An Analysis of Malfeasant Activity Directed at a VoIP Honeypot

This paper analyses data collected over a nine month period in a simple VoIP honeypot based on simple design initially put forward by Usken(2009). The honeypot collected 2083 events of malfeasant activity directed towards commonly used VoIP ports. These events resulted in a range of activity being recorded from simple enumeration to advanced probing and attempts to compromise the victim honeypot. The analysis involved traditional statistics from packet analysis, using customised scripts for extraction of data and graphical analysis using i2 Analyst Workstation. The analysis has uncovered an escalation of network activity directed towards the honeypot over a nine month period. Initial geographical IP resolutions also see the majority of traffic emanating from the Chinese IP space. There is strong evidence to suggest that there is a botnet or worm like malcode being directed or developed for VoIP routers.