SANS Internet Storm Center

Why is my Honeypot a Russian Certificate Authority?

Last night, I noticed a lot of requests to one of our honeypots for "/ocsp.srf" and "/itcom2020/ocsp.srf". The requests all looked very similar:

GET /itcom2020/ocsp.srf HTTP/1.1
User-Agent: fasthttp

GET /ocsp/ocsp.srf HTTP/1.1
User-Agent: fasthttp

The same source IP also attempted CONNECT requests to these hostnames, indicating that it may be looking for an open proxy.

So far, I am not sure what these scans are about. Is anybody else seeing this, or does anyone know more about what may be happening? The combination of CONNECT requests and OCSP requests may suggest that someone is attempting to use my honeypot as a proxy, or has it misconfigured as a proxy. But there is no payload to the OCSP requests.

OCSP, the "Online Certificate Status Protocol," is a more modern alternative to "CRL"s (Certificate Revocation Lists). A client connecting via TLS will receive an OCSP URL as part of the certificate. OCSP implements a web service that may be used to verify if the certificate is still "good." Alternatively, the TLS server may attach a recently created OCSP message with the certificate ("OCSP Stapling"). For Let's Encrypt, for example, the OCSP URL is A typical OCSP request would include additional data on the URL.
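To make the "no payload" observation concrete, here is an added example (not code from the diary or from the ISC) that builds a minimal RFC 6960 OCSPRequest with the Python standard library, encodes it the way an OCSP GET carries it (base64 of the DER, URL-encoded, appended after the responder path), and then classifies honeypot request lines by whether the path actually contains a decodable request. The issuer name, issuer key, serial number, log lines and the `example.invalid` CONNECT target are all constructed placeholders.

```python
"""Added example: a real OCSP GET path versus the bare "/ocsp.srf" probes (stdlib only)."""
import base64
import hashlib
import urllib.parse

SHA1_OID = bytes.fromhex("06052b0e03021a")  # OBJECT IDENTIFIER 1.3.14.3.2.26 (id-sha1)


def der_tlv(tag, content):
    """Encode one DER tag-length-value triple (definite length, long form when needed)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_integer(value):
    # One extra byte keeps the sign bit clear: DER INTEGER is two's complement
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_ocsp_request(issuer_name_der, issuer_public_key, serial):
    """Build a minimal RFC 6960 OCSPRequest (v1, one CertID, unsigned, no extensions)."""
    alg = der_tlv(0x30, SHA1_OID + b"\x05\x00")  # AlgorithmIdentifier { sha1, NULL }
    cert_id = der_tlv(0x30, alg
                      + der_tlv(0x04, hashlib.sha1(issuer_name_der).digest())    # issuerNameHash
                      + der_tlv(0x04, hashlib.sha1(issuer_public_key).digest())  # issuerKeyHash
                      + der_integer(serial))                                     # serialNumber
    request_list = der_tlv(0x30, der_tlv(0x30, cert_id))  # SEQUENCE OF Request { reqCert }
    return der_tlv(0x30, der_tlv(0x30, request_list))     # OCSPRequest { tbsRequest { requestList } }


def ocsp_get_path(responder_path, request_der):
    """RFC 6960 Appendix A.1: GET {url}/{url-encoding of base64 of DER(OCSPRequest)}."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_path.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, next_pos). ValueError on malformed input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split a constructed DER value into its (tag, content) children."""
    children, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        children.append((tag, inner))
    return children


def decode_ocsp_request(der):
    """Return the CertIDs carried by an OCSPRequest, or raise ValueError if it is not one."""
    tag, tbs_wrapper, end = der_read(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not an OCSPRequest SEQUENCE")
    tbs = der_children(tbs_wrapper)
    if not tbs or tbs[0][0] != 0x30:
        raise ValueError("missing TBSRequest")
    # requestList is the first untagged SEQUENCE in TBSRequest (version/requestorName are [0]/[1])
    request_list = next((c for t, c in der_children(tbs[0][1]) if t == 0x30), None)
    if request_list is None:
        raise ValueError("missing requestList")
    cert_ids = []
    for tag, req in der_children(request_list):
        if tag != 0x30:
            raise ValueError("bad Request")
        (t_id, cert_id), *_ = der_children(req)          # reqCert comes first
        (_, _alg), (t_n, name_hash), (t_k, key_hash), (t_s, serial) = der_children(cert_id)[:4]
        if t_id != 0x30 or (t_n, t_k, t_s) != (0x04, 0x04, 0x02):
            raise ValueError("bad CertID")
        cert_ids.append({"issuer_name_hash": name_hash.hex(),
                         "issuer_key_hash": key_hash.hex(),
                         "serial": int.from_bytes(serial, "big", signed=True)})
    if not cert_ids:
        raise ValueError("empty requestList")
    return cert_ids


def classify_ocsp_probe(method, path):
    """Label a honeypot request the way a triage script might: does the OCSP path carry a request?"""
    if method == "CONNECT":
        return "proxy-probe"
    if method == "GET" and "ocsp" in path.lower():
        # The responder URL may itself contain a path, so try every '/' as the split point
        for i in (j for j, ch in enumerate(path) if ch == "/"):
            try:
                der = base64.b64decode(urllib.parse.unquote(path[i + 1:]), validate=True)
                decode_ocsp_request(der)
                return "ocsp-get-with-request"
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
        return "ocsp-path-without-request"  # the bare /ocsp.srf probes land here
    return "other"


# Constructed log lines modelled on the diary's observations (not captured data)
SAMPLE_LOG = [
    "GET /itcom2020/ocsp.srf HTTP/1.1",
    "GET /ocsp/ocsp.srf HTTP/1.1",
    "CONNECT example.invalid:443 HTTP/1.1",
]


def demo():
    # Constructed issuer name/key bytes and serial; real values come from the issuer certificate
    legit = ocsp_get_path("/ocsp", build_ocsp_request(b"constructed-issuer-name-der",
                                                      b"constructed-issuer-public-key",
                                                      0x0123456789ABCDEF))
    lines = SAMPLE_LOG + ["GET " + legit + " HTTP/1.1"]
    return {line: classify_ocsp_probe(*line.split(" ", 2)[:2]) for line in lines}


if __name__ == "__main__":
    for line, label in demo().items():
        print(f"{label:28s} {line[:90]}")
```

The point of the classifier is the last branch: a client that really wanted a revocation status would either POST a DER body or append a base64 OCSPRequest to the path, so a bare GET to `/ocsp.srf` with no payload is a probe for the endpoint itself, not a certificate status check.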

Initially, I figured that they may be searching for private CAs. But the requests are sent repeatedly to particular IP addresses, and the "fasthttp" user-agent points to a client written in Go.

Any ideas about what may be happening here?

Johannes B. Ullrich, Ph.D., Dean of Research

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022


ISC Handler
May 16th 2022
