
Live attacks against the Norse honeypot infrastructure - dtournemille
http://map.ipviking.com/
======
eddyg
The Google/Arbor Digital Attack Map[1] provides a similar view based on data
from 270+ ISPs around the world. Hovering over an attack shows details, and
sliding the timeline indicator to dates in the past lets you view some very
large attacks (>400 Gb of attack traffic).

[1] [http://www.digitalattackmap.com/](http://www.digitalattackmap.com/)

~~~
growupkids
The Google map appears to only show DDoS attacks, whereas the Norse map I
believe shows attacks attempting or possibly succeeding in compromising their
targets (as opposed to just DoSing them). So apples and oranges?

------
viraptor
Couldn't find much information about that visualisation, so I have to wonder -
what kind of traffic do they count? Is it only showing detected known/assumed
attacks? Or does it count all connections? (i.e. does it include scans, or
not)

If it includes scans - I'm surprised how few there are. (that's about as many
as you'd get on 5 randomly created VMs) If it doesn't - I'm surprised how many
active attacks there are.

~~~
stinos
This. Can somebody please explain what we are looking at? For instance: what
is an attack? How do they distinguish between an attack and normal traffic? It
lists companies. Are those ISPs? etc.

------
recycleme
"The Norse live attack map is a visualization of a tiny portion (<1%) of the
data processed by the Norse DarkMatter™ platform every day."

[http://www.norse-corp.com/](http://www.norse-corp.com/)

~~~
0xdeadbeefbabe
Could they team up with anyone to get even more data?

~~~
victor_mg
That is the amount shown publicly; they have more.

------
dtournemille
Technical accuracy aside, it's a great marketing tool. Nicely done.

------
ck2
Needs Missile Command sounds.

Of course the internet does not route in "as the crow flies" lines like this
is showing. There is routing.

~~~
ErikRogneby
But from an attack perspective do you care that much about the routing? I
think origin and target are much more intuitive to digest. Presenting
information is as much about what you don't show and filter out as what you do
show.

I do find myself trying to remember what the missile command sounds were...

~~~
ck2
[http://www.youtube.com/watch?v=C0L0dXCL7l8](http://www.youtube.com/watch?v=C0L0dXCL7l8)

One of my favorites when it came out. Clip doesn't show the opening though,
with the sound of the cities being put into place, which they should do for the
countries being set up.

Oh, here is a MAME version with sounds: [http://www.youtube.com/watch?v=we4lY-GEzMk](http://www.youtube.com/watch?v=we4lY-GEzMk)

The real arcade version had this big heavy trackball that was fun to use -
thought it would be the future of computer interfaces but we went with mice
instead after a decade.

------
rpwverheij
Does anyone know why relatively many attacks come from the Netherlands?
After running this for about 5 minutes it is the number one origin of attack
at the moment.

~~~
spindritf
I think it's partially because of how well connected the Netherlands are, and
partially because of lax Ecatel policies regarding abuse.

------
th3iedkid
Where does it get data from?

~~~
oskarth
_“We have a very large honeypot, where we have, at any given time, over 5m
emulations towards the Internet,” states Stiansen. “Meaning we emulate over 5m
users, servers, infrastructures on the Internet. We mimic a bank. We put in
place honeypots to mimic Microsoft Exchange servers, Linux systems, ATMs. We
try to mimic as much as we can of the infrastructure online to make it look
attractive to be attacked.”_ From an interview with the CTO at Norse:
[http://realbusiness.co.uk/article/27070-ipviking-map-cybercr...](http://realbusiness.co.uk/article/27070-ipviking-map-cybercrime-hunting-just-got-real-time)

~~~
electromagnetic
This is ingenious, I wonder how long the ruse lasts and how much time it ties
up for the attacker.

If it's effective to tie up sufficient resources (similar times as hacking
into what the honeypots are actually mimicking) then this could be deployed as
an actual form of ECM against malicious attacks.

The main issue would be you're either protecting no one or everyone. So you
either need to get governments behind you, or you need to get ISPs behind you.

If an organization could get an ISP to let them use their unused IPs in their
honeypots and sufficiently reduced DDoS against their paying business
customers, it would be very lucrative.

With the amount of businesses I've heard of getting hit by ransomware, and hit by
DDoS for ransom, I'm sure a lot would willingly opt for a 10% increase in
their internet costs to reduce the amount of attacks.

It wouldn't take long for word to get out that a certain ISP's IP block is
full of honeypots and thus less profitable to hit, and it would be more
effective as a deterrent than as an actual tool - it's like having an alarm
company sticker on your house window: you're automatically out of the biggest
break-in category of the opportunistic thief. Doesn't even matter if you've
got an alarm system or not.

------
ChuckMcM
There is fairly rampant infection of something which uses port 21230 for its
activities. I use the port numbers and verify that my iptables aren't passing
any of them, which is generally useful. And it is interesting to see the ones
being "attacked" (as in people trying to either open them or send data to them
via UDP).
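
As an added example (not from the thread or from Norse), a Python check in the spirit of the habit described above: parse `iptables-save` output and report whether a given port is admitted on the INPUT chain, either by an explicit ACCEPT rule (including multiport lists and ranges) or by an ACCEPT default policy. The rule set is a constructed sample; the audited port numbers are the two called out in this thread.

```python
import re
# Constructed sample of `iptables-save` output (not from the thread): DROP
# default policy plus a few ACCEPT rules, one of them a broad port range.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 21230 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,21000:22000 -j ACCEPT
COMMIT
"""

THREAD_PORTS = (21230, 21320)  # port numbers called out in the thread

def chain_policy(rules, chain="INPUT"):
    """Default policy of `chain` (ACCEPT/DROP/...), or None if not declared."""
    m = re.search(rf"^:{chain} (\w+)", rules, re.M)
    return m.group(1) if m else None

def _port_in_spec(port, spec):
    """Match `port` against a --dport/--dports value such as '80,443,21000:22000'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def accepting_rules(rules, port, proto, chain="INPUT"):
    """Rules in `chain` that jump to ACCEPT for `proto` traffic to `port`."""
    hits = []
    for line in rules.splitlines():
        if not line.startswith(f"-A {chain} ") or " -j ACCEPT" not in line:
            continue
        pm = re.search(r" -p (\w+)", line)
        if pm and pm.group(1) != proto:
            continue  # rule is for a different protocol
        dm = re.search(r"--dports? (\S+)", line)
        if dm and _port_in_spec(port, dm.group(1)):
            hits.append(line)
    return hits

def is_exposed(rules, port, proto, chain="INPUT"):
    """True if `port`/`proto` gets in via an ACCEPT rule or an ACCEPT default policy."""
    return bool(accepting_rules(rules, port, proto, chain)) or chain_policy(rules, chain) == "ACCEPT"

def audit(rules, ports=THREAD_PORTS):
    """Map each exposed (port, proto) to the rules that admit it ([] means policy ACCEPT)."""
    return {(p, pr): accepting_rules(rules, p, pr)
            for p in ports for pr in ("tcp", "udp") if is_exposed(rules, p, pr)}
```

On the sample, the multiport range rule is what quietly admits TCP to both ports, which is the kind of thing this check is meant to surface.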

------
coldcode
It looks like a modern version of War Games. But how does it determine the
origins and attack targets in real time?

~~~
mcosta
GeoIP databases

------
0xdeadbeefbabe
Could they effectively DoS the IPs on the blacklist[1] and still play good
defense?

1. [http://www.norse-corp.com/darklist.html](http://www.norse-corp.com/darklist.html)

~~~
devicenull
Not without causing some significant disruptions. A lot of these are going to
be compromised machines in someone's house. If you start launching attacks at
a residential connection, you can start to interfere with other users that are
near that person. (Since most residential connections are shared, at one point
or another)

------
richardwigley
When I use Firefox it says 'too slow? try chrome' - it is much slower on
Firefox - is Firefox that bad or is it just optimized for Chrome?

~~~
izietto
I suspect the first... looking at the code it's a "standard" canvas managed
via d3js, and the implementation [0] isn't odd.

[0] [http://map.ipviking.com/ipviking.js](http://map.ipviking.com/ipviking.js)

------
jpmattia
A list of attacker IPs (from, say, the last 7 days) to block in iptables would
be a very popular item.

------
Donzo
Wow. So many attacks. Running this site is going to DOS my phone.

------
ErikRogneby
Anyone know why 21320 is such a big target? Spybot S&D?

~~~
psykovsky
A quick Google search seems to indicate that 21320 is a port commonly used to
set up a proxy after an infection. It's probably the attacker trying to use the
honeypot as a proxy after a "successful" infection of the machine.

------
baq
Is there nothing worth attacking in China, or is it simply that there aren't
many honeypots there?

------
gcb0
It is like watching a War match where everyone's goal is "conquer California,
or 24 territories".

------
rurounijones
Heh, someone in China just tried a mass SSH login to the US; looked like a
shotgun blast.

------
jk215
I have no idea what's going on but it's very exciting looking.

