different attacks seen on telnet/SSH honeypots. Since I already made a python script [3] that summarizes some of this data for me, it made the process a bit easier. Before going into the details, some of the basic information: Data Timeframe: 4/13/2022 - 3/21/2026 Number of Sessions: 1,206,566 Min Max Median Mean Range (Max-Min) Number of Commands Per Session 0 27742 17.49 20.0 27742 Duration of Sessions (Seconds) 0.041 1563.38 17.42 22.80 1563.38 Figure 1: Basic statistics for Cowrie session durations and number of commands run per session. In most sessions, we see about 20 commands and a session lasts for about 20 seconds. Number of Commands Per Session When a Cowrie session is allowed through, the client connection has the option of running commands. They client may decide to disconnect, run an automated script or run commands manually. Most of the time, there are usually under 30 commands run per session, but there are some sessions that have had over 25,000 commands run in a single session. Figure 2: There are many telnet/SSH sessions interacting with DShield honeypots that run over 25,000 commands in a single session, but most are much lower. Figure 3: Looking at most frequenty occuring number of commands run per telnet/SSH session, the majority are under 50 commads with the most frequent being 22 commands in a session. Commands in session Sessions found Percentage Running total 22 461,561 38.26% 38.26% 20 348,708 28.91% 67.17% 1 104,217 8.64% 75.81% 3 58,850 4.88% 80.69% 9 39,111 3.24% 83.93% 13 28,274 2.34% 86.27% 46 27,595 2.29% 88.56% 5 25,302 2.10% 90.66% 18 20,174 1.67% 92.33% 10 19,188 1.59% 93.92% Figure 4: The top 10 most commonly seen number of commands run in a session accounts for about 94% of the telnet/SSH sessions. Are the sessions with 22 commands similar? To help commands for differnet sessions the commands per session were concatenated and then hashed to arrive at a value that could be compared across sessions. This value would be the same if the same commands were run in the same order. This seemed like a great idea until I found a very small number of similar hashes when looking at sessions with 22 commands. Rather than seeing tens or hundreds of thousands of similar hashes, there were only 4. Looking more closely at the data demonstrated what w