Such is the scale of automated attacks and scanning constantly happening on the Internet.
The vast majority of this sort of traffic is completely automated.
It's just bots scanning the Internet and maybe trying some random payloads to see if they do anything interesting.
As such, your server is going to face attacks.
It might seem like you basically have to just accept this as par for the course.
Thankfully there are some things that you’re able to do.
Implement a honeypot
A honeypot is a tool that is designed to lure in attackers.
It promises juicy information or vulnerabilities that could lead to information but is just a trap.
A honeypot is deliberately set up to bait an attacker in.
There are a few different varieties depending on what you want to do.
A high-interaction honeypot is advanced.
It is very complex and offers lots of things to keep the attacker busy.
These are mostly used for security research.
They allow the owner to see how an attacker acts in real-time.
This can be used to inform current or even future defences.
To that end, they are complex to set up and maintain.
A low-interaction honeypot is basically a place-and-forget trap.
They are typically simple and not designed to be used for deep research or analysis.
By convention, bots, especially search engine crawlers, know to check the robots.txt file.
Legitimate bots, such as a search engine crawler, will respect instructions in this file.
Thus the instructions take a shortcut and say "don't look at this, but you could crawl anything else".
Most hackers and bots will see "don't look here" and then do the exact opposite.
Given that this is known behaviour, though, it's pretty easy to manipulate.
Care must be taken to ensure that legitimate users of the site don't ever go to the honeypot, though.
An automated system like this can't tell the difference between an attacker and a legitimate user.
As such, you have to ensure that no legitimate resources link to the honeypot at all.
You could include a comment in the robots.txt file indicating that the honeypot entry is a honeypot.
This should dissuade legitimate users from trying to sate their curiosity.
It would also dissuade hackers that are manually probing your site and potentially rile them up.
Some bots may also have systems in place to try to detect this sort of thing.
Another method to reduce the number of false positives would be to require more in-depth interaction with the honeypot.
Again, the idea is to make it look legitimate, while it actually leads nowhere.
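The robots.txt trap described above can be checked from ordinary web server access logs. The following is an added example, not code from the original page: it finds clients that requested a honeypot path and builds an IP list, with a stricter mode that only lists clients who interacted further. The path `/backup-admin`, the decoy form submission (a POST), the function names and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed trap path: listed under Disallow in robots.txt, linked from nowhere.
HONEYPOT = "/backup-admin"

# Combined Log Format: ip ident user [time] "METHOD path proto" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "bot"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /backup-admin/ HTTP/1.1" 200 512 "-" "bot"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /backup-admin/login HTTP/1.1" 200 512 "-" "bot"
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "GET /backup-admin?src=robots HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:10:02:00 +0000] "GET /backup-administrator-guide.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
malformed line that the parser must skip
"""

def is_honeypot(path):
    """True for the trap and anything under it, ignoring the query string."""
    path = path.split("?", 1)[0]
    return path == HONEYPOT or path.startswith(HONEYPOT + "/")

def honeypot_hits(log_text):
    """Return {ip: {"visits": n, "posts": n}} for requests to the trap."""
    hits = defaultdict(lambda: {"visits": 0, "posts": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path = m.groups()
        if is_honeypot(path):
            hits[ip]["visits"] += 1
            if method == "POST":
                hits[ip]["posts"] += 1
    return dict(hits)

def blocklist(hits, require_interaction=False):
    """Basic mode lists every visitor to the trap; strict mode lists only
    clients that also submitted the decoy form, to cut false positives."""
    return sorted(ip for ip, h in hits.items()
                  if h["posts"] > 0 or not require_interaction)

if __name__ == "__main__":
    found = honeypot_hits(SAMPLE_LOG)
    print("block (basic): ", blocklist(found))
    print("block (strict):", blocklist(found, require_interaction=True))
```

The exact-or-subpath match matters: a plain prefix test would also flag the legitimate `/backup-administrator-guide.html` page and block a real user.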
Conclusion
A honeypot is a trap.
It's designed to look like it might be of use to a hacker, while it is actually useless.
Basic systems just block the IP address of anyone that interacts with the honeypot.
More advanced techniques can be used to lead the hacker on, potentially for a long period of time.
The former is typically used as a security tool.
The latter is more of a security research tool, as it can give insights into the attacker's techniques.
Care must be taken to prevent legitimate users from interacting with the honeypot.
Such actions would either result in blocking the legitimate user or muddy the data collection.
Thus the honeypot shouldn't be related to actual functionality but should be locatable with some basic effort.
A honeypot can also be a device deployed on a connection.
In this scenario, it's separate from all legitimate functionality.
Thus, anyone that interacts with the honeypot is worthy of review.