Image 1 showing the country wise distribution of attacks across the honeypot sites.
Also shown in the figure is the split up of the countries who used the top 5 passwords observed in their attacks
While analyzing the common IPs across servers we find that about 6% of the all the IPs logged attacked all three servers. Also a whois lookup of the common attacking IPs show that almost 50% of them were registered under APNIC from HongKong and belonged to a common block namely
CDF of the IP addresses that attacked the various services. We found that 90% of the IP addresses logged were involved in doing 200 (0.33%) or less attacks. But only about 5% of the IP addresses did 10,000 or more attacks. To be precise 90% of the IPs did about 200 attacks while the only 1% of the IPs did 30,000 or more attacks.