Hacker News
Live attacks against the Norse honeypot infrastructure (ipviking.com)
149 points by dtournemille on Aug 8, 2014 | 35 comments


The Google/Arbor Digital Attack Map[1] provides a similar view based on data from 270+ ISPs around the world. Hovering over an attack shows details, and sliding the timeline indicator to dates in the past lets you view some very large attacks (>400 Gb of attack traffic).

[1] http://www.digitalattackmap.com/


The google map appears to only show DDOS attacks, whereas the Norse map I believe shows attacks attempting or possibly succeeding in compromising their targets (as opposed to just DoSing them). So apples and oranges?


Couldn't find much information about that visualisation, so I have to wonder - what kind of traffic do they count? Is it only showing detected known/assumed attacks? Or does it count all connections? (i.e. does it include scans, or not)

If it includes scans - I'm surprised how few there are. (that's about as many as you'd get on 5 randomly created VMs) If it doesn't - I'm surprised how many active attacks there are.


This. Can somebody please explain what we are looking at? For instance: what is an attack? How do they distinguish between an attack and normal traffic? It lists companies. Are those ISPs? etc.


"The Norse live attack map is a visualization of a tiny portion (<1%) of the data processed by the Norse DarkMatter™ platform every day."

http://www.norse-corp.com/


Could they team up with anyone to get even more data?


That is the amount shown publicly; they have more.


Might not add that much value over statistical sampling.


Technical accuracy aside, it's a great marketing tool. Nicely done.


Needs Missile Command sounds.

Of course the internet does not route in "as the crow flies" lines like this is showing. There is routing.


But from an attack perspective do you care that much about the routing? I think origin and target are much more intuitive to digest. Presenting information is as much about what you don't show and filter out as what you do show.

I do find myself trying to remember what the missile command sounds were...


http://www.youtube.com/watch?v=C0L0dXCL7l8

One of my favorites when it came out. Clip doesn't show the opening though with the sound of the cities being put into place which they should do for the countries being setup.

Oh, here is a MAME version with sounds: http://www.youtube.com/watch?v=we4lY-GEzMk

The real arcade version had this big heavy trackball that was fun to use - thought it would be the future of computer interfaces but we went with mice instead after a decade.


For larger attacks it could make a difference, and even for smaller attacks it could be causing issues at the peering level if interconnects are running close to max bandwidth. I think it'd be interesting to see, esp if certain attacks came from many locations; it'd be cool to look at all the contributors with bigger bandwidth represented as thicker lines.


Does anyone know why relatively many attacks come from the Netherlands? After running this for about 5 minutes it is the number one origin of attacks at the moment.


I think it's partially because of how well connected the Netherlands are, and partially because of lax Ecatel policies regarding abuse.


My guess is that some of the attacks cannot be traced back to the actual source. The Netherlands is home to the largest internet exchange in the world where the cables of Europe, the US and UK all join. The other top attack sources are also home to major internet exchange points.


where does it get data from?


“We have a very large honeypot, where we have, at any given time, over 5m emulations towards the Internet,” states Stiansen. “Meaning we emulate over 5m users, servers, infrastructures on the Internet. We mimic a bank. We put in place honeypots to mimic Microsoft Exchange servers, Linux systems, ATMs. We try to mimic as much as we can of the infrastructure online to make it look attractive to be attacked.” From an interview with the CTO at Norse: http://realbusiness.co.uk/article/27070-ipviking-map-cybercr...


This is ingenious, I wonder how long the ruse lasts and how much time it ties up for the attacker.

If it's effective at tying up sufficient resources (similar times as hacking into what the honeypots are actually mimicking) then this could be deployed as an actual form of ECM against malicious attacks.

The main issue would be you're either protecting no one or everyone. So you either need to get governments behind you, or you need to get ISPs behind you.

If an organization could get an ISP to let them use their unused IPs in their honeypots and sufficiently reduce DDOS against their paying business customers, it would be very lucrative.

With the number of businesses I've heard of getting hit by ransomware, and hit by DDOSes for ransom, I'm sure a lot would willingly opt for a 10% increase in their internet costs to reduce the number of attacks.

It wouldn't take long for word to get out that a certain ISP's IP block is full of honeypots and thus less profitable to hit, and it would be more effective as a deterrent than as an actual tool. It's like having an alarm company sticker on your house window: you're automatically out of the biggest break-in category of the opportunistic thief. Doesn't even matter if you've got an alarm system or not.


"The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors."


There is fairly rampant infection of something which uses port 21230 for its activities. I use the port numbers and verify that my iptables aren't passing any of them, which is generally useful. And it is interesting to see the ones being "attacked" (as in people trying to either open them or send data to them via UDP)


It looks like a modern version of War Games. But how does it determine the origins and attack targets in real time?


GeoIP databases


Could they effectively DoS the IPs on the blacklist[1] and still play good defense?

1. http://www.norse-corp.com/darklist.html


Not without causing some significant disruptions. A lot of these are going to be compromised machines in someone's house. If you start launching attacks at a residential connection, you can start to interfere with other users that are near that person. (Since most residential connections are shared, at one point or another)


When I use firefox it says 'too slow? try chrome' - it is much slower on firefox - is firefox that bad or is it just optimized for Chrome?


I suspect the first... looking at the code it's a "standard" canvas managed via d3js, and the implementation [0] isn't odd

[0] http://map.ipviking.com/ipviking.js


A list of attacker IPs (from, say, the last 7 days) to block in iptables would be a very popular item.
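The thread raises three related practical points: origins are resolved from GeoIP prefix databases, a "last 7 days" attacker list for iptables would be useful, and blanket blocking of residential addresses causes collateral damage. The following Python script is an added example, not code from the thread, from Norse, or from ipviking.com. It parses a few constructed honeypot flow records (timestamp, source IP, destination port, protocol; the IPs are documentation ranges, not real attackers), resolves each source against a constructed longest-prefix-match table standing in for a real GeoIP database, keeps only sources seen at least `min_hits` times inside the window (a simple guard against blocking one-off noise), and renders ipset/iptables commands. The set name `honeypot_attackers`, the record format and the reference time `NOW` are assumptions for the example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample honeypot flow records (not real Norse data):
# "<ISO-8601 UTC timestamp> <source IP> <destination port> <protocol>"
SAMPLE_FLOWS = """\
2014-08-07T10:15:02Z 203.0.113.7 22 tcp
2014-08-07T10:15:09Z 203.0.113.7 22 tcp
2014-08-07T11:02:44Z 198.51.100.23 21320 udp
2014-08-08T01:30:00Z 203.0.113.7 22 tcp
2014-08-08T02:11:17Z 192.0.2.55 3389 tcp
2014-08-08T03:00:00Z 10.0.0.5 22 tcp
2014-07-20T09:00:00Z 198.51.100.99 22 tcp
2014-08-08T04:45:12Z 198.51.100.23 21320 udp
2014-08-08T04:45:13Z 198.51.100.23 21320 udp
"""

# Assumed "current time" for the 7-day window (constructed for the example).
NOW = datetime(2014, 8, 8, 12, 0, tzinfo=timezone.utc)

# Constructed stand-in for a GeoIP prefix database; the country codes here
# are hypothetical and chosen only to show longest-prefix matching.
GEO_PREFIXES = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "NL"),
    (ipaddress.ip_network("198.51.100.128/25"), "US"),  # more specific than the /24
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Addresses that can never be a remote attacker and must never reach a blocklist.
# (Python's is_global would also reject the TEST-NET sample ranges, so the
# exclusion list is spelled out explicitly.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_flows(text):
    """Turn the flat record lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, proto = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": ipaddress.ip_address(src),
            "port": int(port),
            "proto": proto,
        })
    return records


def is_non_routable(ip):
    return any(ip in net for net in NON_ROUTABLE)


def lookup_country(ip):
    """Longest-prefix match, the same rule a real GeoIP prefix database uses."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEO_PREFIXES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


def _in_window(records, now, days):
    cutoff = now - timedelta(days=days)
    return [r for r in records if r["ts"] >= cutoff and not is_non_routable(r["src"])]


def top_sources(records, now=NOW, days=7, min_hits=2):
    """Source IPs (as strings) seen at least min_hits times in the last `days` days."""
    counts = {}
    for r in _in_window(records, now, days):
        key = str(r["src"])
        counts[key] = counts.get(key, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def country_totals(records, now=NOW, days=7):
    """Attack attempts per (assumed) origin country inside the window."""
    totals = {}
    for r in _in_window(records, now, days):
        cc = lookup_country(r["src"])
        totals[cc] = totals.get(cc, 0) + 1
    return totals


def render_ipset(sources, setname="honeypot_attackers"):
    """Emit ipset/iptables commands for the selected sources (review before applying)."""
    lines = [f"ipset create {setname} hash:ip -exist"]
    for ip in sorted(sources, key=lambda s: int(ipaddress.ip_address(s))):
        lines.append(f"ipset add {setname} {ip} -exist")
    lines.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    print("per country:", country_totals(recs))
    print(render_ipset(top_sources(recs)))
```

The private 10.0.0.5 record and the three-week-old record are dropped, 192.0.2.55 is counted for the country totals but falls below `min_hits` and so is not blocked, and the output is a reviewable script rather than rules applied directly, which is the sensible default given the shared-residential-connection concern raised earlier in the thread.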


Wow. So many attacks. Running this site is going to DOS my phone.


Anyone know why 21320 is such a big target? Spybot S&D?


A quick google search seems to indicate that 21320 is a port commonly used to setup a proxy after an infection. It's probably the attacker trying to use the honeypot as a proxy after a "successful" infection of the machine.


Is there nothing worth attacking in China, or is it simply that there aren't many honeypots there?


It is like watching a War match where everyone's goal is "conquer California, or 24 territories".


Heh, someone in China just tried a mass SSH login to the US; it looked like a shotgun blast.


I have no idea what's going on, but it's very exciting looking.

