
Norse Attack Map - twakefield
http://map.norsecorp.com/
======
kyrra
I've seen maps like this discussed[0] on /r/netsec/ and other similar forums
and from my understanding, they are mostly useless. It's aggregates some data
to make a very pretty site, but doesn't really give you anything actionable.
Normally you need to run it through real monitoring tools with various
thresholds configured so you can alert the proper teams to act when something
odd is going on.

[0]
[http://www.reddit.com/r/netsec/comments/2xuai9/pewpew_your_v...](http://www.reddit.com/r/netsec/comments/2xuai9/pewpew_your_very_own_ip_attack_map_with_d3js/)

~~~
tomphoolery
The Norse Map used to have a little "about" section that explained how the map
is a general aggregation of data and designed to show at a very high level
what is going on, but doesn't provide any deep insight into each attack. The
famous disclaimer "for entertainment purposes only" comes to mind, but in
reality I think the Norse Map is just a really neat and sort-of functional
advertisement for the capabilities of Norse. If you go to
[http://norsecorp.com](http://norsecorp.com), you'll see that the company
behind the map is a security firm that wants you to pay for "real-time
visibility into global cyber attacks", which means either signing up for their
service that alerts you of weird activity on your network, or purchasing their
appliance that can help block attacks at the point of entry. I'd conclude that
the map is not really meant to actually provide real threat warnings, but
rather a way to see into what the Norse Intelligence Service is capable of
monitoring.

~~~
meowface
Norse is generally considered a joke by all the professionals I know in the
infosec and threat intelligence industries, and not just for their silly map.
Even moreso after their recent Iran report, done in conjunction with the
political thinktank American Enterprise Institute. No bias there at all.

~~~
secfirstmd
Agree, though I think the value in this is purely demonstrative to non-tech
people, just to try to emphasise specific concepts.

------
leoc
With a title like that, I was at first expecting to see a map of coastal
attacks against northern Europe.

------
sweis
This map has much better pew pew sounds:
[http://threatbutt.com/map/](http://threatbutt.com/map/)

------
brock_r
Thought it was a video game. Tried shooting back at China.

~~~
britknight
_Shall we play a game?_

~~~
curiousjorge
How about global thermonuclear war?

~~~
AdieuToLogic
A strange game. The only winning move is not to play. How about a nice game of
chess?

------
tcas
Are there any open source map platforms like this for integrating into real
time data feeds (i.e. if we want to track sales by region etc...) onto a map?

I know about [http://cesiumjs.org/](http://cesiumjs.org/) but it was extremely
resource intensive heavy last time I tried to use it.

EDIT: it looks like they use [http://leafletjs.com/](http://leafletjs.com/)
\-- looks interesting

~~~
clwg
There's this
[https://github.com/hrbrmstr/pewpew](https://github.com/hrbrmstr/pewpew) it's
as much a criticism of these sorts of security visualizations as it is a means
to create them.

------
libraryatnight
Seems like China needs to go to internet time-out.

------
wnevets
what is norse, and why does it hate st. louis?

~~~
twakefield
LOL, I had the same initial reaction. Apparently Norse monitors global cyber
attacks[1]. So the real question is not why they hate St. Louis but why does
China hate St. Louis?

I found the link while reading conspiracy theories about the NYSE shut down
this morning[2]. I have no idea about the quality of the data. I just thought
the visualization was cool.

[1] [http://norsecorp.com/](http://norsecorp.com/). [2]
[http://www.zerohedge.com/news/2015-07-08/what-first-world-
cy...](http://www.zerohedge.com/news/2015-07-08/what-first-world-cyber-war-
looks-global-real-time-cyber-attack-map)

~~~
d1str0
Norse has offices in St. Louis and I'm sure that's where they host the
majority of their honeypots. Thus, you see a lot of attacks hitting St. Louis.

------
daveloyall
If Norse wanted to make this data useful, they'd present it as a CSV, too. How
else could I determine if one entity owns all the St. Louis targets??? :)

~~~
kjs3
They actually sell that sort of data feed. The map is an ad.

------
daveloyall
The company that runs this attack map published a blog post about China
yesterday.

[http://darkmatters.norsecorp.com/2015/07/07/chinas-new-
secur...](http://darkmatters.norsecorp.com/2015/07/07/chinas-new-security-law-
is-retort-for-u-s-sanctions-policy/)

[EDIT: removed 'unflattering'.]

------
ldubinets
Their homepage says "Norse Tracks over 200,000 tor exit nodes". Tor metrics
[1] says there exist 1,000 ish Tor exit nodes. So is Norse's statement a
blatant lie?

[1]
[https://metrics.torproject.org/relayflags.html](https://metrics.torproject.org/relayflags.html)

------
rza
I don't know much about network security. Is there a difference between the
kind of attacks that would be caught by honeypots vs targeted attacks? Do
these statistics depend heavily on how they setup their honeypots, which I
assume is limited by the company's logistics.

------
yeukhon
How do they collect this data?

~~~
d1str0
Honeypots

~~~
bithead
That would, in my view, mean I shouldn't take the map as accurate.

~~~
nkozyra
What does "accurate" mean? It's not comprehensive - what it does is show you
where their honeypots get the most attacks from over time.

That said, it's not all that useful - there's no shocking information here. As
mentioned, it's largely a marketing tool.

------
bognition
Not sure how they are getting their attack data. Especially since they are
classifying shodan as an "attacker"

------
trhway
interesting that attacks come directly from China instead of say some botnets
distributed around the world.

~~~
kalleboo
China probably has the most compromised PCs due to the levels of piracy there.

------
jackdawjack
This is more of a sales pitching device (and it's a nice one) than a useful
tool

------
finnjohnsen2
What about that spot mid Russia which just pulsates? attacking itself?

------
closetnerd
I expected Russia to be active.

