A (Graphical) World of Botnets and Cyber Attacks
Update 3/12/2013: I should also mention the Deutsche Telekom Security Tachometer
We live in a World made of Botnets and cyber attacks! While I am typing these few words in my keyboard, other fingers somewhere else in the Globe are moving quickly through the keys, firing stream of bits against their targets.
For thwarting this malicious landscape, trying to understand the evolving trends, more and more security companies and organizations collect data from their security endpoint or network devices spread all over the Globe, and send it to the cloud to be analyzed with big data algorithms. The purpose is to reduce the time between the release of a threat and the availability of an antidote. The same data can also be used to build spectacular maps that show in real time the status of the Internet, a quite impressive and worrisome spectacle! Here a short list of resources:
Probably the most impressive: the HoneyMap shows a real-time visualization of attacks detected by the Honeynet Project‘s sensors deployed around the world. The Map shows “automated scans and attacks originating from infected end-user computers or hijacked server systems”. This also means that an “attack” on the HoneyMap is not necessarily conducted by a single malicious person but rather by a computer worm or other forms of malicious programs. Please Notice that, as the creators of the Project declare, many red dots means there are many machines which are attacking our honeypots but this does not necessarily imply that those countries are “very active in the cyberwar”
Akamai monitors global Internet conditions around the clock. With this real-time data the company identifies the global regions with the greatest attack traffic, measuring attack traffic in real time across the Internet with their diverse network deployments. Data are collected on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. Values are measured in attacks per 24 hours (attacks/24hrs).
The information collected by Kaspersky Security Network is shown in the Securelist Statistics section. In the corresponding navigable map, the user can select Local Infections, Online Threats, Network Attacks and Vulnerabilities with Map, Diagrams or Ratings format in a time scale of 24 hours, one week or one month.
Trend Micro continuously monitors malicious network activities to identify command-and-control (C&C) servers, making the ability to rapidly identify and correlate bot activity critical. The real-time map indicates the locations of C&C servers and victimized computers that have been discovered in the previous six hours.
The Shadowserver Foundation, managed by volunteer security professionals, gathers intelligence from the Internet via honeyclients, honeypots, and IDS/IPS Systems. The maps are made converting all of the IP addresses of the aggressor, the Command and Control and the target of the DDoS attack in coordinates and placing those points on a map. The maps are updated once a day and are available for DDoS activity and Botnet C&Cs.
Through its relationships with several worldwide service providers and global network operators, Arbor provides insight and on global DDoS attack activity, Internet security and traffic trends. Global Activity Map shows data in terms of scan sources, attack sources, phishing websites, botnet IRC Servers, Fast Flux bots.