Visualizing Real-World Attack Patterns from a Home Lab Environment
Total GuardDuty Findings: 412 (unique security events detected)
Most Probed Service: RDP (3389), Remote Desktop Protocol
Top Attacker Origin: Netherlands (based on IP address geolocation)
The analysis of source IP addresses from GuardDuty findings reveals a geographically diverse and automated threat landscape. These attacks are not targeted but are part of broad, internet-wide scanning campaigns looking for any vulnerable machine.
Attackers overwhelmingly target a small set of well-known ports associated with remote access and database services. This highlights a focus on finding systems with weak credentials or unpatched vulnerabilities in common services.
Network traffic volume correlates strongly with malicious activity. The primary honeypot instance (`i-0057...`) absorbed over 222 MB of traffic, the vast majority being inbound scans and connection attempts. This demonstrates the sheer volume of unsolicited traffic a public-facing instance can attract.
The home lab's layered security monitoring provides a comprehensive view of an attack. Each tool plays a critical role, from initial detection to detailed interaction analysis, demonstrating a defense-in-depth strategy for visibility.
1. External Scan: attacker IP scans public IP space
2. GuardDuty Alert: detects malicious IP and port probe
3. VPC Flow Log: records ACCEPT/REJECT network action
4. Honeypot Log: captures detailed protocol interaction
The wide range of source IPs and the focus on common ports (RDP, SSH, Telnet) indicate automated scanners, not targeted attacks. They relentlessly search the entire internet for low-hanging fruit.
Never expose management ports like RDP or SSH to the public internet (0.0.0.0/0). Use bastion hosts, VPNs, or cloud-native connection tools (like AWS SSM Session Manager) instead.
Port 3389 (RDP) was the most-probed service by a large margin. This is a common entry point for ransomware attacks, making its protection absolutely critical.
The high number of 'REJECT' actions in VPC Flow Logs confirms that security groups are working. Regularly audit them to ensure only necessary traffic from specific, trusted IPs is allowed.
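The audit described above can be partly automated against the flow logs themselves. The following is an added example, not part of the original write-up or the lab's tooling: it parses default-format (version 2) VPC Flow Log records, counts REJECTs per management port, and flags any ACCEPTed inbound connection to those ports, which is the condition the security group should prevent. The log lines are constructed sample data, not the lab's real records.

```python
from collections import Counter
from dataclasses import dataclass

# Default (version 2) VPC Flow Log record layout, space-separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Management/legacy ports the write-up identifies as the most-probed services.
WATCHED_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP"}

@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    dstport: int
    action: str

def parse_flow_log(text):
    """Parse default-format flow log lines. Skips the header line and any
    NODATA/SKIPDATA records, which carry '-' in place of addresses/ports."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue  # header or unexpected layout
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no usable 5-tuple in this record
        records.append(FlowRecord(rec["srcaddr"], rec["dstaddr"],
                                  int(rec["dstport"]), rec["action"]))
    return records

def summarize_probes(records):
    """Return REJECT counts per watched port, plus a list of (src, port) for
    ACCEPTed connections to those ports. A non-empty list means the security
    group admits management traffic that should be reviewed."""
    rejects, accepted_mgmt = Counter(), []
    for r in records:
        if r.dstport not in WATCHED_PORTS:
            continue
        if r.action == "REJECT":
            rejects[r.dstport] += 1
        elif r.action == "ACCEPT":
            accepted_mgmt.append((r.srcaddr, r.dstport))
    return rejects, accepted_mgmt

# Constructed sample records (documentation/test IP ranges, not real attackers).
SAMPLE_LOG = """version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0abc 198.51.100.7 10.0.1.20 51234 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.20 51235 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 203.0.113.9 10.0.1.20 44000 22 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 203.0.113.9 10.0.1.20 44001 23 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 192.0.2.44 10.0.1.20 60000 3389 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    rejects, accepted = summarize_probes(parse_flow_log(SAMPLE_LOG))
    for port, n in rejects.most_common():
        print(f"{WATCHED_PORTS[port]:7} ({port}): {n} REJECT")
    for src, port in accepted:
        print(f"REVIEW: {src} ACCEPTed to {WATCHED_PORTS[port]} ({port})")
```

Pointing `parse_flow_log` at a real export (for example, lines pulled from the CloudWatch Logs group) gives the same per-port REJECT ranking the dashboard reports, and an empty `accepted` list is the expected result when the security group allows no public management access.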
The honeypot's success relies on mimicking a default or poorly configured server. This experiment proves that deploying any service without immediate hardening invites compromise.
While the Netherlands was the top source, significant activity came from the US, Germany, and others. This diversity makes IP-based blocking a challenging and often ineffective primary defense strategy.
GuardDuty automatically uses threat intelligence lists (such as Proofpoint's) to identify known malicious hosts. Consider integrating other threat feeds into your firewall or WAF rules for proactive blocking.
The combination of GuardDuty (alerts), VPC Flow Logs (network metadata), and Dionaea logs (application-level detail) provides a powerful, multi-layered view of security events. You can't protect what you can't see.
The presence of Telnet (port 23) and SMB probes shows that attackers still check for old, insecure services, likely hoping to find them on misconfigured or forgotten legacy devices connected to the network.
This home lab project provides more realistic insights into attacker TTPs (Tactics, Techniques, and Procedures) than any textbook. It's a practical, effective way to build real-world cybersecurity skills.