SSH Honeypots Overlook Non-Interactive Attacks

Recent research has revealed that traditional SSH honeypots may be missing the majority of post-login attacks due to their focus on interactive shell sessions. A study titled “Ghost Without Shell: Measuring Non-Interactive SSH Attacks on Honeypots” conducted by researchers from the Czech Technical University indicates that most attackers utilize automated, non-interactive commands that execute instantly and disconnect, leaving many honeypots blind to critical attack behavior.

In their experiment, the researchers deployed eleven high-interaction SSH honeypots across cloud infrastructure for 15 days, capturing 177,622 authenticated sessions. The findings were striking: 99.23% of sessions were non-interactive, while only 0.10% involved interactive shell access. File transfer attempts accounted for just 0.67%. These results were independently validated using a large dataset from the CZ.NIC Cowrie honeypot network, confirming the same pattern at scale.

SSH Honeypots Miss Post-Login Attacks

This discovery challenges the core assumption in SSH honeypot design that attackers log in and manually execute commands within an interactive shell. Many modern honeypots, including those powered by large language models, are built specifically to simulate realistic shell environments and measure success based on how long attackers stay connected or how many commands they issue. However, the study shows that such metrics are increasingly irrelevant. In most cases, attackers authenticate, run a single command using SSH’s exec mode, and disconnect in under a second.

These commands are typically automated and designed for reconnaissance or verification rather than prolonged interaction. Common commands observed include system profiling queries such as uname, whoami, uptime, and nproc, which attackers can use to assess the target environment quickly. The researchers identified over 9,000 unique command strings, but a small subset accounted for a large share of activity, indicating coordinated automated campaigns.

More notably, the study highlights verification probe commands designed to determine whether a target is a real system or a honeypot. For example, attackers used base64 decoding or arithmetic operations like echo $((7*6)) to check if the system returns accurate results. These tests are particularly effective against LLM-based honeypots, which may generate plausible but incorrect outputs. In total, the researchers identified over 2,000 such verification attempts. Some probes also checked for known honeypot artifacts, such as specific processes or writable system files, though these were less common.

The implications for cybersecurity research and defense are significant. Honeypots that focus solely on interactive shell sessions may capture only a fraction of actual attacker behavior, leading to skewed insights and ineffective detection strategies. Similarly, evaluating honeypot performance based on engagement duration or interaction depth may no longer reflect real-world threats.

According to the Czech Technical University, SSH honeypots should support non-interactive command execution and deliver accurate command responses. Success should be measured by whether the system behaves like a real host.

This research underscores the need for cybersecurity tools to evolve in response to changing attacker tactics. By adapting honeypot designs to capture non-interactive sessions and focusing on accurate emulation of real systems, defenders can gain a more comprehensive understanding of threat landscapes and enhance their defensive strategies.