My TFTP honey pot has been running for over a month, continuously on my $5 a month VPS, and intermittently on my Dell R530 home server. It’s time to see what surprises it has captured.
When the TFTP honey pot runs, both servers see between 20 and 50 TFTP packets per day. Both servers see mostly the same traffic. I was extremely excited when I got daily UDP port 69 traffic, most of it in TFTP format. I was let down when I realized most of the traffic was regularly scheduled scans from seven infosec companies.
Infosec company scans
Shadow Servers 5 ERROR packets, about 1 every 11 seconds Code 4, message “Bad Filename” Code 0, message “Access violation” Code 4, message “4”, 1 extra bytes “\x05\x00\x044\x00\x00” Code 5, message “Illegal TID” Code 4, message “Illegal TFTP operation”
packets, about 1 every 11 seconds RRQ for a.pdf , octet, on a different schedule than the burst of ERROR packets Censys RRQ for /a , netascii Driftnet RRQ for file named with 8, randomly-chosen letters, netascii
File name fist pattern “[a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z]”
Sometimes via IPv6 Shodan 16 byte non-conforming UDP payload
hex representation: 00000417271019800000000000034925
Arrives from UDP port 18020 about half the time
bursts of 4-6 packets inside of two minutes, from two or more IP addresses Secretive Palo Alto Networks RRQ for /a , netascii, followed by RRQ for file , octet. Netscout RRQ for file name ay9mfwq7xxmd4w6c7\xa0 , octet Internet Census RRQ, file name /a , netascii
... continue reading