Previously we announced that our SIP honeypot data was available for download. Subsequently we advised that the baddest of bad sources were blocked at the very edge of our network. Effective immediately you will find additional files named such as honeypot_IPprefiltered_*.csv.
As the name suggests, these files show source IP addresses which have generated traffic dropped before it got to the honeypot. However, to be included in this list the traffic must have specifically been SIP traffic targeting the Honeypot.
General traffic blocked is not included and neither is the more granular superset of data blocked inside the network (before entering our production VoIP network). To benefit from this data you should subscribe to ThreatSTOP.
This new report is useful for forming a complete picture of bad sources in your own analysis. Frequently attackers who hit the honeypot very hard will also trigger other alerts and are deemed bad enough to be blocked on the network edge without collateral damage. This of course means they no longer append the honeypot reports either. You can now see these sources and identify those who remain troublesome despite no longer hitting the honeypot.
Customers behind the Simwood network using our IP Transit benefit from this research and more automatically. Those not on our network or wishing for a more bespoke level of protection should use ThreatSTOP – please contact us for a free trial.
This data is provided as is, without warranty and is used at your own risk.