Wargames-style map shows ongoing internet attacks


#1

[Read the post]


#2

That is a bizarre map projection to use.


#3

Based on honeypots. Shows grossly incomplete tactical situation. But nice as a wall display decoration.

Also, open the site in a tab and go to another tab. Leave it for a while. Switch back. The animation that did not run during the backgrounded period will show all the queued attacks at once, in a beautiful salvo.


#4

I would rather play some chess.


#5

Are the honeypots reporting real time data somewhere that the map aggregates? And if so, why would they do that? Wouldn’t it defeat the purpose of the honeypot?


#6

As nice as chess is, it doesn’t pack the punch of a global thermonuclear war.

They call them honeypots. These come in many flavors, as the word is a bit rubbery. Some are designed to look as close to vulnerable machines as possible. These are apparently more like nodes that listen on ports and relay connection attempts to the mapping interface. Good for detecting “horizontal” portscans. (Horizontal is one or few ports across many IPs, vertical is many ports across one IP.)

The map operator should add descriptions to at least the most commonly occurring ports. 137 is Windows-something, 8118 is Privoxy proxy.
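Added example, not from any poster or from the map’s operator: a small classifier that applies the horizontal/vertical distinction above to sensor-relayed connection attempts. The sample records and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of sensor-relayed connection attempts as
# (src_ip, dst_ip, dst_port) tuples; not real honeypot data.
EVENTS = [
    ("198.51.100.7", "203.0.113.1", 23), ("198.51.100.7", "203.0.113.2", 23),
    ("198.51.100.7", "203.0.113.3", 23), ("198.51.100.7", "203.0.113.4", 23),
    ("198.51.100.7", "203.0.113.5", 23),   # one port, many IPs
    ("192.0.2.9", "203.0.113.8", 21), ("192.0.2.9", "203.0.113.8", 22),
    ("192.0.2.9", "203.0.113.8", 80), ("192.0.2.9", "203.0.113.8", 443),
    ("192.0.2.9", "203.0.113.8", 8080),    # many ports, one IP
    ("192.0.2.50", "203.0.113.9", 80),     # a single ordinary connection
]

def classify_scans(events, min_targets=5, max_ports_horizontal=2):
    """Return {src_ip: label}; label is 'horizontal', 'vertical', 'mixed' or 'none'.

    Thresholds are assumed values: a source needs at least min_targets
    attempts before it is considered a scanner at all.
    """
    per_src = defaultdict(lambda: {"ips": set(), "ports": set(), "n": 0})
    for src, dst, port in events:
        s = per_src[src]
        s["ips"].add(dst)
        s["ports"].add(port)
        s["n"] += 1
    result = {}
    for src, s in per_src.items():
        if s["n"] < min_targets:
            result[src] = "none"
        elif len(s["ips"]) >= min_targets and len(s["ports"]) <= max_ports_horizontal:
            result[src] = "horizontal"   # few ports fanned across many hosts
        elif len(s["ports"]) >= min_targets and len(s["ips"]) == 1:
            result[src] = "vertical"     # many ports on a single host
        else:
            result[src] = "mixed"
    return result

if __name__ == "__main__":
    for src, label in classify_scans(EVENTS).items():
        print(src, label)
```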


#7

So all the “targets” are controlled by the mapmakers?


#8

Yes.

Kind of like a sensor array. The targets/sensors are spread over the globe, detect scans, and relay the results.

If you stare at it for long enough, you’ll see occasional salvos of probes at a single port, often followed by a salvo at another port from the same source. Usually from China. A couple of minutes ago I saw such a large telnet probe from China to the US, followed by a VNC one.


#9

Thanks for the explanation. That’s something I’ve wondered about every time I see one of these sorts of maps.


#10

You can get the same (and way WAY better) info by passive listening on the internet backbone. I would guess that NSA has a wall map of realtime attacks sourced that way - it’s cool, it’s useful (after you filter out the chaff that’d clog the tactical screen), and they have the resources.

…And I’d do it if I could, and quite many things from my I’d-do-it set appeared in the Snowden leaks.


#11

It’s fascinating to watch, but I’m really curious as to the international political movements behind these attacks (which is only a percentage, to be sure, but likely a large one, I would think). For instance, the UAE getting hammered? Related to the Saudis’ military adventuring? Hitting the US Navy base there? Also, Kirksville, MO? What the hell is there to be attacked?


#12

The whole IP range? Most of the attacks are worms, trying to spread their botnet payload. Every machine is valuable.

It’s easy to overanalyze things and be paranoid in the wrong way. (You cannot be too paranoid in this game.)

The politics, in the wild mix of state and non-state actors and politics-agnostic botnets, distills down to everybody-against-everybody.


#13

There is a properties frame left in the gif that probably wasn’t meant to be left in.


#14

The UAE is the pursestrings (and major political motivator for most of our involvement in the middle east) for the entire developed world - I can think of a dozen reasons folks might be targeting them.

Edit: Wait, I’m thinking of Saudi Arabia, aren’t I?


Look at China go! Interesting to see them so high on the attackers list, but apparently not a high priority target themselves.


#15

I’d argue the Sauds have, by a wide margin, far more ‘weight’ in the international politics realm than the UAE; it just seemed weird that the UAE would be in the top ten places being attacked.


#16

They may be in the top ten places by number of sensor nodes installed.


#17

Their blog doesn’t offer a great deal of context, but here’s some analysis of their own data.


#18

Never underestimate the power of the blinkey lights. For good or evil.

I have trained a couple dozen people in networking. It used to take weeks to teach a clear understanding of network behavior. I would talk principles, then have the new guy use tcpdump and Wireshark. Then a few days learning principles and practice of switching. After that, we would move into NetFlow and sFlow. Then they were ready to learn IDS principles and start playing with Snort. At every step, it takes days before it clicks together. The first few steps are so foreign that some take weeks to get past them.

Lately, we use our organic network visualization tool and the first few steps take half as long. There is something about being able to tie the log entries to actual visual events that really helps people.

Similarly, I can babble at people for hours about the dangers of government sponsored hacking and get nothing but yawns. But a few minutes with our various institutional network displays:

and, they become believers. Lately, we have added the Norse display to the mix. It is like dynamiting fish. Takes all the sport out of it. I imagine this is similar to how the NSA has been manipulating its oversight committees to get free rein.


#19

Interesting videos, especially the darknet one.

The organic visualiser is rather weak, though.

Idea for a visualisation tool: monitoring ARP broadcasts. That’s the advertising of what machine wants to talk with what other machine. An attempt to scan a network for IP addresses will show as a fan of ARP requests from one IP to many others (who-has x.x.x.x tell y.y.y.y). Requests to nonexistent/disconnected/off machines should be detectable as repeated ones (or indicate severe packet loss).

Works for awareness of what’s happening at the individual network segments.

Could be used with the IPVisualizer dot array; just add lines that fade out.
Possibly add a 3d interface where the lines scroll away along the z-axis, to show past patterns, and allow filtering by activity (e.g. “ignore all communication with gateway, ignore all where fewer than 2 machines are contacted at any given minute”, etc…).
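Added example, not from any poster or tool in this thread: the two ARP heuristics above (a fan of who-has requests from one sender within a minute, and repeated requests that never get an is-at reply) run over constructed tcpdump-style ARP lines. The line format, addresses and thresholds are assumptions for the sake of the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP lines (not a real capture): one host fanning
# requests out to many addresses, and one ordinary request that gets answered.
SAMPLE = """\
10:00:01.100 ARP, Request who-has 10.0.0.1 tell 10.0.0.200, length 28
10:00:01.101 ARP, Reply 10.0.0.1 is-at 02:00:00:00:00:01, length 28
10:00:02.000 ARP, Request who-has 10.0.0.10 tell 10.0.0.77, length 28
10:00:02.010 ARP, Request who-has 10.0.0.11 tell 10.0.0.77, length 28
10:00:02.020 ARP, Request who-has 10.0.0.12 tell 10.0.0.77, length 28
10:00:02.030 ARP, Request who-has 10.0.0.13 tell 10.0.0.77, length 28
10:00:03.000 ARP, Request who-has 10.0.0.12 tell 10.0.0.77, length 28
10:00:04.000 ARP, Request who-has 10.0.0.12 tell 10.0.0.77, length 28
"""

REQ = re.compile(r"^(\d+):(\d+):([\d.]+) ARP, Request who-has (\S+) tell (\S+),")
REP = re.compile(r"^(\d+):(\d+):([\d.]+) ARP, Reply (\S+) is-at")

def parse_arp(text):
    """Return (minute_bucket, kind, target_ip, sender_ip) tuples; kind is 'req' or 'rep'."""
    out = []
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            out.append((int(m[1]) * 60 + int(m[2]), "req", m[4], m[5]))
            continue
        m = REP.match(line)
        if m:
            out.append((int(m[1]) * 60 + int(m[2]), "rep", m[4], None))
    return out

def find_fans(events, min_targets=4):
    """Senders that asked who-has for >= min_targets distinct IPs in one minute bucket."""
    per = defaultdict(set)
    for minute, kind, target, sender in events:
        if kind == "req":
            per[(minute, sender)].add(target)
    return {k: len(v) for k, v in per.items() if len(v) >= min_targets}

def find_unanswered(events, min_repeats=3):
    """(sender, target) pairs asked >= min_repeats times with no is-at reply for target."""
    asked, answered = defaultdict(int), set()
    for _, kind, target, sender in events:
        if kind == "req":
            asked[(sender, target)] += 1
        else:
            answered.add(target)
    return {k: n for k, n in asked.items() if n >= min_repeats and k[1] not in answered}
```

The minute bucket is what a filter like “ignore all where fewer than 2 machines are contacted at any given minute” would key on.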


#20

Hi Shaddack, I remembered that I had a recent picture of our “Wall O Persuasion”. The neat thing is how all the pieces work together. You can point to a moving scan of our space on the IPVisualizer in the upper left, then point to the details of the scan in the darknet monitor in the lower left. Then, use the Organic visualizer to illustrate the resultant activity as it finds an open service. Then find the scan in the Norse monitor (or a similar one from within a close CIDR) to show where the attack is originating. Boggles folks in record time. And, it is great for impressing the Brass.

The problem with ARP visualization is not in the display, it is in gathering the data. You either have to beat up your routers with constant direct polling, or have lots of expensive SPAN/monitor ports, or you have to have an ARPWatch-ish device somehow attached to every routed area. We have found it easier to poll ARP tables on a regular basis and flag when unexpected ARP behavior is detected. It is not pretty, but it catches the occasional ARP spoofer.