# Udacity Data Engineering Capstone: Honeypot Data Warehouse

By: Tyler Byers  
Date: 2019-11-19  
tybyers at gmail dot com

## About

This project writeup is submitted to fulfill requirements for the Udacity Data Engineering Capstone project. In this project, I used data sets from three different sources, totaling about 1.25 million rows of data, to create a Data Warehouse on Amazon Redshift. This data pulls together data from a data set compiling log data from a few different [honeypots] (JSON), [AlienVault](https://www.alienvault.com/) reputation data (#-delimited), and IP geolocation data from [freegeoip.app](https://freegeoip.app/) (API/CSV). 

If we were to imagine this Data Warehouse had a business implication, we could easily imagine a company with good cybersecurity practices setting up number of honeypots to try to determine what hackers may be attempting to do to their own web applications (see [this blog](https://us.norton.com/internetsecurity-iot-what-is-a-honeypot.html) for a good description of honeypots). So the company puts out the honeypots and collects data about what sorts of attacks hackers are using against these fake network computers. Then the company wants to see 1) where those attacks are coming from, and 2) are the attackers known malicious entities? In this way, they can do a better job setting up IP block lists for the real web apps, as well as trying to determine what sorts of vulnerabilities they may need to patch for their "crown jewels," which would be the *real* targets for the hackers.

The end-users for this data warehouse are the cybersecurity analysts working for the company, probably only one or two individuals at this point. They might set up dashboards to query the data warehouse every day, or maybe every hour, to see how attacks are materializing. The end-users of those dashboards, however, would be more multitudinous -- perhaps in the tens, including higher level managers. They'd look for trends in where the attacks are originating from, and the ratio of known malicious attackers to new attackers. With the current data model and data set, with the honeypots only distributed over about 4 or 5 different fake network assets, the analytic lift would be small. Later in this writeup, we talk about the "scaling up" situation.

## Data Sets

We used the following data to construct the data model. In total, we upload approximately 1.25 million rows of data to S3. The original format for that data is JSON, #-delimited, and CSV (obtained via API). After transforming the data (discussed more in the "Process" section), we upload the data in CSV format to S3 (CSV from S3 makes for much faster load times than JSON). 

* Honeypot data: https://www.secrepo.com/honeypot/honeypot.json.zip   
    * Format (after unzipping): JSON  
    * Record count: **994,692**  
    * This data was mostly collected in 2014 and 2015. Mike Sconzo [@sooshie](https://github.com/sooshie) made the data available via his www.secrepo.com site, and also provided an [iPython notebook](https://www.secrepo.com/honeypot/BSidesDFW%20-%202014.ipynb) with information about how to parse the data from JSON.   
* Free Geo IP app: https://freegeoip.app/ 
    * Format: API/CSV  
    * Record count: **185,936**  
    * How obtained: I created a list of unique "attacker IP" addresses from the Honeypot data, and then used functions I wrote in the `geolocate_ips.py` file to query the API and save off the results. Note: I collected the IP geolocations in November 2019, which is 4-5 years after the honeypot data was collected, so the IP geolocations may have undergone some "drift" in that time.    
* AlienVault Reputation Database: https://reputation.alienvault.com/reputation.data
    * Format: #-delimited file
    * Record count: **74,892**  
    * This file is updated hourly. I downloaded the file on 2019-11-10 at approximately 11:00 am. Because this reputation database is from the current time, and not from the 2014-2015 timeframe that the honeypots were in service, there may be many "bad" actors from 2014-2015 that are no longer in service and no longer represented in the reputation data. However, we were happy to see a relatively large number of "hits" that are still active

## Data Model

For this data, we opted to create a Data Warehouse on AWS Redshift. We felt that this data is highly structured, and creating a data warehouse was the best model to allow for quick, accurate querying of the data. 

A schema of the database model is shown below. We have three "staging" tables for loading data from S3 into Redshift. We have 6 dimension tables: `dionaea_events`, `glastopf_events`, `snort_events`, `amun_events`, `ipgeo`, and `reputation`. Our fact table is `attacks`.  

<img src="./data/honeypot_db_schema.png">

We choose this schema based on the following use-case: we believe analysts would be most interested in knowing basic information about the attacks on their honeypots. In particular, they want to know *when*, *which honeypot*, *who* attacked, *where* they were from, and the *attacker risk*. So we chose information to handle those questions in the `attacks` fact table.

If the data warehouse users wish to know more detailed information *about* the attacks, such as the actual request, or the transport protocol, they can query any of the `*_events` tables to get more detailed information. Each of these tables represents a type of honeypot that was set up -- there are all sorts of packages that can help with this, and they each have different capabilities and data collection abilities. 

If an analyst wishes to know more information about the geolocation of an IP address, or the reputation for that IP, they can look up more detailed information in the `ipgeo` and `reputation` tables, respectively.

Of note -- both `ipgeo` and `reputation` provide geolocations for the IP addresses. In some cases, these geolocations may not match (IP geolocation is not an exact science). So, for the fact table, we chose to only list the attacker's location as from the `ipgeo` data. This is because not all IPs have a reputation in the `reputation` data, so we decided to keep consistency with the source of the geolocation data and only use the `ipgeo` data, across all rows in the `attacks` table. 

## Process to Build Data Warehouse

I roughly took the following steps to complete this project:

### Data Acquisition, Pre-Processing

First I had to do a fair amount of data acquisition and pre-processing steps:

* Downloaded honeypot data from SecRepo ([zip link](https://www.secrepo.com/honeypot/honeypot.json.zip)). Used Mike Sconzo's [iPython notebook](https://www.secrepo.com/honeypot/BSidesDFW%20-%202014.ipynb) to understand the formatting and parsing of the data.  
* Developed module `parse_data.honeypot_json_to_df` to parse the Honeypot data into a Data Frame. 
  * Saved off: list of unique IP addresses (`data/honeypot_all_attackerips.csv`). 
  * Saved off: CSV of Honeypot data (not included in this repo due to large size).   
* Developed module (in `geolocate_ips.py`) to take above list of unique IP addresses and geolocate them using the freegeoip.app API. Due to rate limits, this process took around 20 hours of download time for 185k unique IP addresses.  
* Developed module `parse_data.ip_geo_to_df` to mildly clean up raw IP geo data and save to CSV `data/ip_geos.csv`.  
* Downloaded AlienVault reputation data from: https://reputation.alienvault.com/reputation.data  
* Developed module `parse_data.reputation_raw_to_df` to convert #-delimited reputation data to CSV (with column names). Saved CSV as `data/reputation.csv`.  

### Data Warehouse

Then, I completed the following:  

* Uploaded 3 CSV files to S3 bucket `s3://honeypot-dend/`. 
* Develop module to programmatically set up Redshift cluster: `redshift.py`. 
* Developed database schema using [draw.io](https://www.draw.io/) (final image in Data Model section above). 
* Translate database schema to SQL queries `sql_queries/honeypot_sql.py`.  
* Develop module to run the table creation/copying/insertion steps: `honeypot_redshift.py`. This class extends the `redshift` class I developed, which is useful.  
* Develop scripts to make cluster creation/deletion and data warehouse setup/etl easy from command line. These scripts are in: `cluster_setup.py`, `cluster_delete.py`, `create_tables.py`, and `etl.py`, respectively.  
* Develop data quality checks: `data_checks.py` and `sql_queries/data_quality_checks.py`.  
* Document all the things!


## Hypotheticals for Scaling

This section attempts to answer the following questions..."what would we change if...":
* The data was increased by 100x.
* The pipelines would be run on a daily basis by 7 am every day.
* The database needed to be accessed by 100+ people.

The most difficult part about scaling this project to a much larger scope would be the acquisition of data, I believe.

To increase the data by 100x, we would have to significantly change the collection network of honeypots and put several hundred honeypots on the network (this is doable, just expensive). Then, to handle that data, we would need a much more robust pre-processing system rather than just "my laptop!" There are a couple ways we could approach this, from putting pre-processing capabilities on the honeypot assets themselves, or perhaps setting up a spark system to do this in a massively parallel way on a central cloud service. Then we'd also have to increase the geolocation capabilities. Since we are only allowed 15,000 API calls per hour, we'd have to move from a free service to a paid service with higher bandwidth. However, we probably have a *lot* of repeat users, so we'd set up a system to check our current `ipgeo` table for geolocations we've already done, and then not repeat those.  We would also have to change the Data Warehouse process itself -- it would not be feasible to delete all the tables every time; we could, however, delete the honeypot staging table each time we do a new data load. The problem would be that the ipgeo and reputation data tables would need to be well-populated with all the current data so that the table joins work. 

We would still use the same sort of cluster on Redshift, however, even with 100x the data. We would certainly have to scale-up the machine to be larger and faster. But if we're scaling data up by 100x, we probably have the money to do so!

As for accessing the pipelines by 7am every day, this is where a real data pipeline would need to be in place. Perhaps what we could do is offload "new" honeypot data collection every day at 4am in a batch process. Upload all that data to the honeypot staging table. Then get a list of all the unique IP addresses, and compare those to our already known `ipgeo` data, and see which IP addresses we don't yet have but need to query. Send those IP addresses to our IP geolocator, and upload the new IP geolocation data to the ipgeo staging table. Then, the most straightforward thing to do would be to re-query the AlienVault reputation feed, and upload that to the staging table. The scheduling of these data pulls, pre-processing steps, and uploads could be scheduled via Airflow. We would just need to understand how long each of the steps take so we would know what time to kick off the process every day. 

As for the hypothetical about 100+ people accessing the data every day, the main use case I can see for this is if we started to deploy honeypots-as-a-service, and base a company around this capability. Then we sell access to the honeypot data to all these other companies. This would be similar to the problem of increasing our data 100x. The same difficulties are there -- they main thing we would have to think about is *where* people are querying our data from. Perhaps we need separate, but similar, data warehouses in different regions of the world. Perhaps we keep it all central but just massively scale up the machine. We'd also need to make sure we pay for guaranteed uptime -- our business would go south very quickly if our database was DDoS'd, intentionally or unintentionally! So we'd need a very large, capable cluster, perhaps geographically distributed, with 99.9999% uptime, and the data pipeline pieces (Airflow) in place to assure that customers are getting their data in as timely a manner as possible.

## Demo: How to Setup, Run

We have developed three scripts to make initial cluster creation, data warehouse initialization, and table population very easy. Below is that process and the example output. This process assumes that the data has already been downloaded, pre-processed (using scripts in the `parse_data.py` file), and uploaded to S3.

For finer-grained control over any of these steps, the user may use the modules we developed in the `redshift.py` and `honeypot_redshift.py` files within a Jupyter notebook or Python session. We do not discuss those steps here; however, the modules are well enough documented that they should be easy to use after running `from redshift import redshift` or `from honeypot_redshift import honeypot_redshift`.

In [3]:
# create redshift cluster
run cluster_setup

Creating a new IAM Role
An error occurred (EntityAlreadyExists) when calling the CreateRole operation: Role with name honeypotRole already exists.
Attaching IAM policy
Creating cluster. Will check every 30 seconds for completed creation.
Sleeping 30 seconds.
Cluster is still building. Please check back.
Sleeping 30 seconds.
Cluster is still building. Please check back.
Sleeping 30 seconds.
Cluster is still building. Please check back.
Sleeping 30 seconds.
Cluster is still building. Please check back.
Sleeping 30 seconds.
Cluster is still building. Please check back.
Sleeping 30 seconds.
Cluster is available. Cluster information: 
{'ClusterIdentifier': 'honeypotcluster', 'NodeType': 'dc2.large', 'ClusterStatus': 'available', 'MasterUsername': 'honeypotuser', 'DBName': 'honeypot', 'Endpoint': {'Address': 'honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com', 'Port': 5439}, 'VpcId': 'vpc-7cbe4719', 'NumberOfNodes': 4}


In [4]:
# drop tables (if any) and build new tables
run create_tables

Connecting to Database.
Deleting all tables.
Dropping table: staging_honeypot
Dropping table: staging_ipgeo
Dropping table: staging_reputation
Dropping table: glastopf_events
Dropping table: amun_events
Dropping table: dionaea_events
Dropping table: snort_events
Dropping table: ipgeo
Dropping table: reputation
Dropping table: attacks
Creating new tables.
Creating table: staging_honeypot
Creating table: staging_ipgeo
Creating table: staging_reputation
Creating table: glastopf_events
Creating table: amun_events
Creating table: dionaea_events
Creating table: snort_events
Creating table: ipgeo
Creating table: reputation
Creating table: attacks


In [5]:
# run ETL to get data from S3 into data warehouse
run etl

Connecting to Database.
Copying into staging tables.
Copying into table: staging_honeypot
Copying into table: staging_ipgeo
Copying into table: staging_reputation
Inserting into dim and fact tables.
Inserting into table: glastopf_events
Inserting into table: amun_events
Inserting into table: dionaea_events
Inserting into table: snort_events
Inserting into table: ipgeo
Inserting into table: reputation
Inserting into table: attacks
Testing Tables are Populated
Testing reputation information successfully joined to fact table. 
Testing not all the rows will have reputation information.


Then clean up with (not run here):

In [6]:
#run cluster_delete

## Examples, Data Table Stats

This section shows examples of the data warehouse's tables and some basic statistics and summaries. The final section lists some queries that could be useful to the end analyst. 

In [7]:
# connect to database
%load_ext sql
hprs = honeypot_redshift('aws.cfg')
hprs.db_connect()
con_str = hprs.test_cluster_connection()
%sql $con_str

'Connected: honeypotuser@honeypot'

### Lines in tables

How many lines are in each table?

In [9]:
from sql_queries import data_quality_checks
all_tables = data_quality_checks.all_tables
all_tables

['staging_honeypot',
 'staging_ipgeo',
 'staging_reputation',
 'glastopf_events',
 'amun_events',
 'dionaea_events',
 'snort_events',
 'ipgeo',
 'reputation',
 'attacks']

In [11]:
%sql SELECT COUNT(*) FROM staging_honeypot;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


count
994142


In [12]:
%sql SELECT COUNT(*) FROM staging_ipgeo;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


count
185935


In [13]:
%sql SELECT COUNT(*) FROM staging_reputation;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


count
74892


In [14]:
%sql SELECT COUNT(*) from glastopf_events;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


count
7199


In [15]:
%sql SELECT COUNT(*) FROM amun_events;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


count
371317


In [16]:
%sql SELECT COUNT(*) FROM dionaea_events;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


count
575180


In [17]:
%sql SELECT COUNT(*) FROM snort_events;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


count
40446


In [18]:
%sql SELECT COUNT(*) FROM ipgeo;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


count
184936


In [19]:
%sql SELECT COUNT(*) FROM reputation;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


count
74892


In [20]:
%sql SELECT COUNT(*) FROM attacks;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


count
993990


### Peek at a Few Tables

What do a few tables look like?

In [22]:
%sql SELECT * FROM staging_honeypot LIMIT 5;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
5 rows affected.


id,ident,normalized,timestamp,channel,pattern,filename,request_raw,request_url,attackerip,attackerport,victimport,victimip,connectiontype,connectionprotocol,priority,header,signature,sensor,connectiontransport,remotehostname
5426457a9f8c6d41306aea5d,a16f5f36-3c41-11e4-9ee4-0a0b6e7c3e9e,True,2014-09-27 05:04:58.248000,glastopf.events,unknown,,"GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Connection: keep-alive Dnt: 1 Host: ec2-54-68-96-53.us-west-2.compute.amazonaws.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36",/favicon.ico,162.197.24.67,60871,80,0,,,,,,,,
542646499f8c6d41306aea6b,a16f5f36-3c41-11e4-9ee4-0a0b6e7c3e9e,True,2014-09-27 05:08:25.391000,glastopf.events,unknown,,"GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Connection: keep-alive Host: ec2-54-68-96-53.us-west-2.compute.amazonaws.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.122 Safari/537.36",/favicon.ico,173.174.71.56,62920,80,0,,,,,,,,
542718549f8c6d41306aea7d,a16f5f36-3c41-11e4-9ee4-0a0b6e7c3e9e,True,2014-09-27 20:04:36.687000,glastopf.events,unknown,,"GET //phpMyAdmin/scripts/setup.php HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: Close Host: 54.68.96.53",//phpMyAdmin/scripts/setup.php,198.12.87.152,34361,80,0,,,,,,,,
542739099f8c6d41306aea8d,7f3527b2-468b-11e4-9ee4-0a0b6e7c3e9e,True,2014-09-27 22:24:09.735000,glastopf.events,unknown,,GET /tmUnblock.cgi HTTP/1.1,/tmUnblock.cgi,65.31.172.245,57782,80,0,,,,,,,,
542797189f8c6d41306aea9d,eb030eb8-3c69-11e4-9ee4-0a0b6e7c3e9e,True,2014-09-28 05:05:28.994000,amun.events,,,,,71.6.167.142,44621,80,172.31.13.124,initial,,,,,,,


In [23]:
%sql SELECT * FROM reputation limit 5;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
5 rows affected.


id,ip4,reliability,risk,type,country,locale,latitude,longitude
26,184.105.139.109,4,2,Malicious Host,US,Fremont,37.5155,-121.896
90,139.162.98.244,4,2,Malicious Host,JP,Tokyo,35.685,139.751
154,37.110.43.255,4,3,Malicious Host,RU,Moscow,55.7522,37.6156
218,24.42.51.248,4,3,Malicious Host,PR,Toa Baja,18.4325,-66.2129
282,5.228.142.129,4,3,Malicious Host,RU,Moscow,55.7522,37.6156


In [25]:
%sql SELECT * FROM ipgeo LIMIT 5;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
5 rows affected.


id,ip4,country_code,country_name,region_code,region_name,city,zip_code,time_zone,latitude,longitude,metro_code
26,60.5.107.204,CN,China,,,,,Asia/Shanghai,34.7725,113.727,0
90,91.197.234.45,IE,Ireland,,,,,Europe/Dublin,53.3472,-6.2439,0
154,61.240.144.65,CN,China,,,,,Asia/Shanghai,34.7725,113.727,0
218,80.14.72.124,FR,France,BRE,Brittany,Plouguerneau,29880.0,Europe/Paris,48.6,-4.5,0
282,130.211.133.165,US,United States,CA,California,Mountain View,94043.0,America/Los_Angeles,37.4043,-122.075,807


In [27]:
%sql SELECT * FROM attacks LIMIT 5;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
5 rows affected.


id,timestamp,ident,channel,attacker_ip,attacker_port,victim_ip,victim_port,attacker_city,attacker_region,attacker_country,attacker_timezone,attacker_latitude,attacker_longitude,attacker_type,attacker_risk,attacker_reliability
0,2014-09-27 05:04:46.363000,a16f5f36-3c41-11e4-9ee4-0a0b6e7c3e9e,glastopf.events,162.197.24.67,60871,162.197.24.67,80,Pflugerville,Texas,United States,America/Chicago,30.4421,-97.6339,,,
64,2014-09-28 11:35:37.512000,eb030eb8-3c69-11e4-9ee4-0a0b6e7c3e9e,amun.events,124.156.4.208,41389,124.156.4.208,8080,,,India,Asia/Kolkata,20.0,77.0,,,
128,2014-09-28 18:06:34.923000,eb030eb8-3c69-11e4-9ee4-0a0b6e7c3e9e,amun.events,61.163.217.30,4045,61.163.217.30,3389,,Henan,China,Asia/Shanghai,34.6836,113.533,,,
192,2014-09-28 23:19:45.155000,7f3527b2-468b-11e4-9ee4-0a0b6e7c3e9e,glastopf.events,93.174.93.51,57289,93.174.93.51,80,Amsterdam,North Holland,Netherlands,Europe/Amsterdam,52.3719,4.8829,,,
256,2014-09-29 04:34:09.548000,5bf781dc-4726-11e4-9ee4-0a0b6e7c3e9e,amun.events,222.186.3.22,1891,222.186.3.22,8080,,Jiangsu,China,Asia/Shanghai,32.0617,118.778,,,


### Attacks -- Possible Queries

Here are a few possible queries that an analyst might make to the Data Warehouse:

In [28]:
# what are the date ranges of the attacks?
%sql SELECT min(timestamp), max(timestamp) from attacks;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


min,max
2014-09-27 05:04:46.363000,2017-02-28 04:09:06.890000


In [30]:
# What are the top 10 attacker IPs and their locations?
%sql SELECT attacker_ip, attacker_city, attacker_region, attacker_country, count(*) FROM attacks\
GROUP BY attacker_ip, attacker_city, attacker_region, attacker_country\
ORDER BY count DESC\
LIMIT 10;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
10 rows affected.


attacker_ip,attacker_city,attacker_region,attacker_country,count
163.172.67.30,,,France,72036
162.254.205.73,Scottsdale,Arizona,United States,50571
61.153.106.24,Hangzhou,Zhejiang,China,50212
185.40.4.65,,,Russia,30318
0.0.0.0,,,,29418
5.152.222.194,,,United Kingdom,13587
66.191.136.146,Rochester,Minnesota,United States,12156
71.190.176.162,Brooklyn,New York,United States,9518
5.152.216.226,,,United Kingdom,8289
85.25.207.170,,North Rhine-Westphalia,Germany,7636


In [32]:
# how many attacks have known reputations?
%sql SELECT count(*) FROM attacks WHERE attacker_risk IS NOT NULL;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
1 rows affected.


count
10546


In [35]:
# of those with known risk, where are they located?
%sql SELECT attacker_ip, attacker_city, attacker_region, attacker_country, attacker_type, attacker_risk, count(*) FROM attacks\
WHERE attacker_risk IS NOT NULL\
GROUP BY attacker_ip, attacker_city, attacker_region, attacker_country, attacker_type, attacker_risk\
ORDER BY count DESC\
LIMIT 10;

 * postgresql://honeypotuser:***@honeypotcluster.cd5n9t7oif0x.us-west-2.redshift.amazonaws.com:5439/honeypot
10 rows affected.


attacker_ip,attacker_city,attacker_region,attacker_country,attacker_type,attacker_risk,count
71.6.135.131,San Diego,California,United States,Malicious Host,2,1004
71.6.165.200,Henderson,Nevada,United States,Malicious Host,2,896
71.6.167.142,Henderson,Nevada,United States,Malicious Host,3,873
66.240.236.119,Henderson,Nevada,United States,Malicious Host,2,639
198.20.70.114,Chicago,Illinois,United States,Malicious Host,2,521
71.6.158.166,Henderson,Nevada,United States,Malicious Host,3,316
188.138.41.213,,North Rhine-Westphalia,Germany,Malicious Host,2,305
71.6.146.185,Henderson,Nevada,United States,Malicious Host,2,231
93.174.93.218,Amsterdam,North Holland,Netherlands,Malicious Host,2,223
80.82.64.116,,,Netherlands,Malicious Host,2,214


So, of the known malicious hosts, by far most of them are located in the USA, with three of the top 10 in Europe. However, France, China, and Russia show up a lot in the previous query (no known reputation), so this may warrant further inspection. 