HeadlinesBriefing favicon HeadlinesBriefing.com

TFTP Honeypot Reveals Infosec Company Scans

Hacker News •
×

My TFTP honeypot has been running for over a month on a $5/month VPS and intermittently on a Dell R530 home server. Both servers see 20–50 TFTP packets per day, mostly from seven infosec companies conducting regularly scheduled scans on UDP port 69.

Shadow Servers sends bursts of ERROR packets every 11 seconds. Censys, Driftnet, and Internet Census request files like "/a" or random 8-letter names. Shodan transmits non-conforming 16-byte payloads from port 18020. Palo Alto Networks probes in pairs 45 seconds apart, averaging 24.09 hours between pairs (range 14–33.65 hours). Netscout uses unique filenames. Alpha Strike Labs requests "r7tftp.txt".

Cryptic probes include directory traversal attempts ("..\\..\\..\\..\\boot.ini"), PXE boot files, and config files from 199.115.115.137. Most scans merely identify listening TFTP servers; some fingerprint server software via ERROR/OACK responses. Few probes target known CVEs. The irony: most TFTP traffic comes from security researchers, not attackers.