Live attacks against the Norse honeypot infrastructure

149 points| dtournemille | 11 years ago |map.ipviking.com

35 comments

[+] eddyg|11 years ago|reply
The Google/Arbor Digital Attack Map[1] provides a similar view based on data from 270+ ISPs around the world. Hovering over an attack shows details, and sliding the timeline indicator to dates in the past lets you view some very large attacks (>400 Gb of attack traffic).

[1] http://www.digitalattackmap.com/

[+] growupkids|11 years ago|reply
The Google map appears to only show DDoS attacks, whereas the Norse map I believe shows attacks attempting or possibly succeeding in compromising their targets (as opposed to just DoSing them). So apples and oranges?
[+] viraptor|11 years ago|reply
Couldn't find much information about that visualisation, so I have to wonder - what kind of traffic do they count? Is it only showing detected known/assumed attacks? Or does it count all connections? (i.e. does it include scans, or not)

If it includes scans - I'm surprised how few there are. (that's about as many as you'd get on 5 randomly created VMs) If it doesn't - I'm surprised how many active attacks there are.

[+] stinos|11 years ago|reply
This. Can somebody please explain what we are looking at? For instance: what is an attack? How do they distinguish between an attack and normal traffic? It lists companies. Are those ISPs? etc.
[+] recycleme|11 years ago|reply
"The Norse live attack map is a visualization of a tiny portion (<1%) of the data processed by the Norse DarkMatter™ platform every day."

http://www.norse-corp.com/

[+] 0xdeadbeefbabe|11 years ago|reply
Could they team up with anyone to get even more data?
[+] dtournemille|11 years ago|reply
Technical accuracy aside, it's a great marketing tool. Nicely done.
[+] ck2|11 years ago|reply
Needs Missile Command sounds.

Of course the internet does not route in "as the crow flies" lines like this is showing. There is routing.

[+] ErikRogneby|11 years ago|reply
But from an attack perspective do you care that much about the routing? I think origin and target are much more intuitive to digest. Presenting information is as much about what you don't show and filter out as what you do show.

I do find myself trying to remember what the missile command sounds were...

[+] rpwverheij|11 years ago|reply
Does anyone know why so relatively many attacks come from the Netherlands? After running this for about 5 minutes it is the number one origin of attack at the moment.
[+] spindritf|11 years ago|reply
I think it's partially because of how well connected the Netherlands are, and partially because of lax Ecatel policies regarding abuse.
[+] Sander_Marechal|11 years ago|reply
My guess is that some of the attacks cannot be traced back to the actual source. The Netherlands is home to the largest internet exchange in the world where the cables of Europe, the US and UK all join. The other top attack sources are also home to major internet exchange points.
[+] th3iedkid|11 years ago|reply
where does it get data from?
[+] oskarth|11 years ago|reply
“We have a very large honeypot, where we have, at any given time, over 5m emulations towards the Internet,” states Stiansen. “Meaning we emulate over 5m users, servers, infrastructures on the Internet. We mimic a bank. We put in place honeypots to mimic Microsoft Exchange servers, Linux systems, ATMs. We try to mimic as much as we can of the infrastructure online to make it look attractive to be attacked.” From an interview with the CTO at Norse http://realbusiness.co.uk/article/27070-ipviking-map-cybercr...
[+] sine_dicendo|11 years ago|reply
"The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors."
[+] ChuckMcM|11 years ago|reply
There is fairly rampant infection of something which uses port 21230 for its activities. I use the port numbers and verify that my iptables aren't passing any of them, which is generally useful. And it is interesting to see the ones being "attacked" (as in people trying to either open them or send data to them via UDP)
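The check described in the comment above, as an added example that is not from the thread: it takes an `iptables-save` style rule dump and reports the verdict the INPUT chain would give a new inbound connection to each port seen on the map. The rule text is a constructed sample, not from any real host, and only common rule forms (`-p`, `--dport`/`--dports`, `--ctstate`, chain policy) are understood.

```python
import re

# Constructed sample of `iptables-save` output (assumption: filter table only).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 21230 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A INPUT\b(?P<body>.*)-j (?P<target>\S+)")

def expand_ports(spec: str) -> set:
    """Expand '22', '80,443' or '6000:6010' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def input_verdict(rules_text: str, proto: str, port: int) -> str:
    """First matching INPUT verdict for a new proto/port connection, else the chain policy."""
    policy = "ACCEPT"  # iptables default when no policy line is present
    for line in rules_text.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        body, target = m.group("body"), m.group("target")
        if "--ctstate" in body and "NEW" not in body:
            continue  # state-only rule; a fresh inbound connection does not match it
        pm = re.search(r"-p (\S+)", body)
        if pm and pm.group(1) not in (proto, "all"):
            continue
        dm = re.search(r"--dports? (\S+)", body)
        if dm and port not in expand_ports(dm.group(1)):
            continue
        return target  # first match wins, as in the kernel's rule walk
    return policy

def exposed_ports(rules_text: str, candidates: list) -> list:
    """Return the (proto, port) pairs from the map that the INPUT chain would ACCEPT."""
    return [(p, n) for p, n in candidates if input_verdict(rules_text, p, n) == "ACCEPT"]
```

Run it against `sudo iptables-save` output and the port list you note from the map; any pair it returns is reachable from the outside and worth a second look.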
[+] coldcode|11 years ago|reply
It looks like a modern version of War Games. But how does it determine the origins and attack targets in real time?
[+] 0xdeadbeefbabe|11 years ago|reply
Could they effectively DoS the IPs on the blacklist[1] and still play good defense?

1. http://www.norse-corp.com/darklist.html

[+] devicenull|11 years ago|reply
Not without causing some significant disruptions. A lot of these are going to be compromised machines in someone's house. If you start launching attacks at a residential connection, you can start to interfere with other users that are near that person. (Since most residential connections are shared, at one point or another)
[+] richardwigley|11 years ago|reply
When I use firefox it says 'too slow? try chrome' - it is much slower on firefox - is firefox that bad or is it just optimized for Chrome?
[+] jpmattia|11 years ago|reply
A list of attacker IPs (from, say, the last 7 days) to block in iptables would be a very popular item.
[+] Donzo|11 years ago|reply
Wow. So many attacks. Running this site is going to DoS my phone.
[+] ErikRogneby|11 years ago|reply
Anyone know why 21320 is such a big target? Spybot S&D?
[+] psykovsky|11 years ago|reply
A quick Google search seems to indicate that 21320 is a port commonly used to set up a proxy after an infection. It's probably the attacker trying to use the honeypot as a proxy after a "successful" infection of the machine.
[+] baq|11 years ago|reply
Is there nothing worth attacking in China, or is it simply that there aren't many honeypots there?
[+] gcb0|11 years ago|reply
It is like watching a War match where everyone's goal is "conquer California, or 24 territories".
[+] rurounijones|11 years ago|reply
Heh, someone in China just tried a mass SSH login to the US, looked like a shotgun blast.
[+] jk215|11 years ago|reply
I have no idea what's going on but it's very exciting looking.