3607199.3607205.pdf (1.28 MB)

Container Orchestration Honeypot: Observing Attacks in the Wild

Download (1.28 MB)
conference contribution
posted on 2024-04-24, 12:16 authored by Noah Spahn, Nils Hanke, Thorsten HolzThorsten Holz, Christopher Kruegel, Giovanni Vigna
Containers, a mechanism to package software and its dependencies into a single artifact, have helped fuel the rapid pace of technological advancements in the last few years. However, it is not always clear what the potential security risk of moving to the cloud and container-based technologies is. In this paper, we investigate exposed container orchestration services on the Internet: how many there are, and the attacks against them. We considered three groups of container-based software: Docker, Kubernetes, and workflow tools. In a measurement study, we scanned the Internet to identify vulnerable container and container-orchestration services running on default ports. Considering the scan data, we then designed a high-interaction honeypot to reveal where attackers tend to strike and what is being done against exposed instances. The honeypot is based on container orchestration tools installed on Ubuntu servers, behind a carefully constructed gateway, and using the default ports. Our honeypot attracted attackers within minutes of launch. In total, we collected 94 days of attack data and extracted associated indicators of compromise (IOCs), which are provided to the research community to enable further insights. Our empirical study measures the risk associated with container and container orchestration systems exposed on the Internet. The assessment is performed by leveraging a novel design for a high-interaction honeypot. Using the observed data, we extract fresh insights into malicious tools, tactics, and procedures used against exposed host systems. In addition, we make available to the research community a rich dataset of unencrypted malicious traffic.


Primary Research Area

  • Threat Detection and Defenses

Name of Conference

International Symposium on Research in Attacks Intrusions and Defenses (RAID)


Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses

Page Range



Association for Computing Machinery (ACM)

Open Access Type

  • Hybrid


@conference{Spahn:Hanke:Holz:Kruegel:Vigna:2023, title = "Container Orchestration Honeypot: Observing Attacks in the Wild", author = "Spahn, Noah" AND "Hanke, Nils" AND "Holz, Thorsten" AND "Kruegel, Christopher" AND "Vigna, Giovanni", year = 2023, month = 10, journal = "Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses", pages = "381--396", publisher = "Association for Computing Machinery (ACM)", doi = "10.1145/3607199.3607205" }