DShield Cowrie Honeypot Reveals Automated Bot Traffic Patterns and Session Disconnections
What Happened — The SANS Internet Storm Center published new DShield Cowrie honeypot statistics showing that most telnet and SSH sessions are automated bot traffic, with short lifetimes, few commands, and predictable “last‑command” patterns. Researchers note these metrics can help identify fingerprinted honeypots and isolate more interesting sessions.
Why It Matters for TPRM —
- Bot‑driven scans often target third‑party services, exposing supply‑chain attack vectors.
- Understanding automated traffic signatures aids in hardening vendor‑exposed endpoints.
- Early detection of fingerprinting attempts can prevent attackers from tailoring exploits against your vendors.
Who Is Affected — Cloud‑SaaS providers, MSPs, and any organization exposing SSH/Telnet services to the internet.
Recommended Actions — Review exposure of remote access services, enforce strong authentication, monitor for anomalous session lengths, and apply network‑level throttling or tarpitting for suspicious IPs.
Technical Notes — The data derives from Cowrie honeypot logs (telnet/SSH). No specific CVE is referenced. Session duration, command count, and final command patterns are the primary indicators of automation. Source: https://isc.sans.edu/diary/rss/32840
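The three indicators named above (session duration, command count, final command) can be computed directly from Cowrie's JSON log. The following is an added example, not code from the ISC diary or the Cowrie project: the sample events are constructed, and the thresholds and the function names `summarize_sessions` and `unusual_sessions` are assumptions to tune against your own data.

```python
import json
from collections import Counter

# Constructed sample events in Cowrie's JSON log format (one object per line).
SAMPLE_LOG = """\
{"eventid":"cowrie.command.input","session":"b1","src_ip":"192.0.2.10","input":"uname -a"}
{"eventid":"cowrie.session.closed","session":"b1","src_ip":"192.0.2.10","duration":1.8}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"192.0.2.11","input":"uname -a"}
{"eventid":"cowrie.session.closed","session":"b2","src_ip":"192.0.2.11","duration":"2.1"}
{"eventid":"cowrie.command.input","session":"h1","src_ip":"198.51.100.7","input":"cat /proc/cpuinfo"}
{"eventid":"cowrie.command.input","session":"h1","src_ip":"198.51.100.7","input":"ls -la /tmp"}
{"eventid":"cowrie.session.closed","session":"h1","src_ip":"198.51.100.7","duration":412.0}
"""

def summarize_sessions(lines):
    """Per session: source IP, duration in seconds, command count, last command."""
    sessions = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if not isinstance(ev, dict) or "session" not in ev:
            continue
        s = sessions.setdefault(ev["session"], {"src_ip": None,
            "duration": None, "commands": 0, "last_command": None})
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        if ev.get("eventid") == "cowrie.command.input":
            s["commands"] += 1
            s["last_command"] = ev.get("input")
        elif ev.get("eventid") == "cowrie.session.closed":
            s["duration"] = float(ev.get("duration", 0))  # number or numeric string
    return sessions

def unusual_sessions(sessions, max_seconds=30.0, max_commands=5, common_share=0.5):
    # Assumed thresholds: flag sessions that break the short, few-command,
    # common-last-command profile typical of automated traffic.
    last = Counter(s["last_command"] for s in sessions.values() if s["last_command"])
    total = sum(last.values())
    common = {cmd for cmd, n in last.items() if n / total >= common_share}
    flagged = []
    for sid, s in sessions.items():
        checks = [("long_session", (s["duration"] or 0) > max_seconds),
                  ("many_commands", s["commands"] > max_commands),
                  ("rare_last_command", bool(s["last_command"]) and s["last_command"] not in common)]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            flagged.append((sid, reasons))
    return flagged
```

To run it on real data, pass an open Cowrie JSON log file to `summarize_sessions` and review whatever `unusual_sessions` returns; sessions with no close event are kept with an unknown duration rather than dropped.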