Report an incident: incidents[at]govcert{dot}ch
General inquiries: outreach[at]govcert{dot}ch
The following email address can be considered as point of contact for FIRST members and other CERTs/CSIRTs: incidents[at]govcert{dot}ch
The data is collected by various SSH honeypots operated by GovCERT, most of which are located in Switzerland. GovCERT currently collects information about the background noise on the Internet. This information serves to distinguish targeted attacks from semi-targeted and non-targeted ones. If an offending IP has been observed on different honeypots regardless of their location, the attack is most likely non-targeted. If an IP is observed at only one honeypot, it may be interesting. If it is observed on non-exposed honeypots within sensitive networks, the attack may be targeted and should be analysed further. Additionally, the statistics clearly show that some networks are the origin of many attacks; these may be blocked to avoid any risk and to reduce the volume of log files to be analysed.
The Honey Net needs to be developed further, using more protocols and more probes. In a second step, probes should be placed within specially guarded network zones in order to detect targeted attacks. Networks from which a large number of attacks originate over a longer period should be blocked at the perimeter.
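The triage rules and the network-blocking criterion described above can be expressed as a short script. This is an added example, not GovCERT's code: the event format, honeypot names, sample events, the /24 grouping and both thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_network

# Constructed sample events: (day, source IP, honeypot id). Addresses are
# RFC 5737 documentation ranges; honeypot names are hypothetical.
EVENTS = [
    (date(2024, 1, 1), "198.51.100.7", "hp-zrh-1"),
    (date(2024, 1, 9), "198.51.100.7", "hp-gva-1"),
    (date(2024, 1, 20), "198.51.100.99", "hp-ber-1"),
    (date(2024, 1, 5), "203.0.113.5", "hp-zrh-1"),
    (date(2024, 1, 6), "192.0.2.44", "hp-internal-1"),
]
# Honeypots not reachable from the Internet, placed in sensitive networks.
NON_EXPOSED = {"hp-internal-1"}

def classify_sources(events, non_exposed=NON_EXPOSED):
    """Label each source IP using the triage rules described in the text."""
    seen = defaultdict(set)
    for _day, ip, honeypot in events:
        seen[ip].add(honeypot)
    labels = {}
    for ip, honeypots in seen.items():
        # Assumption: any hit on a non-exposed honeypot takes priority.
        if honeypots & non_exposed:
            labels[ip] = "possibly-targeted"   # analyse further
        elif len(honeypots) > 1:
            labels[ip] = "non-targeted"        # background noise
        else:
            labels[ip] = "interesting"         # seen at one honeypot only
    return labels

def block_candidates(events, min_events=3, min_days=14, prefix=24):
    """Networks with many events spread over a longer period (assumed thresholds)."""
    per_net = defaultdict(list)
    for day, ip, _honeypot in events:
        per_net[ip_network(f"{ip}/{prefix}", strict=False)].append(day)
    return sorted(
        str(net) for net, days in per_net.items()
        if len(days) >= min_events and (max(days) - min(days)).days >= min_days
    )

if __name__ == "__main__":
    for ip, label in sorted(classify_sources(EVENTS).items()):
        print(ip, label)
    print("block candidates:", block_candidates(EVENTS))
```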