Slashdot Mirror


Crazy Firewall Log Activity — What Does It Mean?

arkowitz writes "I happened to have access to five days' worth of firewall logs from a US state government agency. I wrote a parser to grab unique IPs out, and sent several million of them to a company called Quova, who gave me back full location info on every 40th one. I then used Green Phosphor's Glasshouse visualization tool to have a look at the count of inbound packets, grouped by country of origin and hour. And it's freaking crazy looking. So I made the video of it and I'm asking the Slashdot community: What the heck is going on?"

344 comments

  1. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  2. What does a normal firewall log look like? by Anonymous Coward · · Score: 0

    See title (and answer it).

  3. Well duh! by Anonymous Coward · · Score: 0

    It's the Chinese HACKERS!

  4. Re:Skylab Shreds by KshGoddess · · Score: 2, Insightful

    That's what I thought it was for. Srsly, they're your firewall logs. You should have some clue where inbound traffic is coming from and why. If you've got a webserver serving some sort of information that changes, this could be rss readers hitting your site. Or it could be pings of death being dropped by your firewall. It could be web surfers getting to work and hitting you up for information, or browsers grabbing some active information on your site. It could be googlebots. It could be slashdot hits for all I know. These are just theories, because this isn't my firewall or my traffic.

    --
    It's a little wrong to say a tomato is a vegetable. It's a lot wrong to say it's a suspension bridge.
  5. 2001 by jamesh · · Score: 1, Funny

    Anyone else tempted to hum the theme tune to 2001 when they looked at that?

    And also... "oh my god... it's full of stars"

    1. Re:2001 by hack++slash · · Score: 4, Funny

      And also... "oh my god... it's full of bars"

      Fixed that for you.

      --
      To do something right, you often have to roll up your sleeves and get busy.
  6. I'm confused by Anonymous Coward · · Score: 2, Funny

    Is this post an advertisement for Quova or Green Phosphor's Glasshouse?

    1. Re:I'm confused by pipatron · · Score: 5, Insightful

      I don't even know why the Quova crap is mentioned, since you can look up the country for *each* of your IPs locally using GeoIP.

      --
      c++; /* this makes c bigger but returns the old value */
    2. Re:I'm confused by Mr.+DOS · · Score: 0

      He probably went to Quova due to the extreme quantity of data. I imagine most end-user-accessible GeoIP lookup interfaces would temporarily ban your IP after a few thousand rapid-fire lookups.

            --- Mr. DOS

    3. Re:I'm confused by Gerald · · Score: 3, Informative

      How does /usr/share/GeoIP/GeoIP.dat ban my IP address?

    4. Re:I'm confused by rve · · Score: 1

      He probably went to Quova due to the extreme quantity of data. I imagine most end-user-accessible GeoIP lookup interfaces would temporarily ban your IP after a few thousand rapid-fire lookups.

            --- Mr. DOS

      You can freely download the database, and roll your own in your favorite scripting language

    5. Re:I'm confused by sopssa · · Score: 4, Informative

      Eh what? There are several GeoIP databases that you can install locally. In fact it seems like Quova is the only database you have to query remotely, which is somewhat crazy if you ask me. Or buy a server from them.

      MaxMind is the best known one. Installing it on a Linux server using yum merely takes "yum install GeoIP*"

    6. Re:I'm confused by Mr.+DOS · · Score: 2

      I didn't even think about that being a possibility.

      On a related note, thank you for that tidbit of information - I'm sure I'll find it useful in the future.

            --- Mr. DOS

  7. vertical stripes by donaggie03 · · Score: 1

    I'm actually a lot more interested in the vertical stripes than the horizontal ones. It looks like at certain times, every country in the world sends a packet...

    --
    Three days from now?? Thats tomorrow!! ~Peter Griffin
    1. Re:vertical stripes by Anonymous Coward · · Score: 0

      depends on the type of server. Maybe they're running an NTP server or RSS or something else that people check periodically.

      If it's popular enough then you'd get hits from just about everywhere.

    2. Re:vertical stripes by jmauro · · Score: 4, Informative

      It looks like an active attack probably from one source with a number of controlled bots helping out.

      The packets from every country at once are probably spoofed sender IP addresses from one or more sources (probably the spike countries).

      The spiked country traffic is probably the controlled bots attacking the host actively.

      Without seeing the actual packet data it's just a guess though.

    3. Re:vertical stripes by wizardforce · · Score: 1

      This could just be a case where traffic is routed through different proxies at nearly the same time by a relatively small group of computers, or something coordinated many different machines to connect to their server(s), like a botnet.

      --
      Sigs are too short to say anything truly profound so read the above post instead.
    4. Re:vertical stripes by jra · · Score: 2, Insightful

      Yeah, I meant to say that it's also difficult to tell what's going on because you conflated all destination protocols and ports together.

    5. Re:vertical stripes by FatherDale · · Score: 1

      Agree. It'd be interesting to know what the trigger is for EVERYBODY to hit it at once....

    6. Re:vertical stripes by Anonymous Coward · · Score: 1, Insightful

      quite likely the server in question is sending floods of stuff out into the world and the vertical stripes are the responses... which quickly die off as the target machines lose interest

      the horizontal lines are probably botnets who, now that they've seen the 'announce' that the vertical lines represent, are interested and are picking away looking for a way in

    7. Re:vertical stripes by dcarlo · · Score: 1

      Could also be a spoofed source IP scan.

    8. Re:vertical stripes by Firehed · · Score: 1

      That would make more sense if they were regular - but those lines appeared to show up at several irregular periods throughout the day. Though on the flip side, they may have several cron jobs that run and ping (most of) the outside world to make sure there wasn't a nuclear detonation during teatime or something.

      Without knowing more about the environment and having more data, we can only speculate. But I doubt it's malicious - seems unlikely to follow that consistent of a pattern for the vertical stripes. Someone above mentioned videoconferencing as a possible explanation - it starts at the beginning of the work day and ends at the end, and is only going out to a few different places. Something along those lines would make sense for the horizontal stripes, at least.

      --
      How are sites slashdotted when nobody reads TFAs?
    9. Re:vertical stripes by golden+age+villain · · Score: 1

      I thought exactly about the same thing. It would be useful though to have a longer time stretch to see if the pattern is meaningful or if it periodically repeats over days, weeks or months.

    10. Re:vertical stripes by Anonymous Coward · · Score: 0

      The spiked country traffic are probably the controlled bots attacking the host actively.

      Personally I thought the spiked country stuff was really uninteresting. For example, a simple explanation like time zones would suffice. In one period, people from Europe will be doing something, during another period you'll get Asia, and another for the Americas, etc...

    11. Re:vertical stripes by Anonymous Coward · · Score: 0

      It's the aliens! They are using our own IP system against us to coordinate their attack on July 4th 2012.

    12. Re:vertical stripes by Animats · · Score: 1

      I'm actually a lot more interested in the vertical stripes than the horizontal ones. It looks like at certain times, every country in the world sends a packet.

      Yes, I noticed that. The edges on the stripes are so sharp that I suspect a bug in the analysis or graphing program. Either he's being attacked intermittently by a widespread, tightly synchronized botnet, or the breakdown by country is bogus. I'll bet he has some bug like getting the bytes of an IP address backwards, so when he gets a traffic spike, it looks like it comes from all over the world. With his crap visualization program, you can't tell. His "3D" visualization of a 2D graph would be more useful if you could zoom in.

    13. Re:vertical stripes by osu-neko · · Score: 2, Interesting

      If we assume the video conference included people from all of those countries, who all endeavored to join at the same time GMT regardless of local time, and they keep conferencing for several days without sleeping, then yes, that would account for those horizontal lines that suddenly get thick at the first vertical stripe and continue until the end of the five-day period. That definitely makes sense... ~

      --
      "Convictions are more dangerous enemies of truth than lies."
    14. Re:vertical stripes by __aasqbs9791 · · Score: 1

      In some cases outsourced countries will 'realign' their work force schedules to match up with another country. I worked with a company in India that did this while we (stupidly) outsourced some of our work to them. I say stupidly not because they couldn't do good work, but rather because some things shouldn't be outsourced, and what we did was some of that.

    15. Re:vertical stripes by ebursley · · Score: 1

      I would agree with this assessment. Looks like a control DDoS, but would need to review firewall logs. Would presume this site would also have IDS / IPS measures in place, along with DDoS mitigation.

      --
      Eric Bursley
    16. Re:vertical stripes by Anonymous Coward · · Score: 0

      300 packets, per second I assume, from a whole country is hardly DDoS for any site of a decent size.

    17. Re:vertical stripes by Anonymous Coward · · Score: 1

      Exactly. As it is now, it seems fairly useless.

      Is it web traffic, email traffic, P2P, VNC, Streaming, FTP, rejected traffic ala port sniffing, etc.?

      Also what government site is it? What kind of data would they provide that may be of interest?

      There could be things like press releases or RSS feeds or even webcams involving subjects that may be of international interest. Any one of those could explain why there are periodic boosts and spikes in activity. There's also the possibility that somebody could also be running a P2P or BOINC on there that kicks in periodically too.

      However, without narrowing down the data sets this graph is pretty useless in explaining the traffic. All it can show is "yes, there is traffic" and "yes, there are patterns occurring in the traffic."

    18. Re:vertical stripes by Athanasius · · Score: 1

      See http://www.youtube.com/watch?v=VxGBu1v6SiU for what TCP/UDP ports were involved.

      A look at what exactly the 'na' (cited to probably be ICMP) stuff was would be useful.

    19. Re:vertical stripes by hearth00 · · Score: 1

      Heck, it could be packet responses from someone inside the network running a global port scan of some kind - this would account for the traffic at the same time from all countries, and the boosted responses from China etc. He never said anything about outgoing traffic, so his graph showing only half the story can't determine anything...

    20. Re:vertical stripes by j00r0m4nc3r · · Score: 1

      His "3D" visualization of a 2D graph would be more useful if you could zoom in.

      If you look closely you can see a 3rd vertical dimension for the data, looks like load data maybe. If you had control of the program I think you would find it zooms.

  8. No forreals... by ihatewinXP · · Score: 1

    RTFV: this is one of the more interesting problems I've seen posted in years.... Especially as a China resident... Odd... Thoughts, /. community?

    "Does this mean anything?"

    --
    ---- The real Slashdot is still here. You just have to browse at -1 to read the comments.
  9. Finally by sznupi · · Score: 1

    Somebody who doesn't forget Poland.

    (even if traffic from there wasn't unusual in any way)

    --
    One that hath name thou can not otter
    1. Re:Finally by Anonymous Coward · · Score: 0

      I've never forgotten Poland ever since I had my first Paczki.

      I just wish I could get them around here.

    2. Re:Finally by Anonymous Coward · · Score: 0

      What's a Poland?

  10. Botnets are fun by Anonymous Coward · · Score: 0

    Botnet timed activation trying to hack into the Govt database that the firewall was protecting.

  11. Another Slashdot Ad? by Frogking · · Score: 5, Insightful

    Wait, is this just an advertisement for Glasshouse? The voice in the video on Green Phosphor's website is exactly the same.

    What gives?

    1. Re:Another Slashdot Ad? by Jah-Wren+Ryel · · Score: 5, Informative

      Wait, is this just an advertisement for Glasshouse? The voice in the video on Green Phosphor's website is exactly the same.

      It is totally the same guy - the background noise sounds identical too - like he recorded it on the same microphone with the same environmental conditions.
      Hell, he even starts each narration exactly the same with the pattern of, "Hi <name> here."

      --
      When information is power, privacy is freedom.
    2. Re:Another Slashdot Ad? by jra · · Score: 1

      Heh. Well, if they need voice talent (and they *do* need voice talent, let me tell you), I'm available.

    3. Re:Another Slashdot Ad? by NoTheory · · Score: 5, Informative

      If you check the other uploaded videos on youtube by the same guy (whose name appears to be "Ben Lindquist", the CEO of Green Phosphor, found on blogger and twitter), there is an introduction to Green Phosphor's Glasshouse. So yeah, Slashvertisement done in the style of Lost.

      Welcome to the future of advertising. /sigh.

      --
      There are lives at stake here!
    4. Re:Another Slashdot Ad? by Baloo+Uriza · · Score: 1

      Hi, Vince here for Slap Chop...

      --
      Furries make the internet go.
    5. Re:Another Slashdot Ad? by Firehed · · Score: 1

      And to think that I was going to ask what kind of person has enough time to make data visualizations like that. Guess it's easy when that's your job.

      Still, the video raises an interesting question, slashvertisement or not. (FWIW, I wouldn't have known what company was being slashvertised if it hadn't been pointed out a dozen times in the comments)

      --
      How are sites slashdotted when nobody reads TFAs?
    6. Re:Another Slashdot Ad? by noidentity · · Score: 3, Funny

      Maybe you could do a visualization of this guy's astroturfing. And for some reason it seems highly appropriate to use his own visualization tools for it. The ad demonstrating the product would be based on everywhere the ad itself had been spammed. I love it.

    7. Re:Another Slashdot Ad? by Nikker · · Score: 1

      You're gonna love my nuts...

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    8. Re:Another Slashdot Ad? by __aasqbs9791 · · Score: 1

      I wouldn't have had a problem with that if he had made that clear from the beginning. The idea is interesting, even if not really well executed. But trying to hide that info just makes me question his ethics.

    9. Re:Another Slashdot Ad? by VoltageX · · Score: 2, Insightful

      The correct response to spam like this is to start and develop a Sourceforge project that contains most, if not all of Glasshouse's features.

      --
      "Anonymous could not immediately be reached for further comment." - International Business Times
    10. Re:Another Slashdot Ad? by sopssa · · Score: 3, Informative

      To be fair though, he didn't link to the companies in the submission, only the video, and merely mentioned what he used. I guess kdawson added the links. While certainly promoting their own software, the bitching about it has been taken to quite irrelevant levels in this story. Instead of bitching about that, we could have had a much more interesting discussion about what it actually is, or whether anyone else saw such spikes on the same days. Personally I think it might be some botnet scanning either for exploits or to find each other (this might be extremely relevant if some botnet was taken down on the same day and P2P scanning to find other nodes kicked in). Port numbers and a little more info would have been helpful, though.

    11. Re:Another Slashdot Ad? by Anonymous Coward · · Score: 0

      and merely mentioned what he used.

      That's called astroturf.

      While certainly promoting their own software, the bitching about it has been taken to quite irrelevant levels in this story.

      No it hasn't. The guy deliberately hid his bias when he submitted his astroturf. He deserves every bit of shit.

    12. Re:Another Slashdot Ad? by /.Rooster · · Score: 1

      Well, a simple way to show your disapproval is to rate the video a 1 or post a negative comment. Rating is easy but I can't be bothered to comment. No way I am getting that 4 minutes 36 seconds back now. Not worth the effort.

      --
      Rooster - A friend. "Anyone's friend in particular or just generally well disposed to people?"
    13. Re:Another Slashdot Ad? by Anonymous Coward · · Score: 0

      While certainly promoting their own software, the bitching about it has been taken to quite irrelevant levels in this story

      Not really. Given that he was trying to hide such relevant info, I find little reason to believe that the entire thing isn't fake.

    14. Re:Another Slashdot Ad? by Rogerborg · · Score: 1

      What gives

      Really? You have to ask. Let me draw your attention to...

      Posted by kdawson

      Further comment would be superfluous.

      --
      If you were blocking sigs, you wouldn't have to read this.
    15. Re:Another Slashdot Ad? by Pictish+Prince · · Score: 1

      Please, modders, mod parent insightful.

      --
      Only his tendency toward a dazed stupor prevented him from screaming aloud.
    16. Re:Another Slashdot Ad? by Anonymous Coward · · Score: 0

      I already do.

    17. Re:Another Slashdot Ad? by Nikker · · Score: 1

      Never doubted that for a second ;)

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    18. Re:Another Slashdot Ad? by arkowitz · · Score: 1

      After getting some great analyses from the community, I reloaded ten contiguous days of the firewall logs, re-visualized, and produced this next video: http://www.youtube.com/watch?v=4K4QmpTCtDc I think the stripes across all countries have to be some sort of backscatter/ISP network phenomenon that is a secondary effect of the botnet activity, as was suggested by several people. So I filtered out those stripes by eliminating any countries with fewer than 200 total inbound packets over the ten days. This leaves what is really interesting: botnets becoming active and going dormant, and portscans - one clearly visible from Sweden; shown in this new video.

  12. Interesting. by Dartz-IRL · · Score: 2, Insightful

    It's pretty interesting. You can see the countries with the largest botnets in the log... which also seems to suggest that a large majority of the packets are coming from the one botnet... since a good number of them kick in at the same time.

    It also looks cool. Which is critical.

    --
    So there I was, scribbling down some notes off the PC screen by hand, when I reached for the keyboard and Ctrl-S'd.
  13. botnet. by Anonymous Coward · · Score: 1, Interesting

    The striping across all countries is a check whether your site is reachable from that part of the botnet, the purpose of the traffic is unclear; either to do a large data grab or it's a (very unsuccessful) bandwidth attack, or something. You should adjust it for number of internet connected users per country first then revisualize that.

    1. Re:botnet. by Comen · · Score: 1

      I am not sure what is unusual about this, this is the type of thing you see when you watch a big firewall's logs, I used to parse through a big checkpoint firewall's logs with all kind of trending software all the time, and you always see strange trends like this. There could be all kinds of reasons why certain countries access your network or webpages at a certain time of day every day, not to mention botnet activity or really just servers scanning for open ports etc... The vertical stripes would mean that all countries accessed your network more on one day than the day before or after for some reason (there could be real reasons that would happen). You mentioned "Over a hundred packets an hour"; that is small really, nothing too unusual.
      This reminds me of many times we would sell customers a PIX and the first thing they do is start asking why the logs have red alarms denying packets in it... And even have customers get mad because we sold them an internet connection with traffic that is coming in from all these places and getting denied. I would just explain that is why you bought this firewall, feel good it's here blocking this stuff. I do agree it's interesting, but if you really want to figure out what this stuff is you can always sniff it and see what they are doing I guess.

  14. Filter your data... by Itninja · · Score: 3, Insightful

    Is this guy filtering out backscatter like DNS replication and time updates? If it's from a State agency it's entirely possible that they are running a root DNS server on-site (I work at a State agency and we are). Also, what timezone is he in? Knowing that might help explain the spike at 21:00. Is that GMT? Need input!

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    1. Re:Filter your data... by AHuxley · · Score: 0, Troll

      In a fly over state you have elite coast time, local time, log cabin time and IOU time on the west coast.
      Same bots would be set for when the average US MS admins clock off from their daily malware hunts and go home for tv, bar, sport and family.
      How many attempts to 'hack' are just hits from MS boxes owned for an afternoon's work, left on auto for months after?
      As for the countries, most are places where they invest in basic education, ie real maths skills. The people who did not get a job/visa out have the brains and time to look for the other kind of Visa.
      For the next project trap the packets, see what they are seeking ie MS database hunters, MS pw sniffers, MS credit card finders?
      Or are they Unix/exotic OS worms for deep sleeper code for instant lights out in 4 years?

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Filter your data... by scottv67 · · Score: 1

      >If it's from a State agency it's entirely possible that are running a root DNS server on-site (I work st a State agency and we are)

      No, you aren't.

    3. Re:Filter your data... by Anonymous Coward · · Score: 0

      Exactly. We need to know the timezone and what the hours with the stripes are in order to make any decent guess as to what real-world, non-malicious activities might be causing the stripes.

  15. Why am I worried? by Anonymous Coward · · Score: 4, Insightful

    So you have access to these firewalls but you don't know how to go about diagnosing the problem aside from an Ask Slashdot? Am I the only one who's a little baffled by this?

    1. Re:Why am I worried? by Anonymous Coward · · Score: 1, Insightful

      You're right, this story doesn't add up. It could be that this data has all been faked, just to advertise for the linked-to companies and products.

    2. Re:Why am I worried? by digitalchinky · · Score: 5, Insightful

      Why baffled? This is naught more than an advert for a graphic log analysis filter riding on the coattails of the google / China thing.

      There are many others that go about the same task in different ways, most are free, this one is not.

    3. Re:Why am I worried? by krej · · Score: 1

      I was wondering the same thing. Why do you have access to government logs yet don't have a better way to figure out what it is than ask on slashdot?

    4. Re:Why am I worried? by AHuxley · · Score: 0, Troll

      Why do you have access to government logs yet don't have a better way to figure out what it is than ask on slashdot?
      They use MS all day and suffer from group think?
      At best they love the firewall hits as they can put in budget upgrades every year.
      Best not to ask why or think too much, just protect and enjoy the MS lunches/bribes.
      If they are smart and ask why, what can they expect - told to buy more MS?
      They are looking after some local structure in a fly over state, thinking is not expected or needed.
      Go running to a 'fusion centre' and ask for FBI/NSA help with print outs might just expose one of their taps into your department.
      At best you're told they are looking into it (and your life gets complex), or you are found by friend/family a few days later.
      Asking on slashdot lets you share the info and not risk your job/life/promotion/budget.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:Why am I worried? by chiguy · · Score: 1

      So you have access to these firewalls but you don't know how to go about diagnosing the problem aside from an Ask Slashdot? Am I the only one who's a little baffled by this?

      I would ask, so you have access to government firewall information and you don't have an NDA? That baffles me.

      --
      passetspike!
  16. Mystery? What mystery? by Anonymous Coward · · Score: 1, Insightful

    Were you unaware that botnets spanned the globe, or that certain countries have a higher incidence of compromised systems? If you don't understand those things, maybe you should get someone else to manage your firewalls?

  17. Intel by MandoSKippy · · Score: 1

    I would have to say that the countries of interest on the graph seem to be the countries of interest from a malware/hacking perspective. Perhaps it's botnet activity where there is a large amount of port scans that kick off from all over the world and then some of the "increase" after the lines would be further recon activity. All very interesting.

  18. obviously by flyneye · · Score: 0, Offtopic

    It's a Denial of Reality attack from Democratic Chinese Youth for Christ protesting Iraqi Bacon Bits embargo.
    Go figure. You could probably blame Hillbillary Clinton for refusing to recognize Constitutional Rights. I'm sure the attack will subside when we send Sen. Tedward Kennedy over to give swimming lessons. This international diplomacy thing isn't hard to figure out. We'll just let the Wichita Air Nat'l Guard fire up their Windoze boxes and challenge them to a round of GO.

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    1. Re:obviously by AlexWillisson · · Score: 1, Offtopic

      Where are mod points when you need them? Parent desperately needs to be modded something OTHER than informative.

    2. Re:obviously by flyneye · · Score: 1

      Wul, way to go picky pants, now it's modded off topic and down. You were the classroom snitch back in school, weren't ya?

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  19. I see the people who have a clue haven't gotten by jra · · Score: 0, Redundant

    here yet. :-)

    Though I did like the Guitar Hero riff..

    The time-based stripes look like a botnet being triggered. It's possible the increases in traffic from certain places after the stripe pattern commenced might be due to distribution in infections by a botnet client.

    To make any real judgement on that, it would probably be necessary to see more like 6 months worth of data all at the same time.

    I suspect Bill Cheswick and Steven Bellovin might have some interesting comment to make on this; I chat with Steve occasionally; I'll point him at the thread. (For those not playing the home game; they wrote the Wily Hacker book, and used to run AT&T's corporate firewall.)

    1. Re:I see the people who have a clue haven't gotten by Loomismeister · · Score: 1

      Don't waste their time with this shameless advertisement.

    2. Re:I see the people who have a clue haven't gotten by Anonymous Coward · · Score: 0

      I see the people who have a clue still haven't gotten here yet

  20. My guess by JoshuaZ · · Score: 2, Interesting

    It looks to me like the lines of major activity likely corresponded to major news events or other events that caused people to look at the relevant government agency. Without more data it is difficult to speculate. It might be possible to look at the approximate date (Early September of 2009) and find a specific event that would cause this. Indeed, it might then be possible to actually make a guess as to what government agency the firewall belonged.

    1. Re:My guess by sfcat · · Score: 2, Insightful

      If that were the case, you would see a more gradual decline in the traffic and not so regular usage across the board. It looks like a botnet with significant infection in the countries with increased traffic after the first stripe. I'm sure someone with more experience in this type of thing could tell us even more about it however...

      --
      "Those that start by burning books, will end by burning men."
    2. Re:My guess by osu-neko · · Score: 1

      If that were the case, you would see a more gradual decline in the traffic and not so regular usage across the board.

      You would also see gradual buildups from at least some of the countries. If a major news event sent everyone to one particular website, you would immediately see *some* traffic from everywhere, but at any given time, a third of the world is asleep, and from those countries, you're just catching the night-owls, the traffic would increase as people started waking up and getting the news.

      I'm guessing GP didn't even look at the video. It looks nothing like a news-event-triggered spike. People from every country hit the site one hour, then don't the next hour or two, then do again? Uh huh. Sorry, that's not even a good guess...

      --
      "Convictions are more dangerous enemies of truth than lies."
  21. Nice job, one question by Anonymous Coward · · Score: 0

    Great concept and presentation. Point of clarification- you said you are counting inbound packets. Did you differentiate between blocked/dropped & passed traffic?

  22. Temporal Discontinuity in Data by wufpak · · Score: 2, Insightful

    Looking at the pop-up labels that show up when you mouse-over the data, there seems to be a huge temporal discontinuity in your data set: right at the first vertical stripe, the displayed date/time labels jump from 2009-09-17 to 2009-09-27. Maybe I'm just misreading the display, but a 10-day discontinuity would seem to account for the anomaly you describe.

    It couldn't be that easy, could it?

    1. Re:Temporal Discontinuity in Data by Dachannien · · Score: 1

      It might account for the first vertical stripe directly (ten days' worth of minimal packet data accumulated into one data point), but then you would expect the data from the busy countries to then be ten times as high for that one data point.

      But what it does indicate is that there are ten days of missing data that most likely show the start of this behavior and could provide further insight.

      I wonder whether this data was inadvertently left out by the submitter, inexplicably dropped by the third-party processing company, or intentionally deleted from the server logs by some outside party who gained access to the box.

    2. Re:Temporal Discontinuity in Data by Dachannien · · Score: 1

      Er... sorry, the x axis goes by hours mostly, so it would be 240 times as high rather than 10.

  23. Obviousness? by Anonymous Coward · · Score: 0

    Could the incoming packets be the result of something sinister... like responses to requests originating from systems inside the unspecified government office? And when did the first stripe occur, say, 0600 Monday local time? Honestly, the poster's question fails to address the most obvious questions. Nice advertisement for Quova and Green Phosphor, though. Maybe that was the *real* point?
       

    1. Re:Obviousness? by zippthorne · · Score: 1

      Not really. It makes green phosphor look like laggy shareware. Something with no effort spent on beautifying the interface and even less effort spent on cheating enough to make it visually smooth.

      It made me think, "that's a really cool idea. If I had to do that kind of visualization (large dataset over two independent variables), I'd definitely be interested in something like that. But done well, instead."

      --
      Can you be Even More Awesome?!
    2. Re:Obviousness? by Jeremy+Erwin · · Score: 1

      Better colors, please. Perhaps labels for the axes, as well.

    3. Re:Obviousness? by Anonymous Coward · · Score: 0

      Don't tell this dude about this interesting product called Excel, it's from this little company called Microsoft.

    4. Re:Obviousness? by jra · · Score: 1

      "Whaddayou think *this* is?"

      "It's something like a man's penis, only smaller."

      (Spider Robinson, "Fivesight", _Time Travellers Strictly Cash_, no commercial association)

    5. Re:Obviousness? by tenco · · Score: 1

      And when did the first stripe occur, say, 0600 Monday local time?

      My first thought. I bet the first day of this 5-day-period is saturday.

  24. Re:Skylab Shreds by Magic5Ball · · Score: 1

    Yes. Some context would be helpful, including what's behind the firewall, the kinds of traffic you think you're accepting, and public expectations of the services available.

    Visualizing by port or protocol would be a great way to begin to figure out what the traffic is.

    Also, CERT and related may remember if any interesting 0-days were released just prior to the first band, etc.

    --
    There are 1.1... kinds of people.
  25. My guess-Paint by Packet by Anonymous Coward · · Score: 0

    What kind of packets would be nice?

  26. What's going on? by Blakey+Rat · · Score: 0, Offtopic

    So I made the video of it and I'm asking the Slashdot community: What the heck is going on?

    You badly need a new hobby.

  27. Re:Skylab Shreds by bakes · · Score: 3, Insightful

    Yes, he knows the firewall and the traffic. The question is - why is there suddenly traffic appearing from every country in the world at the same time? And again a number of hours later? And again 5 or 6 times? Suddenly there are inbound packets from every country in the world, for an hour or two, then it dies off. For some countries, the first 'stripe' is also the start of consistently higher traffic from that country. Does this mean anything?

    I think it might be more useful to know the actual dates, and see if this corresponds with any spikes in spam or virus activity. What would be most useful would be to know the dest port number of the inbound traffic; that could give us much better clues as to the reasons behind the patterns.

    --
    Ho! Haha! Guard! Turn! Parry! Dodge! Spin! Ha! Thrust!
  28. Ad by Anonymous Coward · · Score: 5, Insightful

    it means that this is an ad for Quova and Green Phosphor's Glasshouse

    1. Re:Ad by Alcemenes · · Score: 1

      For three easy payments of $49.95 (plus shipping and handling)

  29. "And its freaking crazy looking" by PCM2 · · Score: 5, Insightful

    Am I the only one who found the five minutes of this video to be about as interesting as listening to a stoned person describe the cracks on the ceiling?

    You designed the visualization, buddy. If it's "freaking crazy looking," rather than yielding any useful insight, then obviously you did not visualize it in a meaningful way. You failed, in other words.

    But as an earlier poster noted, this is just a Slashvertisement for the visualization tool in question. No doubt it will be quite effective on the kind of people who talk as slowly as the guy in the video.

    --
    Breakfast served all day!
    1. Re:"And its freaking crazy looking" by garcia · · Score: 1

      You designed the visualization, buddy. If it's "freaking crazy looking," rather than yielding any useful insight, then obviously you did not visualize it in a meaningful way. You failed, in other words.

      I don't know this guy or how he obtained the data he used to build the visualization but based on his question asking what is happening, it would appear that he doesn't understand the data that he analyzed visually. So, to respond to your point that it's his fault because he couldn't properly frame the data visually, well, I can't say it's really his fault. He doesn't seem familiar with the data and thus probably wouldn't be able to give anyone else something useful.

    2. Re:"And its freaking crazy looking" by Eightbitgnosis · · Score: 0, Troll

      I read the author and learned a little about network usage patterns and how to look at them. I read your post and saw a lot of complaining. Point goes to the original author

    3. Re:"And its freaking crazy looking" by Dr.+Evil · · Score: 5, Insightful

      I wouldn't be so quick to support the author. The voice on the youtube video sounds a lot like the voice on the youtube video featured on the front of the webpage for http://www.greenphosphor.com/. If not him, look at the related videos, notice a pattern? Maybe one of the other voices talking about features of the product will sound familiar.

    4. Re:"And its freaking crazy looking" by Anonymous Coward · · Score: 0

      rather than yielding any useful insight, then obviously you did not visualize it in a meaningful way. You failed, in other words.

      Here's another example of another cyber security fail.

    5. Re:"And its freaking crazy looking" by Eightbitgnosis · · Score: 0, Troll

      ...why do I care who is speaking? It's just random information to me. Sure the format they present their data does kinda suck, but there is information in these graphs. If someone else can do better then by all means I'm waiting for their slashdot article.

    6. Re:"And its freaking crazy looking" by Anonymous Coward · · Score: 0

      Am I the only one who found the five minutes of this video to be about as interesting as listening to a stoned person describe the cracks on the ceiling?

      Hey, at least it is better than NASA's videos / live streams, right?
      Boy, they sure know how to bore even the scientist in me.

    7. Re:"And its freaking crazy looking" by mr+exploiter · · Score: 1

      Hey I agree with you but it's not necessary to be so aggressive towards the advertisers, after all they are the ones that allow Slashdot to continue existing.

  30. The smell of fresh grass by noidentity · · Score: 0, Redundant

    Hmmm, I don't know. As I sit here sipping my soda, the imagery reminds me of various things. One thing comes to mind, though.

  31. Several factors contribute to this graphics ... by GNUALMAFUERTE · · Score: 2, Interesting

    First, we would need to know what kind of traffic we are seeing. TCP/UDP? Web? DNS?

    On the other hand, I think you have only partial logs, that would explain many of the blanks on your data. Some blanks are too geometric to be correct, you are probably missing a shitload of data.
    You have to take into account that, and timezones. Timezones are the key to this. This is probably some public service that gets hit at regular intervals (root DNS server, webserver holding news/stock/climate or similar information, etc). Timezones would explain the pattern. We would need to check times for each country against a timezone table to see if they correlate.
    I'm also pretty sure that if someone took the time to look at the most active countries, and the less active countries, and some groups in between, we would be able to probably determine what kind of traffic this was.

    Some people mentioned botnets, and there's a big chance that they have a huge influence on these graphs; again, matching timezones against this graph would help us understand.

    I don't know what kind of information the submitter has on the logs, or how he got them, but if he could post at least a small sample, that would help a lot. /methinks that submitter has a lot to do with the tool he's using, and this is just another slashvertisement.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  32. check the news for 27 Sept 2009 by Anonymous Coward · · Score: 0

    e.g.
    http://en.wikipedia.org/wiki/Portal:Current_events/2009_September_27

    Iranian missile tests?
    Afghanistan surge request?
    German elections?
    Ooh - probably the Venezuelan ban on Family Guy - that would surely stir up traffic....

  33. It looks like by kilodelta · · Score: 1

    Web robots. Just put a robots.txt file in your web directory and that pretty much shuts it down.

    Also take into account that China, Russia, et al. are +12 from us, so that might explain some of it. In other words, they might be caching your site.

  34. Umm by DrugCheese · · Score: 1

    So why is he using State property for personal gain? My guess is his logs for his website were way too boring.

    Shouldn't there be some agency in Florida who does not want their logs posted, even in cartoon format, in an internet video. I'm guessing this is probably either the Florida Dept. of Revenue or the Florida Dept. of Financial Services.

    --
    *DrugCheese rants*
    1. Re:Umm by ceoyoyo · · Score: 1

      Maybe he made the whole thing up.

  35. It just means by OeLeWaPpErKe · · Score: 5, Interesting

    (this is a guess, obviously. Full netflow data would tell me more, but only way to be really sure would be a full packet trace)

    This just shows that you're being scanned with random source IP addresses (that's why the vertical stripe lights up). It is essentially a check to see if part of the botnet has more firewall access than other parts, or if a loadbalancer directs stuff to different firewalls, or if you have additional BGP uplinks, some of which might not be quite as secure.

    Then the real scan starts, which uses the information gained in the first phase to make sure it tests out all the firewalls the target network has. Especially in the case of backup bgp links, where traffic comes in on physically and administratively different lines (say 1 verizon, 1 at&t, if you've got money to burn, and most govt. idiots feel the need to burn money). If the company in addition to the multiple uplinks outsources firewalls to those ISPs (or "security", not knowing what they're buying and getting nothing more than a smug false sense of security), again this is done by too many govt. agencies, you are bound to find holes this way. This uses actual bandwidth, and cannot be done on some networks. So what you're seeing is a disproportionate amount of scanning traffic coming from countries with fast networks and few watchful netadmins (or netadmins that just don't care, in Turkey's case), and many unsecured computers (and dear God, Turks and Russians really do not see any need for virus scanners, but generally you'd see a few other countries in there too. Heh the Russians are probably worried that running a virus scanner will interfere with their development of new viruses)

    The regular repeats of vertical lines are probably to rescan reachability information, in case something changed. BGP can be twitchy, especially with incompetent local admins (on the botnet side of the network I mean)

    From the (low) speed of the attack you can further deduce that it was an advanced attack, meant to stay below rate limiters, and presumably meant to stay below the radar. And from the resources required to pull this off you can deduce that this was not a lone hacker. Perhaps an organization (these days, tracing source IPs for security attacks almost invariably yields an IP address in far inland China, which is not because the russians have stopped attacking networks, but the Chinese are putting quantity above quality it seems these days).

    And frankly, if someone has this kind of patience, generally they will find at least something, even in a well maintained network. Best hope it was only some files left out in the "public" folder or ~username folders. It's a good bet they probed the network security in other ways too (esp. googling), with IPs that will tell you much more about where the attack is coming from (using many hops is possible, but results in very slow page loads. And we're all human)

    Btw : looking up a net's country can be done quickly via dns, no need for external company, no need for any tax dollars :

    [kimmy@t61 ~]$ host -t TXT 104.79.125.74.cc.iploc.org
    104.79.125.74.cc.iploc.org descriptive text "US"

    (don't forget to reverse the IP address : looking up 1.2.3.4 is done by host -t TXT 4.3.2.1.cc.iploc.org)

    1. Re:It just means by TooMuchToDo · · Score: 1

      Perhaps the same group China was using to pull data from Google? It would match with the criteria you outlined in your post (sophisticated attack, resources required, etc). Whoever is handling the LEO side of the Google investigation should get a copy of these logs.

    2. Re:It just means by Anonymous Coward · · Score: 0

      Btw : looking up a net's country can be done quickly via dns, no need for external company, no need for any tax dollars :

      [kimmy@t61 ~]$ host -t TXT 104.79.125.74.cc.iploc.org
      104.79.125.74.cc.iploc.org descriptive text "US"

      (don't forget to reverse the IP address : looking up 1.2.3.4 is done by host -t TXT 4.3.2.1.cc.iploc.org)

      The DNS interface sure is nice, too bad iploc is wrong in about 100% of the cases I tried, though.
      Tried 8 IP addresses belonging to various businesses, organisations and universities in Europe. The closest iploc.org came was NL for a German publisher. The rest was all over the place, mostly US, sometimes CN.

      A quick google for "IP address geocoding" and taking the first result, gave me the following:
      lynx -dump "http://api.hostip.info/get_html.php?ip=192.0.32.10"

      100% correct in my small test sample. Most inaccurate one was "EU" instead of "UK" - not incorrect, just inaccurate.

    3. Re:It just means by OeLeWaPpErKe · · Score: 1

      It's been relatively accurate for me. Perhaps the servers you looked up were colocated ?

  36. bot net by Jessta · · Score: 1

    My guess is that it's a bot net becoming active.
    The countries with higher traffic during that period are countries that are widely known to have high bot net activity; they are also more likely to have server bot net activity, which is why they don't stripe like the other countries.

    The stripes are likely day/night where infected PCs are turned off when not in use.

    --
    ...and that is all I have to say about that.
    http://jessta.id.au
  37. classic Bot activity by Anonymous Coward · · Score: 0

    Considering the countries involved and the pattern of propagation, it seems obviously bots. Remember also they took every 40th packet, so when he says 100 pings he's talking 4,000, which is a lot of activity.

  38. Are the numbers supposed to be multiplied by 40? by hellop2 · · Score: 1

    So 300p/hr = 12000p/hr?

    --
    How many more years will slashdot have an off-by-one error on your Score in your profile?
  39. Re:Skylab Shreds by rednip · · Score: 4, Insightful

    You're trying to imagine shapes in clouds; there is no context. Video conference call, maybe? Also, could be synchronization, or backups. Spooky garbage for the tin foil hat crowd, I hear there's a good business in it these days. It's an ad for a 3D graphing service.

    --
    The force that blew the Big Bang continues to accelerate.
  40. If you don't know what your logs are... by Anonymous Coward · · Score: 0

    Then maybe you have been promoted to the point of failure. Typical government hiring... look for the degree first and the intelligence to pound sand out of a boot second.

  41. Distributed ssh attacks by discordia666 · · Score: 1

    Over the past week I've had the following countries hitting my ssh:

      108 location: RO
      121 location: CZ
      122 location: HU
      133 location: AU
      142 location: HK
      143 location: MX
      145 location: BR
      151 location: TH
      152 location: CO
      158 location: IN
      183 location: MU
      184 location: NL
      191 location: ES
      205 location: ININ
      234 location: JP
      252 location: FR
      270 location: CA
      306 location: PL
      313 location: GB
      314 location: TW
      355 location: CNCN
      364 location: IT
      379 location: RU
      399 location: KR
      632 location: DE
    1361 location: CN

    1. Re:Distributed ssh attacks by rwa2 · · Score: 1

      That's pretty normal...

      aptitude install denyhosts
      should give you some relief by adding firewall rules against hosts that blatantly try to brute-force your machine for weak ssh passwords.

    2. Re:Distributed ssh attacks by jra · · Score: 1

      I'm prone to Samhain's SSH brute-force blocker script; I use the tcpwrappers approach myself.
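
The denyhosts / tcpwrappers approach the two replies above describe, as an added worked example (not code from either poster or from denyhosts itself): parse OpenSSH "Failed password" lines, flag any source with at least N failures inside a sliding window, and emit the matching /etc/hosts.deny entries. The auth-log sample, the year (syslog timestamps carry none; 2009 is assumed) and the IP-to-country map are all constructed for the demo; a real run would read /var/log/auth.log and a geolocation database.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed OpenSSH auth-log sample (not the poster's host). One fast guesser,
# one slow guesser spread out over two hours, one legitimate user with two typos.
SAMPLE_AUTH_LOG = """\
Sep 27 02:00:01 fw sshd[1001]: Failed password for invalid user oracle from 203.0.113.5 port 33001 ssh2
Sep 27 02:00:15 fw sshd[1002]: Failed password for invalid user test from 203.0.113.5 port 33002 ssh2
Sep 27 02:00:31 fw sshd[1003]: Failed password for root from 203.0.113.5 port 33003 ssh2
Sep 27 02:00:47 fw sshd[1004]: Failed password for invalid user admin from 203.0.113.5 port 33004 ssh2
Sep 27 02:01:02 fw sshd[1005]: Failed password for root from 203.0.113.5 port 33005 ssh2
Sep 27 02:01:19 fw sshd[1006]: Failed password for invalid user guest from 203.0.113.5 port 33006 ssh2
Sep 27 02:05:00 fw sshd[1007]: Accepted publickey for deploy from 192.0.2.77 port 40000 ssh2
Sep 27 02:10:00 fw sshd[1008]: Failed password for deploy from 192.0.2.77 port 40001 ssh2
Sep 27 02:10:20 fw sshd[1009]: Failed password for deploy from 192.0.2.77 port 40002 ssh2
Sep 27 03:00:00 fw sshd[1010]: Failed password for root from 198.51.100.20 port 5001 ssh2
Sep 27 03:30:00 fw sshd[1011]: Failed password for root from 198.51.100.20 port 5002 ssh2
Sep 27 04:00:00 fw sshd[1012]: Failed password for root from 198.51.100.20 port 5003 ssh2
Sep 27 04:30:00 fw sshd[1013]: Failed password for root from 198.51.100.20 port 5004 ssh2
Sep 27 05:00:00 fw sshd[1014]: Failed password for root from 198.51.100.20 port 5005 ssh2
"""

# Hypothetical source -> country map standing in for a geolocation lookup.
GEO = {"203.0.113.5": "CN", "198.51.100.20": "RU", "192.0.2.77": "US"}

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+ ssh2$"
)


def parse_failures(text, year=2009):
    """Return (timestamp, source ip, username) for each failed-password line."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other sshd chatter are ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        out.append((ts.replace(tzinfo=timezone.utc), m["ip"], m["user"]))
    return out


def find_brute_forcers(failures, threshold=5, window_minutes=10):
    """Sources with at least `threshold` failures inside any sliding window of
    `window_minutes`. Returns {ip: timestamp of the failure that crossed it}.
    A guesser that spaces attempts wider than the window never trips this, which
    is the known limit of a per-source counter."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _user in sorted(failures):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def hosts_deny_lines(flagged):
    """tcpwrappers /etc/hosts.deny entries for the flagged sources."""
    return [f"sshd: {ip}" for ip in sorted(flagged)]


def failures_by_country(failures, geo):
    """Per-country totals, the shape of the list posted above."""
    return Counter(geo.get(ip, "??") for _ts, ip, _user in failures)


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_AUTH_LOG)
    print("\n".join(hosts_deny_lines(find_brute_forcers(fails))))
    print(failures_by_country(fails, GEO))
```

With the defaults only 203.0.113.5 is blocked; the source spacing attempts 30 minutes apart stays under a 10-minute window and only shows up when the window is widened to three hours, which is why the per-country totals are still worth looking at alongside the blocker.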

  42. what when where who? by quantumpineal · · Score: 1

    there's absolutely no context given at all here. and the fact that ips are coming from different countries could simply mean that proxies are being used in those countries. you say you work for the government?

    --
    ~don't feel threatened by my pineal~
  43. Great ways to start a conversation by Anonymous Coward · · Score: 5, Funny

    "I happened to have access to five days worth of firewall logs from a US state government agency..."

    "While skimming through my grandmother's cookbook, I stumbled upon a recipe for processing yellowcake uranium..."

    "In passing, a close personal friend mentioned to me that he would deploy ~30k troops to a Mideastern country, but he's worried that the local restaurateurs won't serve fresh babaganoush ..."

    "While I was talking to a famous adult film star about my successful experiment with cold fusion..."

    "I was fighting against an alien invasion of the Soviet Union the other day. Natalie Portman and I prepared a platoon of sharks with frickin' hotgrits cannons on their heads, but the unwelcome overlords kept jumping the sharks..."

    1. Re:Great ways to start a conversation by jra · · Score: 1

      +1 Funny. (I'm in the thread, or I'd mod.)

    2. Re:Great ways to start a conversation by Anonymous Coward · · Score: 2, Funny

      I want to be your friend.

    3. Re:Great ways to start a conversation by PCM2 · · Score: 0, Troll

      Awww, man. I shoulda just wrote this one, saved myself some time.

      --
      Breakfast served all day!
  44. I know what it is by Anonymous Coward · · Score: 0

    An ad. Same voice on this video as on the demo for the software company who made the 3D charting. 3D charting, whoop-de-fucking-do.

  45. Re:Skylab Shreds by ozmanjusri · · Score: 0, Redundant
    You should have some clue where inbound traffic is coming from and why.

    And talking of getting clues, this also needs more context.

    Computers are used by people. People who wake up, work, play, sleep, have weekends, business holidays, religious holidays, events and a pantheon of other reasons why they might act in seeming semi-concert.

    Without knowing what network this firewall is on, what reasons there might be attempted access, we have no way of analysing the results. The "lines" could just be timezone effects.

    On a side note, it's amusing to watch the way timezones affect Slashdot mod points, especially on controversial comments. Around 9pm my time (Perth, Western Australia), there's always a flood of downvotes for pro-FOSS or anti-proprietary comments. Work that one out...

    --
    "I've got more toys than Teruhisa Kitahara."
  46. Time zones and day of week by Anonymous Coward · · Score: 0

    Group countries by timezone they appear in. You may see spikes correlated to zone. Also think about the day of week. Not everybody has the same days or any days off.
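
Several comments above ask the same things of the data: whether blocked and passed packets were separated (comment 21), what the destination ports and protocols are (comments 24 and 27), and whether the stripes survive once each country's hour is shifted to its local time (comments 31, 45 and 46). This added example, which is not the submitter's parser or Green Phosphor's tool, does all three over constructed iptables-style log lines. The ACCEPT/DROP word is assumed to be the --log-prefix of the rule that logged the packet, the year is assumed to be 2009 because syslog timestamps carry none, and the source-to-(country, UTC offset) table is made up; a real run would take it from a geolocation database.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in iptables/syslog style; not the submitter's logs.
SAMPLE_LOG = """\
Sep 27 00:05:11 fw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80
Sep 27 00:06:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Sep 27 00:07:45 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=22
Sep 27 00:08:10 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=5556 DPT=22
Sep 27 00:09:00 fw sshd[4242]: Accepted publickey for admin from 192.0.2.200 port 51000 ssh2
Sep 27 01:15:00 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
Sep 27 01:16:30 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=1434 DPT=1434
Sep 27 01:17:00 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Sep 27 23:59:59 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=80
"""

# Hypothetical source -> (country, UTC offset in hours); made up for the demo.
GEO = {
    "198.51.100.7": ("RU", 3),
    "203.0.113.9": ("CN", 8),
    "192.0.2.200": ("US", -5),
}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+"
    r"(?P<action>ACCEPT|DROP)\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line, year=2009):
    """Return a record for a firewall log line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m["rest"]))
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "action": m["action"],
        "src": kv.get("SRC"),
        "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,  # ICMP carries no port
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def count_by_country_hour(records, geo, local=False):
    """Counter keyed by (country, hour, action). The hour is UTC, or the
    source's local hour when local=True, which is the timezone test above."""
    counts = Counter()
    for r in records:
        cc, offset = geo.get(r["src"], ("??", 0))
        hour = r["ts"].hour
        if local:
            hour = (hour + offset) % 24
        counts[(cc, hour, r["action"])] += 1
    return counts


def count_by_port(records):
    """Counter keyed by (protocol, destination port, action)."""
    return Counter((r["proto"], r["dpt"], r["action"]) for r in records)


def distinct_countries_per_hour(records, geo):
    """Distinct source countries seen in each UTC hour; a 'vertical stripe' is
    an hour where this jumps for every country at once."""
    seen = {}
    for r in records:
        cc = geo.get(r["src"], ("??", 0))[0]
        seen.setdefault(r["ts"].hour, set()).add(cc)
    return {h: len(s) for h, s in seen.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(count_by_country_hour(recs, GEO, local=True).items()):
        print(key, n)
    print(count_by_port(recs))
    print(distinct_countries_per_hour(recs, GEO))
```

Keying on action and destination port is what turns "packets per country per hour" into something interpretable: three DROPs to port 22 from two countries in the same hour is a scan, one ACCEPT to port 443 is a visitor, and the two look identical once they are summed into a single bar.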

  47. Uh, that's PETER GIBBONS! by adosch · · Score: 1

    If that's not the voice of Peter Gibbons from Office Space, then slap me silly!

    "...Well, I generally come in at least fifteen minutes late, ah, I use the side door - that way Lumbergh can't see me - and, uh, after that I just sorta space out for about an hour and visualized activity by hour and country. I... took a bunch of the IP's from the logs, sent them to a company called Initech; Initech took every... (sent millions of them) Initech took every 40th one and sent them to Lumberg's house."

    1. Re:Uh, that's PETER GIBBONS! by spydum · · Score: 1

      Were you watching E! ? Office Space just ended, and I was thinking the same thing!

    2. Re:Uh, that's PETER GIBBONS! by jra · · Score: 1

      I used to date a girl who crewed on Office Space; do I get karma points for that?

    3. Re:Uh, that's PETER GIBBONS! by droopycom · · Score: 1

      Close, but no... You just missed one strategically placed 'S' to get it...

    4. Re:Uh, that's PETER GIBBONS! by TangoMargarine · · Score: 1

      I used to date a girl...do I get karma points for that?

      Seeing as this is Slashdot...

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  48. Mod parent up by Anonymous Coward · · Score: 1, Informative

    Exactly. This guy is advertising his own not-very-creative service.

    Sure - he just happens to have access to the US State Department logs, but isn't smart enough to look at the packets?

      Astroturf.

  49. CrazyFireWallActivityGenerator.c by mysidia · · Score: 1

    void GenerateCrazyFirewallActivity(struct in_addr dest[NUM_TARGETS], int hour, int minute)
    {
        int i, j, count;
        int SpoofPackets[NUM_COUNTRIES][HOURS_OF_THE_DAY] = { { 10, 17 }, .... };
        for (j = 0; j < NUM_TARGETS; j++)
            for (i = 0; i < NUM_COUNTRIES; i++) {
                count = SpoofPackets[i][hour] * random_fraction() + (confuse_the_hell_out_of_them ? 100 : 0);
                SpoofPacketsTo(dest[j], count);
            }
    }

  50. Bot-Net attack by MasterOfGoingFaster · · Score: 1

    I'd guess you are seeing a bot-net attack. The bot-net army would have the greatest numbers in IT-heavy countries (US, India, China). The command structure would cause them all to attack at (roughly) the same time, regardless of time zone.

    Or maybe you've been slashdotted.

    --
    Place nail here >+
  51. Privacy concerns - how did you get the data? by SuperKendall · · Score: 1

    Is no-one else bothered by the fact he has access to raw logs from a government system? Are there no privacy concerns from a private citizen being allowed to scan for users of government system? For instance, let's imagine it's the local IRS server - he now knows exactly what forms you were downloading, or perhaps visitors to a government site to help people find providers of mental health care. Really I don't care what the site was, it just seems like there's no valid reason for anyone to have raw data rather than aggregated data outside that department.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Privacy concerns - how did you get the data? by cbreak · · Score: 1

      That was the first thing I thought of.

      It seems quite stupid to give some random, untrustworthy company access to the IP address data of visitors of a government network. That probably violated a few privacy laws.

      And the only result is some boring, low resolution pseudo 3D graph? What a waste.

    2. Re:Privacy concerns - how did you get the data? by osu-neko · · Score: 1

      ... Really I don't care what the site was, it just seems like there's no valid reason for anyone to have raw data rather than aggregated data outside that department.

      Cool. Write your senators and tell them that (a) you want them to raise your taxes, and (b) you want the extra money to be used to hire IT experts for every government office to analyze firewall traffic.

      [If you aren't agreeable to (a), then don't bother whining about it.]

      --
      "Convictions are more dangerous enemies of truth than lies."
    3. Re:Privacy concerns - how did you get the data? by osu-neko · · Score: 1

      It seems quite stupid to give some random, untrustworthy company access to the IP address data of visitors of a government network.

      Government offices rarely give data to random, untrustworthy companies. They have specific companies they contract with.

      That probably violated a few privacy laws.

      Why do you say that? Which privacy laws mandate the government may never hire private sector contractors?

      --
      "Convictions are more dangerous enemies of truth than lies."
    4. Re:Privacy concerns - how did you get the data? by cbreak · · Score: 1

      It seems quite stupid to give some random, untrustworthy company access to the IP address data of visitors of a government network.

      Government offices rarely give data to random, untrustworthy companies. They have specific companies they contract with.

      Yes, but in this case it was obviously not a trustworthy one. Just look at this article! They posted it on youtube!

      That probably violated a few privacy laws.

      Why do you say that? Which privacy laws mandate the government may never hire private sector contractors?

      Hiring is one thing, telling them who visited their network another. And letting them post the results on the web is a completely different one.

  52. Naughty Country IP list by EmperorOfCanada · · Score: 1

    Where can one get a list of IP addresses for countries like China and India so that server admins like myself can block these countries entirely?

    1. Re:Naughty Country IP list by cbreak · · Score: 1

      Why would you want to do that? You don't expect evil people to use botnet nodes in every country?

    2. Re:Naughty Country IP list by fluffy99 · · Score: 1

      Where can one get a list of IP addresses for countries like China and India so that server admins like myself can block these countries entirely?

      Google can tell you within minutes what IP ranges correspond to non-US locations. Here's one such list that's reasonably close. http://www.experts-exchange.com/Networking/Misc/Q_21787352.html. You should also be blocking bogons (addresses that you shouldn't see on the internet, such as unassigned ranges) http://www.cymru.com/Documents/bogon-list.html.

      Keep in mind that blocking all foreign IPs isn't foolproof as some US clients may still end up going through a foreign relay or some sort of proxy. Also systems compromised by foreign adversaries or foreign controlled botnets will be seen coming from within the US. I block all non-US addresses, bogons, a few problematic US ISP ranges, and a select list of other subnets based on previous attacks. The company I work for also maintains a very large list of addresses to black-hole (both in and out) based on other information such as previous attacks or IPs controlled by foreign companies. Outgoing traffic to specific addresses triggers red flags for potentially compromised systems.

    3. Re:Naughty Country IP list by fluffy99 · · Score: 1

      Why would you want to do that? You don't expect evil people to use botnet nodes in every country?

      Simply this: If you don't expect any traffic from foreign countries, then it's safe and prudent to block traffic from foreign countries. It's the whole least-privileges approach applied at the firewall level. For example, you might have http/https accessible from anywhere, but VPN is only allowed from within the US where your sales staff is reasonably expected to travel.

      You're right that it's not foolproof, given botnets and compromised computers within the US. Still it's a layer of security that can improve the overall security of the network.

    4. Re:Naughty Country IP list by osu-neko · · Score: 1

      Where can one get a list of IP addresses for countries like China and India so that server admins like myself can block these countries entirely?

      If I block all Canadian IP addresses, will I no longer have to view comments from clueless server admins like yourself?

      --
      "Convictions are more dangerous enemies of truth than lies."
    5. Re:Naughty Country IP list by RocketRabbit · · Score: 1

      Because for most people, the only traffic coming from those places is bad traffic.
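
The policy fluffy99 lays out above (bogons dropped, a black-hole list from previous attacks, http/https from anywhere, VPN only from the countries where you expect users, everything else denied) as an added worked example in Python; this is not the poster's ruleset or any firewall's native syntax, just the decision logic, which is what you would feed into ipset or iptables rules. The bogon list is a subset of the well-known non-routable ranges; the country table and the blacklist are hypothetical, using the RFC 5737 documentation nets as stand-ins for real allocations (which is why those three nets are deliberately left out of the bogon list here).

```python
import ipaddress

# Non-routable / reserved ranges that should never be a source on the Internet
# side (subset of the published bogon list linked above). 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are documentation nets and would normally
# be here too; they are omitted because the demo uses them as fake allocations.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# Hypothetical country table; a real one is built from the RIR delegation files.
COUNTRY_NETS = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
]

# Sources black-holed after previous attacks (hypothetical).
BLACKLIST = [ipaddress.ip_network("203.0.113.0/25")]

# Per-port policy: None means any country, otherwise the allowed set. Ports not
# listed are denied. 1194 (OpenVPN) is the "VPN only from the US" case above.
PORT_POLICY = {80: None, 443: None, 1194: {"US"}}


def country_of(addr):
    """Longest-prefix match against COUNTRY_NETS; '??' when nothing matches."""
    best = None
    for net, cc in COUNTRY_NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


def decide(src, dst_port):
    """Return (verdict, reason) for an inbound connection attempt, in the
    order a firewall would evaluate the rules: bogon, blacklist, port, geo."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("DROP", "invalid")
    if any(addr in net for net in BOGONS):
        return ("DROP", "bogon")
    if any(addr in net for net in BLACKLIST):
        return ("DROP", "blacklist")
    if dst_port not in PORT_POLICY:
        return ("DROP", "default-deny")
    cc = country_of(addr)
    allowed = PORT_POLICY[dst_port]
    if allowed is not None and cc not in allowed:
        return ("DROP", f"geo:{cc}")  # unknown country ('??') fails closed
    return ("ACCEPT", cc)


if __name__ == "__main__":
    for src, port in [("192.0.2.5", 1194), ("198.51.100.9", 1194), ("198.51.100.9", 443),
                      ("10.1.2.3", 80), ("203.0.113.77", 80), ("192.0.2.5", 23)]:
        print(src, port, decide(src, port))
```

The two caveats from the thread fall straight out of the logic: a US employee whose traffic leaves through a foreign relay arrives as 198.51.100.x and is dropped on 1194, and a compromised host inside 192.0.2.0/24 is accepted on 1194 like any other US source. Geo-blocking narrows the exposed surface; it does not authenticate anyone.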

  53. That wasn't complaining. THIS is complaining. by PCM2 · · Score: 5, Insightful

    You want complaining? How about this: This visualization is terrible.

    The video took five minutes to watch and most of it was him rolling over the bars in the 3-D chart so you can see what each of the lines means. If that's supposed to be a useful visual aid, I'll eat my hat. It's bad enough that you have to manually roll over every data element to figure out what it is; scrolling through the graph seemed dead slow. I hope that's not a limitation of the product itself.

    Simple labels on the axes of the graph would have been nice. Far be it from anyone to try to stick little flags next to the lines to represent different countries. Hell, just color-coding them in a totally arbitrary way would have made the graph easier to read.

    BTW, a quick look at the Glasshouse site reveals all their output looks pretty much just like this demo. And there's no evidence that you can export one of their rudimentary 3-D graphs to "pretty it up" in a real 3-D app. Instead, their raison d'être appears to be allowing you to run around looking at these graphs... in Second Life.

    I'm sorry, but if you're doing something like plotting fractals, for example, where visual similarity to patterns is the whole point, I can forgive you for coming to the conclusion that "it's crazy looking." If what you're doing is trying to provide a visual to aid in the interpretation of data, then the visual should -- y'know -- aid interpretation. A glance at this graph, on the other hand, reveals nothing; not even what it's supposed to represent.

    In summary, Edward Tufte will be rolling in his grave when he dies from looking at this graphic.

    --
    Breakfast served all day!
    1. Re:That wasn't complaining. THIS is complaining. by Baloo+Uriza · · Score: 1

      Wow, I'm all for finding new and interesting ways to use Second Life, but as a network visualization tool? That's a tad bit of a stretch.

      --
      Furries make the internet go.
    2. Re:That wasn't complaining. THIS is complaining. by melikamp · · Score: 1

      You bring up a good point: the raw data would be more eye-friendly than this travesty. But also, if it's not backed up by the free and open raw data - that is, if there is such data, but it's being kept secret - then it cannot be good science.

    3. Re:That wasn't complaining. THIS is complaining. by arkowitz · · Score: 1, Informative

      Everyone always wants me to have labels on the graphs. I don't put them there unless you roll over the data, because I want you to see the patterns in the data without bias first.

      I should not have called this graph "crazy looking". It is actually pretty simple and makes it quite clear what is going on, as you can see from the comments submitted by people talking about botnets.

      Finally, I am not interested in producing graphs which show you everything "at a glance". Use a pie chart for that. I am making graphs which facilitate a deeper understanding of larger amounts of data than Tufte dreamed of showing using his 2D paradigms.

    4. Re:That wasn't complaining. THIS is complaining. by Anonymous Coward · · Score: 0

      Not to mention that the numbers in the bottom graph don't seem to be evenly spaced. It goes from 2009-09-16hr11 to 2009-09-16hr15 to 2009-09-28hr00, all about the same distance apart. WTF? In what date system does *that* make sense?

    5. Re:That wasn't complaining. THIS is complaining. by Eightbitgnosis · · Score: 0, Troll

      Well, feel free to start a company anytime since you see it so clearly

    6. Re:That wasn't complaining. THIS is complaining. by Anonymous Coward · · Score: 0

      I am making graphs which facilitate a deeper understanding of larger amounts of data than Tufte dreamed of showing using his 2D paradigms.

      In your dreams! In 100 years we'll all be dead. People will still be reading Tufte to understand how best to present information visually, and no one will know that you ever drew breath.

    7. Re:That wasn't complaining. THIS is complaining. by PCM2 · · Score: 4, Interesting

      Everyone always wants me to have labels on the graphs. I don't put them there unless you roll over the data, because I want you to see the patterns in the data without bias first.

      Why? The only reason for that would be so you could go, "Whoaahh, it's crazy looking." You've proven that. Anonymous data with no points of reference has no meaning. If you honestly think your graph has more value to the viewer than this graph from 1880 showing the population of Sweden over time, I think you're kidding yourself.

      It is actually pretty simple and makes it quite clear what is going on

      That's debatable. I've argued that it could be much, much clearer.

      Finally, I am not interested in producing graphs which show you everything "at a glance". Use a pie chart for that. I am making graphs which facilitate a deeper understanding of larger amounts of data than Tufte dreamed of showing using his 2D paradigms.

      Careful. If you're trying to get into the data visualization business, it's a bad idea to make it known that you're completely ignorant of Edward Tufte.

      For starters, anyone who knows the slightest thing about Edward Tufte knows that he hates pie charts. So he would never say "use a pie chart for that."

      Second, contrary to your assertion, Tufte advocates for extremely data-rich graphics wherever possible. He does not advocate abridging large data sets out of laziness. He does, however, advocate data compression when it will reveal data, and he does not like "wasted ink." Your graphs appear to have miles and miles and miles of plotted data -- none of which is identifiable without mouse interaction -- but relatively few points of interest. As you scroll through the data set, half your movie seems to feature the text "empty" hovering in midair above the graph. In other words, your dataset may indeed be large, but your visualization of it is not particularly informationally dense.

      Finally, until such a time as your product can reach out of my flat-screen monitor and tweak me in the nose, you're every bit as tied to a "2D paradigm" as Tufte is. All you're doing is making it possible to adjust what is plotted in real time. Tufte would probably argue that it's better to get the plot right the first time. Allowing viewers to take their time to absorb a lot of data points is fine, but they shouldn't have to waste their time fiddling around with the plot to reveal those data points.

      --
      Breakfast served all day!
    8. Re:That wasn't complaining. THIS is complaining. by arkowitz · · Score: 2, Interesting

      Only change of perspective makes something 3D; this is the point of using a virtual world, so that the user can fly around building a spatial awareness.

      I do not want to produce a one-time "plot". I want to show data for what it is. If it doesn't look as nice as Tufte would have made it look, I don't care. The point is not to look nice... it's to provide the ability for people to see what is in databases, without bias. And I still don't think Tufte's paradigms work with as much data as these 3d ones do.

    9. Re:That wasn't complaining. THIS is complaining. by Cyberllama · · Score: 1

      It wasn't pretty, I'll grant you that -- but it wasn't a very obtuse representation. It very clearly shows a pattern, and it's vaguely interesting -- if you're into that sort of thing. The guy found something neat and thought he could talk about it and maybe promote his software at the same time. It's not that big of a deal. Yes, it's a bit deceptive the way its worded that he says "I used XXXX Software" without disclosing that he's the guy who made it -- it's clearly shameless self-promotion, but that sort of thing is par for the course with most Ask Slashdot posts. Nobody really cares as long as there's some actual content to discuss.

      I don't think it's super mysterious, however. It's clearly botnet activity. You get a sudden influx of connections from all over the world creating each of the 4-5 lines, and the countries which show the significant increase in activity past that point happen to be the ones which are known to be the most "wired" (and thus have the most bots): Russia, India, Brazil, China.

      I'm sure there's more to the story than that, but asking why a botnet attacks a US Government Agency is like asking why the sun shines. If you really want to know more than that, you need more data than you apparently have.

    10. Re:That wasn't complaining. THIS is complaining. by DesignPsychology · · Score: 1

      +1 for a reference to Edward Tufte regarding visual interpretation.

    11. Re:That wasn't complaining. THIS is complaining. by tenco · · Score: 1

      Everyone always wants me to have labels on the graphs.

      There may be a reason for that, don't you think?

      I don't put them there unless you roll over the data, because I want you to see the patterns in the data without bias first.

      How can i see a pattern if i don't know what your tuples consist of? An absolute minimum would have been "time" on the horizontal axis, "country" on the vertical one and "# of packets" on the z-axis. It could as well have been "coffee consumed at govt workstations while browsing slashdot for x mins".

    12. Re:That wasn't complaining. THIS is complaining. by dr_blurb · · Score: 1

      You want complaining? How about this: This visualization is terrible.

      The video took five minutes to watch and most of it was him rolling over the bars in the 3-D chart so you can see what each of the lines means.

      Try watching it with the sound off, which is my litmus test for visualization videos: if you can understand fairly quickly what's going on from the visuals only, then it's a good visualization.

      Needless to say, this video fails.

    13. Re:That wasn't complaining. THIS is complaining. by arkowitz · · Score: 0, Offtopic

      All you have to do is click once on the green cube at the origin and you have the description of the axes... but as that is not enough, I am going to add a feature with better axis descriptions. Optional of course. :)

    14. Re:That wasn't complaining. THIS is complaining. by Anonymous Coward · · Score: 0

      Did Edward Tufte die?

    15. Re:That wasn't complaining. THIS is complaining. by smallfries · · Score: 1

      PCM2 has tried to use simple logic and reason to explain to you why your approach is wrong. Rather than respond to his point about making an informationally dense representation you said:

      it's to provide the ability for people to see what is in databases, without bias

      There is no point in explaining to you why this is impossible as you've already shown that you wouldn't understand it, or would simply ignore it. So instead here is the relevant AI Koan from the Jargon file for you:

      "What are you doing?", asked Minsky.
      "I am training a randomly wired neural net to play Tic-tac-toe" Sussman replied.
      "Why is the net wired randomly?", asked Minsky.
      "I do not want it to have any preconceptions of how to play", Sussman said.
      Minsky then shut his eyes.
      "Why do you close your eyes?", Sussman asked his teacher.
      "So that the room will be empty."
      At that moment, Sussman was enlightened.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    16. Re:That wasn't complaining. THIS is complaining. by Anonymous Coward · · Score: 0

      I don't recall Minsky ever actually producing a real AI.

    17. Re:That wasn't complaining. THIS is complaining. by arkowitz · · Score: 1

      Here's a good one:

      Whitehead, British math professor and author of the Principia, was visiting Harvard as a guest lecturer. He was lecturing on logic, and every time he talked about P(a), the American students would burst out laughing. The stodgy professor was quite confused, as this had never happened in England. He asked for advice from a Harvard professor whom he knew, when he bumped into him in the hallway.

      The professor explained that the American students were not as genteel or demure as those in England, and were reacting to a double entendre when Whitehead talked about "the p-ness of a". Whitehead blushed, thanked the professor for explaining, and returned to the lecture hall the next day, determined to avoid further outbursts. He picked up where he had left off, now discussing A(p).

      (Not sure if he made up the joke, but I heard this from Professor David McCarty many years ago.)

  54. It's the people avoiding patterns to fear. by 955301 · · Score: 1

    This just doesn't seem like a big deal. The countries he points out are all in the same timezones so it's probably just their normal day starting. So this probably correlates to dns refresh or some other aspect (vertical) of general internet operations landing on the same hour.

    He needs tcp port analysis and to compare days - the pattern is probably the same from day to day.

    --
    You are checking your backups, aren't you?
    1. Re:It's the people avoiding patterns to fear. by AHuxley · · Score: 1

      Lights on and infected MS boxes start up in the tropics and old Europe?
      That would need some day/night bars on the graph per country of origin.
      You get that kind of thinking with $1,000,000 budgets from ex-spooks selling their services back to a flyover state via PowerPoint. "Please note China and Brazil"
      If a bot was written to target the US, why run your US bot during the US day, the gov admin might be just at their desk, awake and clicking.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:It's the people avoiding patterns to fear. by benjamindees · · Score: 1

      The countries he points out are all in the same timezones so it's probably just their normal day starting.

      He says in the video that it's five days of data.

      --
      "I assumed blithely that there were no elves out there in the darkness"
  55. What I'm wondering.... by Anonymous Coward · · Score: 0

    ...is when the FBI kicks his doors in for posting about firewall info from a US government org on slashdot, with videos on youtube.

  56. Re:Skylab Shreds by Jane+Q.+Public · · Score: 1

    Video conference calls do not last for hours or days. And why would somebody in China or Romania be "backing up" data from a state government website?

  57. Timezones? by magamiako1 · · Score: 1

    Nothing really "interesting". What you notice is that around 9:00PM a bunch of East Asian countries start to show some spiked traffic. My guess is botnets on computers that are being turned on during the day generating a lot of traffic data. Or just computers coming on in general, for anything. There's no context as to what data they were requesting, it could have been simple search hits or image hits, or link hits in google or whatever else. But what it shows to me is nothing more than "hey look, the eastern half of the world wakes up when it's evening time in the US."

  58. What a let down by Aoet_325 · · Score: 1

    Normally I'd love this sort of thing. I pore over logs in my spare time - for kicks even, but this video just bored me. For nearly half the video this thing never goes beyond "look! people in different countries are active at different times!".

    Even the few things that almost start to seem interesting leave you unable to gain any insight because there is just no information. There isn't any useful data to work with.

    What this fails to provide us with is what kind of traffic this was in the first place. Any reasonably large site is going to get hit with all kinds of background noise, and so the fact that they found themselves with large amounts of "traffic" from 'nearly every country' doesn't surprise me.

    This seems to be nothing more than an example of a very dull and uninformative way to display a large collection of something very, very common.

    1. Re:What a let down by Random+Walk · · Score: 1

      There isn't any useful data to work with that we have about stars - only their light. Yet some people have seen that as a challenge, and have built a whole branch of science on it. There's plenty of obvious structure in that visualisation, meaning there's plenty of information.

  59. Re:Skylab Shreds by pipatron · · Score: 4, Insightful

    It's an ad for a 3D graphing service.

    Indeed, the guy from the graphing service is the same guy who made this.

    --
    c++; /* this makes c bigger but returns the old value */
  60. Data jumps? by mother_reincarnated · · Score: 1

    Maybe the fact that you put random chunks of data from days apart next to each other has something to do with it?

  61. Whose site? by Anonymous Coward · · Score: 0

    Well gee, I wonder... You've got a US Federal Agency, and spikes at certain times of day and from certain nations... it couldn't possibly be botnet/network attacks?

    Nice slashvertisement btw //sarcasm

  62. hey, i have access to this amazing tech by circletimessquare · · Score: 1

    for a powerful client, but i need, you, random slashdork, to help me out here

    no, i'm not a salesman

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:hey, i have access to this amazing tech by Nikker · · Score: 1

      LOL, it's funny cause it's true.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    2. Re:hey, i have access to this amazing tech by benjamindees · · Score: 1

      no, i'm not a salesman

      Are you Fox Mulder?

      --
      "I assumed blithely that there were no elves out there in the darkness"
  63. It means... by Baloo+Uriza · · Score: 1

    ... you should hire someone who knows what they're doing, and/or quit acting like the kids from Jurassic Park. Pretty pictures alone don't tell the whole story in the real world.

    --
    Furries make the internet go.
  64. Looks like a sneaky ad to me. by Jane+Q.+Public · · Score: 5, Insightful

    I see no reason whatever that it would be necessary to use either Quova or Green Phosphor. Any competent programmer could have sampled the data, used whois to get location, and then used about 1000 different programs to visualize the data just as well. (Like Crystal Reports or Seagate.)

    The fact that OP did neither, and is involved at a high level with one of the two companies, makes this whole post suspicious.

    My best guess is that OP thought he had discovered a way to freely advertise via Slashdot, and victimized us as a result.

    I get enough Spam. I don't need to see even more, on Slashdot. Can this user be blocked?

    1. Re:Looks like a sneaky ad to me. by Anonymous Coward · · Score: 0

      The thing that strikes me is - I wonder whether the State agency the logs are from would want this guy sending data around and posting information like this on the internet.

    2. Re:Looks like a sneaky ad to me. by tpstigers · · Score: 1

      Just guessing here, but I'm assuming that the guy who cooked up this advertising scheme also cooked up the data.

    3. Re:Looks like a sneaky ad to me. by osu-neko · · Score: 1

      Any competent programmer could have sampled the data, used whois to get location, and then used about 1000 different programs to visualize the data just as well. (Like Crystal Reports or Seagate.)

      How do you use whois to get the geographic location of an IP address? I know how to get the mailing address of a registrant this way, but that's an utterly unrelated question...

      --
      "Convictions are more dangerous enemies of truth than lies."
    4. Re:Looks like a sneaky ad to me. by flydpnkrtn · · Score: 2, Insightful

      I know it's trollish, but the real question is: can kdawson be blocked?

      (yes I know you can block authors in your user prefs... I mean from Slashdot entirely.... save us the pain, please, for the love of god)

    5. Re:Looks like a sneaky ad to me. by adaviel · · Score: 1

      Whois providers get pissed off if you start making millions of queries. I used to analyse logs with thousands of entries, and carefully cached netblock ranges in a database to avoid hitting them too often, but that might not scale to millions.

    6. Re:Looks like a sneaky ad to me. by Jane+Q.+Public · · Score: 1

      The public registry is just that: public. And the domain name registrars are required by law to supply their whois information. It might not make them happy; you wouldn't want to effectively do a DoS attack on them, but if you space your queries you should get all the results you need.

    7. Re:Looks like a sneaky ad to me. by Jane+Q.+Public · · Score: 1

      Well, you might have to do your best guess, algorithmically, among owner's address, tech admin address, and other whois information.

      There are also services that will do this for you. But keep in mind that this data was sorted by country. Most of the time that should not be hard to discover.

    8. Re:Looks like a sneaky ad to me. by adaviel · · Score: 1

      Well, yes. But I quote, from jwhois google.org: "..under no circumstances will you use this data to..enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator or any ICANN-Accredited Registrar, except as reasonably necessary to register domain names or modify existing registrations." I have an idea I had seen one whois server apply throttling, and not return more than N responses/hour. I forget the value of N.

    9. Re:Looks like a sneaky ad to me. by Jane+Q.+Public · · Score: 1

      That's like shrink-wrap EULAs. Has no force of law. That is to say, they can do whatever they want with their service, but that has no bearing on the whois information itself.

      Whois information is PUBLIC. Google has no legal right to restrict its use. Nor, for that matter, can ICANN. That would be contrary to the entire principle of having public whois information in the first place.

      Google can restrict their service if they want, but they can't restrict the information itself. And really, it's all kind of irrelevant, since Google is not a domain name registrar anyway. Google has no right to put limitations on the information from domain name registrars... all they can do is restrict their own service.

    10. Re:Looks like a sneaky ad to me. by Jane+Q.+Public · · Score: 1

      Please do not misunderstand me: I am not suggesting that this particular user should be blocked. I meant it in a more general manner: if a user is attempting to spam Slashdot, can they be blocked? I think probably. After all Slashdot has been around a while. I bet they have run into more blatant attempts before. You have to at least give this guy credit for being somewhat clever about it.

    11. Re:Looks like a sneaky ad to me. by HeadlessNotAHorseman · · Score: 1

      Please do not encourage anyone to use Crystal Reports. My limited experience of it has been enough to make me limit my experience of it. It is so full of annoying idiosyncrasies and bugs^h^h^h^hfeatures that it nearly drove me (and my team) crazy.

      --
      I like my coffee the way I like my women - roasted and ground up into little tiny pieces.
    12. Re:Looks like a sneaky ad to me. by cdrguru · · Score: 1

      WHOIS is pretty meaningless. Most of the registrars will now allow semi-anonymous entries, like:

      Mr. Nona YourDamBisness
      Somewhere
      Mt. Everest, Tibet

      As long as they are doing that, well, WHOIS only has "nice" people in it. Anyone doing something real on the Internet can set their WHOIS information to point to nobody, their attorney, their grandmother, or someone they would like other people to spam.

    13. Re:Looks like a sneaky ad to me. by adaviel · · Score: 1

      It's not Google restricting the use, it's the .org registrar. I just happened to choose google.org as an example. Whois was never designed as a general search engine, and it seems reasonable to me that the operators can throttle access to their service if that allows it to continue to run for free. If they did not, the service would crash or the pipe saturate under the load of spammers looking for email addresses, and then everyone would complain that whois was broken and stop using it.

    14. Re:Looks like a sneaky ad to me. by Jane+Q.+Public · · Score: 1

      Throttle, yes. I mentioned that myself. Limit, no.

  65. basic interpretations by v1 · · Score: 1

    The vertical stripes, indicating worldwide activity at the same time, are probably the result of botnets being ordered to target an area that includes your IP pool. (or possibly, specifically your organization - depending on where you got the logs this may be more or less likely) The horizontal stripes are of course showing continuous activity from specific regions, which can indicate activity of a regional botnet doing general penetration scans looking for more machines to infect. For example, botnets that tend to post their driveby installer on Russian web pages will be primarily comprised of participants from Russia or other Russian-speaking countries.

    You should also consider the sensitivity of the graph. Only having two axes is unhelpful. Could, for example, one high-bandwidth box at a single IP doing an intensive DDoS or password brute force on you be responsible for any of the horizontal lines? (in which case the graph is only showing number of connections, not number of UNIQUE IP connections) From that graph alone it's impossible to say if the attacks are distributed or simply high-bandwidth solo, which can lead to different conclusions. A single compromised Akamai server could look similar to a minor botnet on that graph.

    You'd be advised to take a horizontal or vertical slice you are interested in and examine it alone, creating a new 2d graph with other information on the other axis. More patterns are bound to develop and you can further regraph with new information until clear patterns stop, and then you can consider the patterns you've identified as a group.

    --
    I work for the Department of Redundancy Department.
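    As an added illustration of the slicing v1 recommends (example code written here, not part of the thread or any poster's tooling): it parses constructed firewall log lines, counts both packets and distinct source IPs per country and hour so that one high-bandwidth host cannot pass for a distributed source, and then slices one cell further by protocol and destination port. The log format, the prefix-to-country table standing in for a geolocation service, and the sample lines are all constructed.

```python
"""Added example (not from the thread): count inbound packets per
(hour, country) as raw packets AND as distinct source IPs, then slice
one cell by (protocol, destination port).  The log format, the geo
table and the sample lines are constructed stand-ins."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in an iptables-style format (hypothetical).
SAMPLE_LOG = """\
2009-09-16 11:02:13 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=137
2009-09-16 11:02:14 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=137
2009-09-16 11:02:15 DROP SRC=203.0.113.7 DST=198.51.100.6 PROTO=TCP DPT=137
2009-09-16 11:03:01 DROP SRC=198.18.4.20 DST=198.51.100.5 PROTO=ICMP
2009-09-16 11:03:02 DROP SRC=198.18.9.31 DST=198.51.100.5 PROTO=ICMP
2009-09-16 11:04:40 DROP SRC=198.18.77.2 DST=198.51.100.7 PROTO=TCP DPT=137
2009-09-16 15:10:05 DROP SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=22
2009-09-16 15:10:06 DROP SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=22
2009-09-16 15:10:07 DROP SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=22
2009-09-16 15:10:08 DROP SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=22
"""

# Constructed prefix-to-country table; a real pipeline would call a
# geolocation service or a local GeoIP database here.
GEO_PREFIXES = {
    "203.0.113.": "AA",   # constructed country codes
    "198.18.": "BB",
    "192.0.2.": "CC",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ SRC=(?P<src>[\d.]+) "
    r"DST=[\d.]+ PROTO=(?P<proto>\w+)(?: DPT=(?P<dpt>\d+))?"
)


def country_of(ip):
    """Longest-prefix-free lookup against the constructed table."""
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_log(text):
    """Yield (hour, country, src, proto, dport) per line; skip unparsable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hour = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H")
        dport = int(m["dpt"]) if m["dpt"] else None   # ICMP carries no port
        yield hour, country_of(m["src"]), m["src"], m["proto"], dport


def aggregate(text):
    """Per (hour, country): (packet count, distinct source-IP count)."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for hour, cc, src, _, _ in parse_log(text):
        packets[(hour, cc)] += 1
        sources[(hour, cc)].add(src)
    return {k: (packets[k], len(sources[k])) for k in packets}


def port_slice(text, hour, cc):
    """Slice one (hour, country) cell by (proto, dport), as v1 suggests."""
    counts = defaultdict(int)
    for h, c, _, proto, dport in parse_log(text):
        if h == hour and c == cc:
            counts[(proto, dport)] += 1
    return dict(counts)


def classify(packets, distinct):
    """Crude heuristic: a band fed by one IP is a solo host, not a botnet."""
    return "distributed" if distinct > 1 else "single-source"


if __name__ == "__main__":
    cells = aggregate(SAMPLE_LOG)
    for (hour, cc), (pk, uniq) in sorted(cells.items()):
        print(f"{hour} {cc}: {pk} packets from {uniq} source(s) -> {classify(pk, uniq)}")
    print(port_slice(SAMPLE_LOG, "2009-09-16 11", "BB"))
```

On the constructed sample the AA and CC bands each come from a single IP, while BB is three distinct sources split between ICMP and TCP/137; the same packet count can mean very different things once the second axis is added.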
  66. Security issue? by Thaidog · · Score: 1

    Pretty sure I'd lose my job for posting this kind of stuff on slashdot....

    --
    ||| I still can't believe Parkay's not butter.

  67. what's going on ??? by NemoinSpace · · Score: 1

    Please tell me you're a VBA codemonkey and not a security specialist or interface designer. In which case, you should stop screwing around and get back to work!

    p.s. The comments on you tube are funnier than here.

  68. Re:Skylab Shreds by MojoRilla · · Score: 4, Insightful

    Uh...a bot net?

    That would explain most of it.

  69. Re:Skylab Shreds by Mal-2 · · Score: 4, Insightful

    Also is he plotting this based on potentially spoofed IP addresses? I'm thinking not just a botnet, but a botnet that doesn't care if it's getting packets back or not. It may not be every country in the world, just a bunch of random IPs coming from zombies which may (or may not) be in far-flung places.

    Mal-2

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  70. did you also have a coca-cola(TM) by Punto · · Score: 1

    while you were processing the numbers? did you use Microsoft(TM) Windows(R) Moviemaker(C) to make the Youtube(TM) video?

    --
    Stay tuned for some shock and awe coming right up after these messages!

    1. Re:did you also have a coca-cola(TM) by heson · · Score: 1

      No, he is not selling those.

  71. Re:Skylab Shreds by Nikker · · Score: 2, Interesting

    It does seem like a type of coordination of interest in the site, possibly a bot-net, but it could also be due to press releases or other media publications since it is a gov site. You would have to look over many days and not just hours to come up with something conclusive, but it is nonetheless interesting that every country, even those in different time zones, accessed at the same time, and it is odd that the Chinese are interested that much in a US gov site at the same time, but I digress. Overall more information is needed, and over a longer time frame, to make any real conclusions.

    --
    A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
  72. News events by Anonymous Coward · · Score: 0

    If you had a history like Google you could probably map this to news events related to the government agency the logs are from.

    Lots of people watch what the US does, wouldn't surprise me to see this linked up to some sort of current event (current at the time of the logging that is).

    For instance if the logs were from data.gov and the logging was of all traffic (not just blocks) then you can probably find there were news stories released around the time everyone hits the site, and naturally once an initial story breaks certain countries are going to care more and sustain noticeable traffic.

    Of course with so little information provided, it's really just speculation.

    Of course, I also didn't bother to watch the whole ad (can't really call it an article, can we?), just bits and pieces so maybe I missed the details :)

  73. An Attempt at a Hardware Executable by not_hylas(+) · · Score: 0, Offtopic

    An Attempt at a Hardware Executable:

    I've noticed like kinds of this type of programming in "dead" boot block areas in disks, spirals, grids, pseudo (IDE) worlds.
    Got to run, check my nick for more:

    http://slashdot.org/~not_hylas(+)/

    A friends site:

    http://subversionhack.livejournal.com/

    --
    ~hylas
  74. Re:Skylab Shreds by whitelabrat · · Score: 1

    Looks like a botnet to me yo. What the fella doesn't explain is if that activity was inbound or outbound.

  75. Re:Skylab Shreds by MichaelSmith · · Score: 4, Interesting

    Yes, he knows the firewall and the traffic. The question is - why is there suddenly traffic appearing from every country in the world at the same time? and again a number of hours later? And again 5 or 6 times?

    I get a lot of distributed dictionary attacks like that. It's pretty normal.

  76. RTFV?!?!??!?! by A+nonymous+Coward · · Score: 1

    Don't you mean WTFV?

  77. Re:Skylab Shreds by adolf · · Score: 1

    Conference calls, backups, and synchronization from damn near every country on earth? For an agency within a single US state? No.

    Also, too: The packet rates are far too low for those activities. If you watch TFV, you'll see that the largest users are only up to around a couple hundred packets per hour, which is such a small number that even if you multiply it by 40 (due to the scaling done by the geo-IP service[1]), it's still far too small for those activities that you listed.

    Any other theories?

    [1]: It's not clear, to me, if we should be looking at these packet counts as they're shown in TFV, or multiplying them to account for the selection performed on the data.

  78. P2P anyone? by Anonymous Coward · · Score: 0

    Looks like return traffic on a P2P connection to me. I've seen similar patterns when a bittorrent client fires up on a popular torrent. You start getting pings from everywhere, and a few dozen hosts get really hot. Since this is only the inbound traffic, we don't get to see who or if anyone started it, just that it is synchronized and almost global, which means the trigger is almost certainly inside the firewall.

  79. this is probably peer to peer traffic by Anonymous Coward · · Score: 0

    Someone inside the state facility is initiating some kind of p2p program like bittorrent which polls the world and says "who has this movie". The whole world answers not me except for a few countries that tend to like to pirate stuff. Then the real traffic starts as it downloads some movie for the next few hours. Much later someone asks for a different movie or music file or whatever. Each vertical stripe is the request. The horizontal stripes are the files coming back.

  80. Distributed attack? by Progman3K · · Score: 1

    Maybe all the bots are part of the same botnet and were programmed to attack at the first spike.
    The fact they are located in different countries doesn't mean anything, it's simply hiding whoever is really behind the attack.

    --
    I don't know the meaning of the word 'don't' - J
  81. timed zombies by Ralph+Spoilsport · · Score: 1

    when something happens all over the world at the same time in DC, it is likely a zombie computer network hitting EVERYTHING. The countries with activity rising in general after the first blast probably indicates that the zombies in those countries are successful, and are increasing their attacks.

    --
    Shoes for Industry. Shoes for the Dead.
  82. Looks like BitTorrent. by dweller_below · · Score: 4, Interesting

    Nice visualization. Wonder if there is some way to do it in real time.

    I've done networking and security for a university for the last 10 years. I can guess what this kind of activity would be if it was at my institution. Basically, there are several reasons why every country in the world will suddenly talk to us. They include P2P/Gnutella's, P2P/Swarmcasting, Bittorrent, Skype, P2P-poisoning, P2P-misdirection, and hacker/bot activity.

    When we have pulses like you are observing, it is usually BitTorrent.

    The Gnutella P2P variants don't usually have that many peers. And, they tend to last for several hours or days.

    The various Swarmcasting P2P variants look very similar to BitTorrent, but again, the users tend to leave them running for hours or days.

    A popular Torrent makes connections to hundreds of locations at once, and usually the local user shuts down in minutes (or an hour) when they get their file.

    Skype won't be narrow bands. It will be every country in the world talking to you all the time. We have had computers promote themselves up the Skype infrastructure until they are constantly talking to over 600K peers. Of course, it is more normal to see a Skype node talking to 10K to 20K peers, but still Skype won't be bands. Skype raises the floor for the entire graph.

    P2P-poisoning would closely match your bands. For several years we observed pulses where every member of a large P2P cloud would attempt to talk to a non-existing IP at our institution. Eventually, we realized that somebody was attempting to render the P2P cloud non-functional by poisoning the P2P community with info on non-existing peers. Of course, since this is a Denial of Service (DoS) attack, this is technically illegal, but we saw it happening for years. But, it appeared to stop a couple years ago (about the time Obama replaced Bush) and we haven't seen any evidence of it lately.

    P2P-misdirection is where a cloud will attempt to confuse traffic analysis by throwing out random connections/packets to random IPs. Typically, this misdirection happens all the time, and not in bursts/bands.

    Bot attack activity doesn't match your patterns either. We observe several types. None would look like your bands:
    - The spoofed attacks will look like every one of your IPs getting acks from a few remote IPs.
    - The mapping activity will look like a representative sample of your IPs getting traffic from a few dozen IPs.
    - An incoming DoS would have a few of your IPs get (spoofed) traffic from everywhere, but it would be sustained.
    - Portscans will only involve a handful of remote IPs.
    - The Tag-team SSH password guessing is close. During the last week, we observed about 3000 sources located all over. But, it happens all the time (in the aggregate), not in bursts. And the sources this week are concentrated in Italy, Poland, Eastern Europe, Colombia, and Brazil. They aren't really all over the world.

    So, I'm guessing it is BitTorrent. But, your situation may be way different from mine.

    Miles

    1. Re:Looks like BitTorrent. by arkowitz · · Score: 1, Troll

      I looked at the traffic by destination port and hour, and it looks like botnet activity: all of the traffic producing those stripes is aimed at either port 137 (windows networking) or no port (icmp). Thanks for your comment; this is the type of informed response I was hoping to get with my post.

    2. Re:Looks like BitTorrent. by Anonymous Coward · · Score: 0

      Patch day for World of Warcraft.

    3. Re:Looks like BitTorrent. by dweller_below · · Score: 3, Insightful

      Then, I would say somebody with a large botnet is doing reconnaissance on you.

      I'm sure you have incoming port 137 blocked. So that traffic is outgoing. I expect that will be your Windows hosts responding to their probes.

      They are probably attempting to find your end-hosts and your switching infrastructure.

      Your clients shouldn't respond to the probes. If they are, make them stop. Your servers probably have to respond. If you have not already, you should make very sure that your switching infrastructure can't bleed packets to the outside world. Yah, I know, people tell you to send out 'fragmentation needed' but, you might have to choose between big packets and survival. It would be nice if you only need to bleed 'Fragmentation needed' to a few specific external hosts and could discard it (and everything else from your switching infrastructure).

      One way you can mess with their heads (assuming they care about your switching infrastructure) is to modify your border to discard any packet with a low hop-count. The apparent radius of the internet is currently a little over 16 hops. Nothing legit (except traceroute) generates packets with less than a 32 TTL. So, you can arbitrarily discard any packet at your border with a TTL of 8 to 12.

      It messes up your ability to trouble-shoot your network from the outside using traceroute but if the choice is that or survival...

      I've never been mapped by anything that big. We would see it in our darknet (non-allocated IP) sensors. Lucky you. Brace for impact...

      I expect they will get to my institution eventually.

      We've seen an explosion in hacker activity in the last week. All kinds of crap. The most unsettling is a series of compromises that carefully scan a locally attached /24 for 139, 445, 3389, 5900, 8080, 40080. C&C appears to be innocuous accesses to local Akamai hosts. Almost impossible to spot.

      Thanks for the heads-up.

      Miles

    4. Re:Looks like BitTorrent. by arkowitz · · Score: 0

      These are all inbound packets; it may be that one or more machines outside this firewall but inside the next firewall up are compromised and spoofing. These are all denied when they hit this firewall.

  83. Translation by Alex+Belits · · Score: 3, Interesting

    Vertical stripes may be from spoofed addresses -- nothing from real sources, even botnets, can be that uniform across the whole address space. It would make sense to check how much of traffic comes from unallocated address space, as packets from there are guaranteed to be spoofed. Why would anyone do such a thing? As a direct portscan it would be useless (he can't see the responses), however it might be used as a smokescreen to hide a real portscan or attack from some of those addresses. It may even be an attack that floods the DNS servers with fake responses in the attempt to poison DNS cache, thus redirecting some of the traffic to the attackers' addresses.

    Then, after whatever kind of discovery was completed, you have seen some targeted host scans, [D]DoS attempts or actual exploits causing a large amount of traffic (horizontal stripes).

    Another possibility is that those packets are responses caused by something on your network being coerced into sending packets uniformly to the whole address space. It may be something as stupid as a web page with random redirects, however more likely it is a worm on some of your computers looking for other members of its botnet. After such discovery some hosts joined the botnet[s], producing horizontal stripes composed of traffic from other botnet members.

    --
    Contrary to the popular belief, there indeed is no God.
    1. Re:Translation by arkowitz · · Score: 0, Troll

      The spoofing makes sense; really good point. The scary thing is it kind of looks like something on the inside of this network may be participating in the botnet, I suppose...

    2. Re:Translation by Anonymous Coward · · Score: 0

      How about it was data from the 15th and 16th that was the "quiet" period, and the remaining "hours" beginning with the so called "21st" hour was from the 27th, 28th and 29th.
      The "21st" hour was not the magical beginning of any attack. Just made for a nice looking graph to "show" what an attack might look like.

      If I had to guess, over those 15 days the "attack" very very slowly ramped up to the levels shown. There was no magical horizontal stripe. And lo and behold, the whole thing is a slashvertisement also...
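The check Alex Belits proposes in comment 83 (how much of the inbound traffic claims a source in reserved or unallocated space, which is guaranteed spoofed), as an added example that is not part of the original post or any comment. The RESERVED list is the IANA special-purpose IPv4 registry (RFC 6890) plus the multicast and class E blocks; `local_nets` is a hypothetical parameter for the site's own prefixes, and `SAMPLE_SOURCES` is a constructed list of addresses, not data from the poster's logs.

```python
"""Flag firewall-log source addresses that sit in reserved IPv4 space.

Added example (not code from the post or from any commenter).  A packet whose
source lies in one of these ranges cannot have been legitimately routed to a
border interface, so it is spoofed, or leaked by a neighbour with no egress
filtering.  RESERVED is the IANA special-purpose IPv4 registry (RFC 6890) plus
the multicast and class E blocks; the larger set of *unallocated* space shrinks
as the RIRs assign blocks and is published separately (e.g. Team Cymru's bogon
lists), so treat this list as a floor, not the whole answer.
"""
import ipaddress
from collections import Counter

RESERVED = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # RFC 6598 shared address space (carrier-grade NAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2 (documentation)
    "203.0.113.0/24",   # TEST-NET-3 (documentation)
    "224.0.0.0/4",      # multicast: never a valid unicast source
    "240.0.0.0/4",      # reserved (class E), includes 255.255.255.255
)]


def reserved_prefix(ip):
    """The reserved network containing ip, or None if ip is routable space.
    IPv6 sources never match (the list is IPv4-only)."""
    addr = ipaddress.ip_address(ip)
    for net in RESERVED:
        if addr in net:
            return net
    return None


def spoof_report(sources, local_nets=()):
    """Summarise inbound source addresses seen on the outside interface.

    local_nets (hypothetical parameter): the site's own prefixes.  A packet
    claiming to come from inside but arriving from outside is the other
    guaranteed-spoofed case, the one BCP 38 ingress filtering drops.
    """
    local = [ipaddress.ip_network(n) for n in local_nets]
    by_prefix = Counter()
    spoofed = 0
    for s in sources:
        addr = ipaddress.ip_address(s)
        net = next((n for n in local if addr in n), None) or reserved_prefix(s)
        if net is not None:
            spoofed += 1
            by_prefix[str(net)] += 1
    return {"total": len(sources), "spoofed": spoofed,
            "fraction": spoofed / len(sources) if sources else 0.0,
            "by_prefix": dict(by_prefix)}


# Constructed sample: two routable addresses (public DNS resolvers), four sources
# in reserved space, and one claiming to be our own TEST-NET-2 host.
SAMPLE_SOURCES = ["8.8.8.8", "10.1.2.3", "203.0.113.9", "224.0.0.251",
                  "192.0.2.77", "198.51.100.7", "1.1.1.1"]

if __name__ == "__main__":
    print(spoof_report(SAMPLE_SOURCES, local_nets=("198.51.100.0/24",)))
```

In the constructed sample the "own" prefix is itself a documentation net, so it would be flagged either way; on a real border the number to watch is the fraction. These ranges cover roughly 14% of the 32-bit space, so a spoofer picking sources uniformly at random lands in them about one packet in seven, while a fraction near zero argues that the stripes come from real (if possibly compromised) hosts.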

  84. TCP/IP for Dummies? by Gothmolly · · Score: 1

    It means that some IP spaces are used more heavily, and that if you don't care about getting a response (hello, UDP) then you can make your traffic come from anywhere.

    The real question is - if you don't know what this means, why in gods name did the US Gov hand over the logs to you??

    --
    I want to delete my account but Slashdot doesn't allow it.
  85. Redundant firewalls? by mooneypilot · · Score: 1

    Just a guess. Stripes are caused by either a redundant firewall arrangement, or redundant feeds to the internet, where the load balancer (or telco) is moving traffic one way or the other. Simple enough to reverse out your own IP... no need to outsource that part. Lastly, you are working with a small sample size (no more than a few hundred packets per line), so any small change appears larger.

  86. The reason is quite obvious: by Hurricane78 · · Score: 1

    and sent several million of them to a company called Quova, who gave me back full location info on every 40th one.

    Well, there you have it. Unless you can prove that the filtering that Quova does does not influence your results, you can’t really draw any information from it. Could just be selectivity, applied by Quova. Or an otherwise bad filter.

    Only if you are safe in that regard, would you first have to look at the actual outgoing traffic, in case there are correlations. (Which, considering the data, seems very likely.)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
    1. Re:The reason is quite obvious: by osu-neko · · Score: 1

      of them to a company called Quova, who gave me back full location info on every 40th one.

      Well, there you have it.

      Interesting. Under what conditions would a sampling of every 40th packet on a server that sees millions of packets per hour differ from a true random selection from the same sample? How would random sources from every country on the planet coordinate in such a way that causes particular packets to always show up in the (n*40)th position?

      --
      "Convictions are more dangerous enemies of truth than lies."
    2. Re:The reason is quite obvious: by benjamindees · · Score: 1

      It wasn't every 40th packet. It was every 40th IP address.

      --
      "I assumed blithely that there were no elves out there in the darkness"
    3. Re:The reason is quite obvious: by tenco · · Score: 1

      I also don't get what he meant by "unique IP".

  87. Re:Skylab Shreds by Khyber · · Score: 1

    "Video conference calls do not last for hours or days."

    Maybe not in your world, but then again it's likely you've never been in a Camfrog room. Also, on Skype, my UK and AUS partners and I just leave the conversation going. If any of us are near the computer and hear the others, we'll speak up and start a conversation. It's much simpler. Our machines are all located in our in-home offices.

    I usually leave Camfrog and Skype open and connected 24/7. It's just much simpler that way.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  88. Statistically flawed? by viking80 · · Score: 1

    It appears that the big countries, like China and India, show up with more hits than the small countries like Angola and Cuba.

    I wonder what that can mean? Is it similar to the statistical fact that most truck accidents happen in US made trucks?

    In the latter, until you factor in that 95% of US trucks are made in the US, you have only meaningless statistics.

    It seems that the current incarnation of this analysis tool suffers the same flaw.

    --
    don't cut it off www.mgmbill.org
  89. Re:Skylab Shreds by osu-neko · · Score: 2, Informative

    Computers are used by people. People who wake up, work, play, sleep, have weekends, business holidays, religious holidays, events and a pantheon of other reasons why they might act in seeming semi-concert.

    You're suggesting that for the five day period in question, the majority of people wake up at the same time GMT? Not 7am local time, but 9pm GMT everywhere in the world? Or did you just not actually look at the video (which shows spikes of data from every country in the world at the same time)? "Timezone effects" should eliminate these sorts of lines, not cause them, by spreading that kind of activity out over 24 hours.

    --
    "Convictions are more dangerous enemies of truth than lies."
  90. Stripes in the firewall log data? Movie Review by Anonymous Coward · · Score: 0

    What are these stripes in the firewall log data? Movie Review
    by the Anonymous Coward

    Stripes in the firewall is a 4 and a half minute movie about a 3 dimensional representation of log data from an unspecified government website.
    The cast consists only of the narrator, arkowitz, who walks the audience through the highlights of the dataset.
    The storyline is rather weak to start off and develops into an international conspiracy and a web of intrigue that ultimately leads to Russia and Romania, represented by a vicious looking jagged blue stripe.
    The feature is let down by the rather bland and uninspired performance of the narrator. I thought the wooden door in Paranormal Activity managed a more convincing performance.
    This being a budget production, the 3D effects are not on par with some of the other recent releases. After watching Avatar in 3D, this movie will seem a little flat with or without the 3D glasses.
    Overall, I found this feature slightly less engaging than the preposterous 2012.
    This movie skipped the theaters, DVD release (not to mention the torrents) for a youtube release.

    Better than: Ruslan
    Worse than: Avatar 3D

    Overall ***** 5/10

  91. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    Just a guess, but it's probably related to the waking hours of some region who access this server. The "bands" are for such light traffic that throwing out 97% of the data may be responsible for some of the pattern. I would imagine something like this could be from a peer-to-peer download/upload happening each evening.

  92. I don't think he's getting back up from that one. by Anonymous Coward · · Score: 0

    Well said.

  93. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    Some people also work at night and browse at odd hours you know. Just because it doesn't coincide with your personal ratrace schedule means nothing.

    I have lived in 6 countries and it's readily noticeable to anyone that people keep different schedules in different places. Don't try to apply your limited little world on everyone else.

  94. Increased traffic... by sleeping143 · · Score: 1

    I think it's safe to say the traffic spikes, especially from Asia and the South Pacific, are due to the tsunami that hit. http://en.wikipedia.org/wiki/2009_Samoa_earthquake

  95. Re:Skylab Shreds by Anonymous Coward · · Score: 2, Insightful

    It's elementary my dear Watson. P2P. Someone's firing up Bittorrent (hence, every country in the world with long streams to those actually grabbing data).

  96. Hey mods! Don't mod arkowitz "Troll" by PCM2 · · Score: 2, Insightful

    This is the guy whose product we're talking about. He wants to explain himself. If you think he tried to use Slashdot to advertise his product, you don't have to mod him up, but if you mod him down to -1 then he'll drop below a lot of people's thresholds and they won't even see that he tried to participate. That's not being fair.

    --
    Breakfast served all day!
    1. Re:Hey mods! Don't mod arkowitz "Troll" by tenco · · Score: 1

      This guy is obviously trolling Slashdot by posting a slashvertisement. I think it's right to mark him as that.

  97. Re:Skylab Shreds by ozmanjusri · · Score: 1
    You're suggesting that for the five day period in question, the majority of people work up at the same time GMT? Not 7am local time, but 9pm GMT everywhere in the world?

    No, I'm suggesting that people who work across timezones are aware of other people's schedules and organise their own to coordinate.

    I work regularly with a group in Arizona and another in Shanghai. I know what times they get to work, what times they leave and I plan my activities to work with that. They do the same for my GMT +8 timezone.

    It is an increasingly common mode of work.

    --
    "I've got more toys than Teruhisa Kitahara."
  98. He is the ceo [see his youtube comments] by Anonymous Coward · · Score: 0

    This is a big advertisement. The guy even admits he's the CEO in the youtube comments, but is combative about how that matters. Yet he posts it here without disclosing that, very very shady.

  99. Re:Skylab Shreds by osu-neko · · Score: 1

    No, I'm suggesting that people who work across timezones are aware of other people's schedules and organise their own to coordinate.

    Actually, that'd be the opposite of what you were previously suggesting. You're replacing "a seeming semi-concert" caused by people tending to do the same thing at the same time of day with actual, intentional coordination.

    --
    "Convictions are more dangerous enemies of truth than lies."
  100. 2 possibilities by ILuvRamen · · Score: 1

    Everyone wants to think botnet but I have a second theory that's kinda out there. Maybe it's Google's international search engine robot servers all hitting it on a schedule to update their indexes. Why they'd be that synchronized I don't know for sure though. Maybe the google master controls decide it's time to update that website's index and it doesn't want the UK's google to show something 2 days later than the US version or people might find out and bitch about second rate service for their country so they signal all the robot servers everywhere to hit it at once.

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  101. m$win phoning back home by Anonymous Coward · · Score: 0

    just as simple as that,

  102. my brain hurts... by Anonymous Coward · · Score: 0

    ... from the retarded question..

    my guess.. state is a multinational organization with several different employees logging in from different embassies all over the world.. multiply that by the fact that these employees surf local sites (remember there are hundreds at each site) then combine that with the usual suspects that will attack a us network any way they can.. yeah this is normal firewall activity.

    PS the graph sucks, and doesn't provide any real detail.. throw it out in a parseable database and i'm good... state uses splunk.... and anyone who is smart would use a NORMAL log parsing utility.. graphs are pretty for managers, techs use stuff they can read and parse

  103. Re:Skylab Shreds by tsm_sf · · Score: 1

    And this would explain hits from every country in the world at the same time on the same day?

    IMO looks like botnet activity.

    --
    Literalism isn't a form of humor, it's you being irritating.
  104. Re:Skylab Shreds by osu-neko · · Score: 1

    Some people also work at night and browse at odd hours you know. Just because it doesn't coincide with your personal ratrace schedule means nothing.

    I have lived in 6 countries and it's readily noticeable to anyone that people keep different schedules in different places. Don't try to apply your limited little world on everyone else.

    Um, that was my point. Try some reading comprehension. The facts you've just stated should spread the traffic out, and thus do not explain worldwide time-coordinated spikes.

    --
    "Convictions are more dangerous enemies of truth than lies."
  105. Re:Skylab Shreds by ozmanjusri · · Score: 1

    People getting to work in US Mountain Time Zone IS "a seeming semi-concert". Do you think they all get together and plan their commutes?

    --
    "I've got more toys than Teruhisa Kitahara."
  106. I know what it is... by Anonymous Coward · · Score: 0

    God.

  107. What! by Korbeau · · Score: 1

    He finds it surprising that people actually look at government websites?

    I find it surprising too! :)

  108. Re:Skylab Shreds by fatp · · Score: 1

    Does this mean anything?

    It means the logs are incomplete
  109. Re:Skylab Shreds by Anachragnome · · Score: 5, Insightful

    Bingo. My thoughts exactly.

    Unless he gives up some more data, hard to tell for sure.

    But, I agree, it sounds like someone is using their employer's (government) bandwidth to torrent. Could be a machine that someone shuts off the monitor on but P2P downloads overnight with a scheduled P2P app.

    The peaks/valleys might be explained by reset packets introduced by the ISP temporarily killing the outbound requests and it takes the inbound requests awhile to trickle off.

    You can see this same type of log traffic by simply starting a torrent, waiting a little bit, then stopping the P2P client, waiting awhile again, then restarting it. Rinse, repeat and you will see something that looks awfully close to what you have.

    Reset packets essentially create the same traffic pattern, but for a different reason (ISP- introduced traffic "shaping").

  110. HOLY FUCKING SHIT! by Anonymous Coward · · Score: 0

    Holy fucking shit Batman! An Ask Slashdot that could not have been solved easily with an Ask Google! I never thought I'd see the day *wipes away a tear*

  111. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    It might also be helpful to have a finer resolution on the time scale. Eventually we might see the waves from every country at the same time become broken up into pieces separated on small time intervals that were smaller than the resolution of the graph. Again this may provide more clues as to what's going on.

    Then again, we might see they are simultaneous even down to the resolution of one second!

  112. Mod Underrated instead by Anonymous Coward · · Score: 0

    I believe you can mod 'Underrated' if you don't want to give him karma but still raise his score.

  113. Not enough information by ebrandsberg · · Score: 1

    While this looks interesting, there isn't enough information to determine the cause. What were the packets?

    It could be DNS requests based on the expiration of a domain on the stripes. The content on the website may be expiring at particular times. Someone may be posting on blogs, or tweeting with a link to the page.

    Simply put, without knowing what the content is, and filtering out "explainable" traffic, then looking at the result, any pattern is just an interesting curiosity, nothing more.

  114. Re:Skylab Shreds by Z00L00K · · Score: 1

    I'm more thinking that there is one or more machines behind his firewall that were in the process of sending spam or were infected by a bot of some type during the times where there was a cross country stripe, and that made his IP address visible to the world, and that in turn started probes back, or even that it was bot control attempts that then did show up as country specific stripes.

    So I would suggest a check of all machines behind the firewall for virus infections as a first measure.

    What can be seen in the log is just the symptom, not the cause.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  115. Re:Skylab Shreds by Tamran · · Score: 2, Insightful

    I would wager that if he was to look at outbound traffic at the same time as the inbound "stripes" he would indeed find a correlation. For example, if you ping some IP address it should send you back a packet of data. Perhaps those stripes aren't so representative of everyone else all of a sudden looking at the site but the site looking at everyone else and getting some kind of answer back?

    I'm no sys-admin, but it's a logical hypothesis.

    Tamran

  116. Re:Skylab Shreds by Jane+Q.+Public · · Score: 2, Funny

    Ahah. So you are why my costs for bandwidth are so high.

  117. Re:Skylab Shreds by bakes · · Score: 1

    Yeah he does. All the plotted traffic is inbound. And yeah, botnet seems the most likely explanation.

    Strange how they don't appear in the first half of the graph though. I didn't know that botnets took the weekends off.

    --
    Ho! Haha! Guard! Turn! Parry! Dodge! Spin! Ha! Thrust!
  118. Re:Skylab Shreds by The+Archon+V2.0 · · Score: 2, Funny

    Not sure what it means, but I'm tempted to plug-in Guitar Hero and jam along to your firewall logs.

    Just let me finish my Klax game first.

  119. Re:Skylab Shreds by bakes · · Score: 3, Insightful

    Piss-poor ad though. How many people saw the video and thought "I must get me some of this graphing tool!"? My first thought was "interesting way of presenting information, but his graphing tool is crap".

    --
    Ho! Haha! Guard! Turn! Parry! Dodge! Spin! Ha! Thrust!
  120. News Items on BBC or CNN? by thingie · · Score: 1

    I'm thinking that the strips are a news item relevant to the agency running on a world-wide news channel (BBC/CNN/Al Jazeera) and then when a local media picks up the story.

  121. Re:Are the #s supposed to be multiplied by 40? by slicerwizard · · Score: 1

    I would say that they have to be. He didn't take 7.5 packets from his 1/40th filtered data and multiply by 40 to get 300, did he?

    If so, it's pretty stupid of him to not scale the numbers for presentation or at least mention that "Oh yeah, that 300 really means probably about 12,000..."

    And not doing the geolocation on all of the data himself - WTF?

  122. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    sounds like a botnet to me with the net controller in a specific timezone.

  123. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    Data source is probably fake too, government's firewall logs are (or should be) classified information.

  124. Re:Skylab Shreds by KshGoddess · · Score: 1

    Yes they do. They plan to all get in my way. It's a vast government conspiracy to have everyone in Denver go to work at 8am and leave at 5pm. Well, they're in my way on my way from work, as I'm one of those opposite-hours people.

    --
    It's a little wrong to say a tomato is a vegetable. It's a lot wrong to say it's a suspension bridge.
  125. Re:Skylab Shreds by TangoMargarine · · Score: 1

    Why is the ad "piss-poor"? If it's on a technical basis, yeah it didn't convey much in the way of information, but it didn't sound like he was really trying to convey much. Which is a different reason to be displeased with him. And if you're criticizing it on an artistic basis...well, I don't see why everything in front of our eyes must be smoothly rendered with swooping camera angles that cause some kind of visual orgasm when you see it. It was perfectly sufficient for me in that regard.

    --
    Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  126. Re:Skylab Shreds by TangoMargarine · · Score: 1

    Oh crap. Ad---I just got that. If he's trying to sell the renderer thing as a product, yes, it sucks. My apologies.

    --
    Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  127. Re:Skylab Shreds by HybridJeff · · Score: 4, Informative

    The graph is kind of misleading, it's not actually to scale and it's not showing the 5 days he claims in the youtube description. Go to around the 3:05 mark and watch the time stamp when he mouses over Romania. On the far right you can see an early date of 2009-09-15, as he scrolls to the right we can see a date of 2009-09-28 at the second stripe which is roughly in the middle of the graph, continuing on the far right hand side portion of the graph is dated 2009-09-30. The left hand side of the graph shows results over the span of 13 days and the right hand side taking up the same visual space only shows 2-3 days. Basically I just wasted 15 minutes looking over worthless data on a random youtube video that doesn't actually say anything.

  128. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    Presumably it is all the US manufacturered electronics reporting back to HQ.

    For your own safety of course.

  129. Re:Skylab Shreds by Anachragnome · · Score: 1

    In hindsight, this MAY be very dangerous.

    It all depends on what government agency you are talking about. If sensitive information is at stake, you could have serious problems.

    A scheduled P2P application uploading the contents of a hard drive as a torrent would be a worst case scenario. Judging by the logs, it would seem that if this IS a P2P app, a LOT of people are interested in that torrent.

    It wouldn't be that hard to script a drive imaging application to create an .iso of the drive then another script to periodically upload the newest image as a torrent.

    Fun stuff.

  130. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    Does this mean anything?

    Skynet? ;)

  131. What about outbound packets ? by Alain+Williams · · Score: 1
    It could be something on the govt agency's computers connecting out at certain times and what we see are the reply packets coming back in. Maybe one of their own cron jobs.

    Without a whole bunch of more information we are guessing in the dark:

    • What agency ?
    • What sort of packets ? UDP/TCP/ICMP ? What port numbers ?
    • The remote addresses: are they the same ones all the time, or a much smaller set ?
    • The local addresses: how many are these packets being sent to ?
    • Correlate protocol and IP address

    Until we know more -- it is not worth spending time on this.

  132. Re:Skylab Shreds by nospam007 · · Score: 1

    It's the times when the latest 'Hero', 'Chuck', 'Castle' etc version gets posted and the planet's consumers grab it simultaneously.

    During weekends not much is posted.

  133. Worst. Advert. Ever. by Anonymous Coward · · Score: 1, Funny

    "Hi! I've created this awesome freaky-looking visualisation tool! It's so fucking useless that even I, the author, can't actually determine any useful information from the output it shows me, so I have to go ask some random commenters on a website if they've got a single sodding clue what's going on.

    Wanna buy it?"

    1. Re:Worst. Advert. Ever. by Arimus · · Score: 1

      Err... he didn't create the tool (and arguably not the data set - the 'net users did that part :) )

      --
      --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
    2. Re:Worst. Advert. Ever. by ceoyoyo · · Score: 1

      Actually, it sounds like he did create the tool, and there's no particular reason to believe he didn't create the data too.

  134. Couldn't even venture a guess? by Anonymous Coward · · Score: 0

    Simplest explanations are:
    1) Some distributed botnet is activated to do an attack or a probe. These may be distributed all around the globe, though some infection vectors are country/language-specific.
    2) Timezones. China and India are on the same side of the globe, so people are awake mainly at the same time. This might work with the previous point: even if a computer is host to malware, it will still turn on and off when the user turns it on and off.
    3) Eastern-bloc countries (Romania, Russia, Poland) are famous for their hacker culture. There are probably dozens of universities full of people motivated to gain notoriety (and future jobs) by probing US agencies. India, China, Korea probably also. Literally _anything_ can come out of sources like that.

    Peak 100 packets per _hour_ is a pitiful amount to base any analysis on. There may very well be, say, a hundred people in India that may ping a well-known US agency to check network connectivity. Heck, even I sometimes ping "whitehouse.gov" to check "long-distance connectivity." Ping commands usually send multiple packets, so it may even just be a dozen people or so. There might even be automated systems that check "network connectivity" by just pinging a few "well-known reliable sites". Google what cheap routerboxes did with NTP.

    Seeing that you're asking slashdot instead of doing your job, I'll give some suggestions:
    - Do check out GeoIP. They have a free database you can download and use to analyze IP addresses (and a commercial one with "more detail"), so you don't need to involve other companies with security data. You can also get some data by querying whois-databases.
    - Sort the data somewhat. If there are 100 countries that don't show any activity, drop them to the end of the list or leave them out totally. That way you can see the issue at a glance, instead of scrolling around a huge list.
    - Even if you're allowed only five days worth of data, try to collect more to see if there are any actual trends.
    - Get a description of the firewall ruleset. Just saying "packets" might even include legitimate traffic. Is it all dropped, or some specific ports? Does it include L7-filtering (analyzing traffic contents, that is)? A million ping packets a day don't mean squat, but a thousand invasive IDS-triggering HTTP connections might do.
    - All of the above, check if you can automate it. Perl handles pathologically eclectic rubbish listing quite nicely. After a month or two, you may see if these anomalies are rare at all, or just "business as usual".

    Probably there is nothing you can do about random traffic, even if it's malicious. If there's clearly malicious traffic from your own country/locale, do inform the companies (and/or the authorities). The companies might have been breached previously and are unwittingly hosting botnets, and since they get told of it by their own government agency and/or the authorities, they are very likely to do something.

  135. Different perspective by Anonymous Coward · · Score: 0

    Have you ever decided to look at the spikes from the various countries on their "Local Time"? That might show a pattern. Like all spikes might happen at 8:00 AM every morning for every country.

    Also; have you tried resolving groups of IPs? Have you checked the IPs or blocks of IPs against various "black lists"..... There is a good chance that these are part of various botnets.

    Just some different ways to look at the problem.... Hope something pans out...
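
The two comments above (the "do it yourself with a local GeoIP table, sort out the empty countries, look at the ruleset and the ports, automate it" list, and the "re-plot it in each country's local time" suggestion) describe one procedure. Here it is as an added example in Python; it is not code from the submitter, the thread or any product mentioned. The log lines are constructed in iptables/syslog style, the prefix-to-country table is a stand-in for a real GeoIP database (the assignments are arbitrary), the UTC offsets are constructed, and the year is supplied because syslog timestamps omit it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed sample in iptables/syslog style; addresses are RFC 5737/2544 test
# ranges, not real traffic. Field layout (SRC=, DST=, PROTO=, DPT=) is assumed.
SAMPLE_LOG = """\
Sep 28 08:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=445
Sep 28 08:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP DPT=445
Sep 28 08:00:09 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP DPT=80
Sep 28 08:02:15 fw kernel: DROP IN=eth0 SRC=198.18.0.4 DST=198.51.100.5 PROTO=ICMP
Sep 28 09:00:00 fw kernel: DROP IN=eth0 SRC=203.0.113.12 DST=198.51.100.5 PROTO=TCP DPT=22
Sep 28 09:10:30 fw kernel: DROP IN=eth0 SRC=198.18.1.9 DST=198.51.100.5 PROTO=UDP DPT=123
Sep 28 09:11:00 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.8 DST=198.51.100.5 PROTO=TCP DPT=443
"""

# Stand-in for a locally held GeoIP database (the thread points at MaxMind's free
# one). This prefix-to-country map is constructed; the country assignments are arbitrary.
PREFIX_COUNTRY = {
    ip_network("203.0.113.0/24"): "CN",
    ip_network("198.18.0.0/15"): "IN",
    ip_network("192.0.2.0/24"): "US",
}
# Constructed UTC offsets, in hours, for the "look at it in their local time" step.
UTC_OFFSET = {"CN": 8, "IN": 5.5, "US": -5}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+)(?: .*?DPT=(?P<dpt>\d+))?"
)


class Event(NamedTuple):
    ts: datetime
    action: str
    src: str
    proto: str
    dpt: Optional[str]  # None for protocols without a port, e.g. ICMP


def parse_log(text, year=2009):
    """Parse syslog-style firewall lines; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated kernel/syslog noise
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append(Event(ts, m["action"], m["src"], m["proto"], m["dpt"]))
    return events


def country_of(ip):
    """Longest-prefix lookup in the stand-in table; '??' for addresses it does not cover."""
    addr = ip_address(ip)
    hits = [net for net in PREFIX_COUNTRY if addr in net]
    return PREFIX_COUNTRY[max(hits, key=lambda n: n.prefixlen)] if hits else "??"


def aggregate(events, action="DROP"):
    """Per-country counters for one firewall action: by UTC hour, by country-local hour
    and by protocol/destination port. A country without a single matching line never
    gets a key, which is the 'leave the empty countries out' step."""
    make = lambda: {"utc_hour": Counter(), "local_hour": Counter(), "dport": Counter()}
    by_country = defaultdict(make)
    for ev in events:
        if ev.action != action:
            continue  # separate dropped from accepted traffic instead of mixing "packets"
        cc = country_of(ev.src)
        b = by_country[cc]
        b["utc_hour"][ev.ts.strftime("%Y-%m-%d %H")] += 1
        local = ev.ts + timedelta(hours=UTC_OFFSET.get(cc, 0))
        b["local_hour"][local.hour] += 1
        b["dport"][f"{ev.proto}/{ev.dpt or '-'}"] += 1
    return dict(by_country)


def ranked(by_country):
    """Countries sorted by total volume, busiest first, so the interesting rows come first."""
    totals = {cc: sum(b["utc_hour"].values()) for cc, b in by_country.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    agg = aggregate(parse_log(SAMPLE_LOG), action="DROP")
    for cc, total in ranked(agg):
        print(cc, total, dict(agg[cc]["local_hour"]), dict(agg[cc]["dport"]))
```

Run it over a day's worth of real lines, once with `action="DROP"` and once with `action="ACCEPT"`, and the two tables answer the questions raised above (is it all dropped, which ports, does it line up with anyone's 8 AM) without shipping the address list to a third party. One caveat from later in the thread applies: if the firewall logs stateful sessions rather than individual packets, these counts are sessions, not packets, and the ICMP and HTTP rows are not comparable units.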

  136. my idea by someone1234 · · Score: 1

    DDOS bots got a new target. That would explain the simultaneous bombardment from different countries.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  137. Re:Skylab Shreds by walt-sjc · · Score: 1

    My first impression was botnet too, but just IP info alone isn't enough to come to a conclusion. Give me port info and packet size too. His graph is enough to go "Huh. That's interesting" and then look into it further. That's it.

  138. Re:Skylab Shreds by Ihmhi · · Score: 1

    I'm not sure, I can't really parse the data mentally on a 2-D plane. Perhaps he should get one of the computers these guys use and cook up some 3D cityscape models.

  139. Re:Skylab Shreds by ultranova · · Score: 3, Interesting

    Any other theories?

    A botnet attack? But then the activity shouldn't be concentrated by country, but spread around the world about evenly.

    Or it could be that someone's seeding a torrent from behind the firewall. That would explain the suddenly starting continuous activity. It might also explain the concentration by country (language or timezone). It would help if the graph could be organized by such factors.

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  140. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    Actually, my thoughts were "why did the guy hack up a poorly conceived OpenGL program just to visualize the logs?" The program looks very amateurish and very unimpressive. I don't know who in their right mind would spend money on something that produces that.

  141. Re:Skylab Shreds by emilper · · Score: 1

    No botnet attack, just bittorrent traffic, with the stripes being times when the client used inside the "US government agency" is uploading traffic data at the request of the tracker, and the high activity countries being those with good broadband connectivity and serving lots of packets :P

  142. Re:Skylab Shreds by Pictish+Prince · · Score: 1

    Yeah he does. All the plotted traffic is inbound. And yeah, botnet seems the most likely explanation.

    Strange how they don't appear in the first half of the graph though. I didn't know that botnets took the weekends off.

    botnets don't take the weekends off, but owners of infected machines are likely to turn off their computers over the weekend.

    --
    Only his tendency toward a dazed stupor prevented him from screaming aloud.
  143. I can't beleive all you slashdoters are missing it by kurt555gs · · Score: 1

    Look at the chart. LOOK. it's obvious what this means.

    BSD is dying!

    --
    * Carthago Delenda Est *
  144. Re:Skylab Shreds by ceoyoyo · · Score: 2, Insightful

    My first thought was "why does everybody have to make everything a video?"

  145. Re:Skylab Shreds by bondsbw · · Score: 1

    The graph is kind of misleading, it's not actually to scale

    I think the point is to show that time prior to a point of interest shows one behavior, and the time after that shows another. If he had only shown 2-3 days prior, it would have looked basically the same.

    Yes, he is misleading in the video, but having extra data is forgivable.

    Basically I just wasted 15 minutes looking over worthless data on a random youtube video that doesn't actually say anything.

    The validity of the data has nothing to do with the rest of your post. Is 15 days worth of data suddenly less worthwhile than 5?

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  146. Skyrails makes this look terrible by Anonymous Coward · · Score: 0

    http://www.youtube.com/watch?v=I2d312_dXEs

  147. It seems to me... by jellomizer · · Score: 1

    Do these stripes have to do anything with your business hours....

    Starting work, say, at 9:00, everyone logs in, checks and sends their email out; getting server responses will create a stripe. If other countries work with the organization they probably have their schedules match the US time zones (AKA working nights). So you get your start-of-the-day stripe, after-coffee-break stripe, lunch stripe, etc...

    The stripes are not really a big deal. I would pay more attention to the active countries

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  148. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    Monday?

  149. NetWitness by Anonymous Coward · · Score: 0

    Sounds like the state government should look at NetWitness.

  150. Re:Skylab Shreds by Pictish+Prince · · Score: 1

    My intuition says the lines are caused by some type of botnet activity.

    --
    Only his tendency toward a dazed stupor prevented him from screaming aloud.
  151. Speculation: he's pwned? by AliasMarlowe · · Score: 1

    Some context would be helpful, including what's behind the firewall, the kinds of traffic you think you're accepting, and public expectations of the services available.

    Exactly. Without context, we can merely speculate that the server is pwned or under attack. This conjecture could be assessed better if there were also logs of outbound traffic as well as inbound. Also, it's not clear if the packets were being rejected (attack resisted), or being passed through (active attack or already pwned).

    The stripes in the inbound packets look rather like botnet c&c traffic, which is presumably distributed worldwide. There are not many other activities which would be synchronous worldwide. Traffic from specific countries rises and stays high for extended times after some of the stripes. This could be payload updates, or other nefarious activity. Was there outbound traffic to the same sites also?

    What kind of services does this site provide? One would not expect the same traffic profile for a LOC or NASA web server as for a stratum 1 or 2 NTP server, for instance. Maybe the traffic pattern is all innocent, maybe not...

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  152. Re:Skylab Shreds by ozmanjusri · · Score: 1
    They plan to all get in my way. It's a vast government conspiracy to have everyone in Denver go to work at 8am and leave at 5pm.

    It's not the government, at least not my part of it.

    Btw, did you enjoy The Truman Show?

    --
    "I've got more toys than Teruhisa Kitahara."
  153. Re:Skylab Shreds by BrokenHalo · · Score: 2, Interesting

    What I find a bit odd is that nobody has even thought to question what business the submitter has with 5 days' worth of server logs from a US state government agency.

  154. Possibly... by benjic · · Score: 1

    E.T. Phone Home?

  155. Do you know... by multimediavt · · Score: 1

    ...what new sites or services started the day of the first stripe? Given that you did an every-40th sample this could potentially be a sampling error, or a moiré pattern caused by said sampling error.

    I'd go with a site or service coming online somewhere within the organization where the data came from. If it's a higher-education institution it could have been anything or anyone setting up a website, or it could even have been a trojan or virus that is now using a machine to tunnel through the firewall and share music, video or warez.

    Happy Hunting!

  156. Birthers by Anonymous Coward · · Score: 0

    It's the Birthers... very determined... very determined indeed....

  157. Re:Skylab Shreds by scottv67 · · Score: 1

    >I would wager that if he was to look at outbound traffic at the same time as the inbound "stripes" he would indeed find a correlation.

    For firewall logs related to protocols that the firewall treats as stateful, the log entries usually have a source IP and destination IP. A single log entry covers both the packets generated by the local system as well as the responses received from the remote system. For a single stateful session, there are not separate log entries for the "outbound" requests and the "inbound" replies. In your example with ping (ICMP), some firewalls treat a ping as a stateful connection and will log just one entry that covers the outbound echo request and the inbound echo reply.

  158. video professor by jdc18 · · Score: 1

    Are you linked to the video professor

  159. Not enough information... or maybe too much... by argent · · Score: 1

    First, as many people have noted, these stripes could easily be due to events that have world-wide interest, and the spikes due to regional events. Without knowing the site involved there's not much point in speculating.

    Second, if I was the admin at the unnamed site I'd be pissed that he'd disclosed firewall trace information to a data-mining company.

    Third, not disclosing his relationship to the graphing company is pretty dodgy.

  160. Re:Skylab Shreds by SecurityGuy · · Score: 1

    A botnet attack? But then the activity shouldn't be concentrated by country, but spread around the world about evenly.

    No, not really. It should be spread across vulnerable computers about evenly, which means it should be concentrated in large countries with significant technological infrastructure. China and India are both huge, and while a decent chunk of them are impoverished, I suspect they're still quite up there in terms of internet connected systems.

    Some kind of distributed attack, possibly, or something completely benign. Look at the packets and see what they are. Looking at source alone isn't that revealing.

  161. If it were a botnet... by mengel · · Score: 1
    Wouldn't you only see this sort of activity if you were hosting a control node of the botnet? Or are you thinking the botnet is scanning him by doing parallel distributed port probes?

    It would be clearer if we knew the destination port distribution of these "stripes".

    If it's all to port 80, it could be there's a web page with a refresh that updates every few hours, and people happen to have it up on their screens...

    --
    - "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
  162. Delete this spam article please by xerxesnine · · Score: 1

    By keeping this article up you are rewarding spammers and inviting more of it. When I receive spam, I mark and delete it. Don't you, Slashdot?

  163. Second Life? by j741 · · Score: 1

    Second Life? Is that where you go after you die? Not everyone believes in reincarnation.

    --
    - James
    1. Re:Second Life? by Baloo+Uriza · · Score: 1

      Not quite. It's actually a virtual reality environment anybody can join. Feel free to check it out.

      --
      Furries make the internet go.
  164. You are ready for the second stage by n2rjt · · Score: 1

    Now that you have isolated a few categories of interesting packets, you should study samples of those interesting packets in more detail. Many have speculated about what the "stripes" mean, but you can find out more by investigating one stripe.

  165. Romania by vacarul · · Score: 1

    if it's Romania in there, it's BitTorrent.

    Dugg for Romania!

    oh wait...

  166. Visual analysis by HooliganIntellectual · · Score: 1

    Somewhere, Edward Tufte is rolling over in his bed.

  167. Re:Skylab Shreds by TommydCat · · Score: 1

    How sure are we that the resulting data from this service is accurate? Is there a pattern between the times and resulting countries because they're mistakenly parsing the date/time of the log instead of the actual IP address? Or if they're only parsing every 40th entry maybe they're injecting bursts of "wrong" data as part of a trial?

    I see no reason to jump to any conclusion as long as there may be doubt about the validity of the data you/we are looking at.

    --
    This comment does not necessarily represent the views and opinions of the author.
  168. Re:Offtopic? by not_hylas(+) · · Score: 1

    Glib.
    Surely, you can type, dear one - defend your rating.

    http://slashdot.org/my/journal

    --
    ~hylas
  169. ask slashdot advertising = FAIL by nufrosty · · Score: 1

    advertising in the guise of an ask slashdot.. annoying.

  170. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    Anyone know what activity to port 24477 tcp/udp implies? I get hit all the time on port 24477 for some reason.

  171. Re:Skylab Shreds by drougie · · Score: 1

    first and only theory i'm buying here so far..

  172. Paypal payments for in game purchase? by Anonymous Coward · · Score: 0

    You might want to reconsider that. That would be a definite show stopper for me, were I looking for an FB framework. Until Paypal is regulated as the bank they are instead of allowing them to play bank, I won't be using them. Seems to me this would be a negative selling point for the source as well.

  173. Re:Skylab Shreds by Khyber · · Score: 1

    What's sad is I have access to about 50/50 (wireless bridging of my personal internet connection with my fiance's university account via the wireless signal that reaches our apartment) and I saturate it mostly with sending live research data/footage to those partners as well so they can watch how their money gets spent and used.

    Imagine if I had a 100/100 connection. I'd be putting your bills thru the skyscraper antenna!

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  174. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    Actually, the entire article is astroturf. The guy is the CEO of the company that makes the software in the video.

    So my first impression is, he's seeing the spike because a short while before the spike, he just submitted his bullshit advertisement story to another web site. I'm sure that shortly after he posted the story to slashdot, he saw the exact same thing happen again... go figure.

    So what he is seeing in the video, is the fruits of his labor.

  175. Re:Skylab Shreds by Hadlock · · Score: 1

    Right but this is only 300 packets or so from each country. How much data is 300 packets, potentially? 20KB? Bit torrent usually pushes an order of magnitude more data than that.

    --
    moox. for a new generation.
  176. Re:Skylab Shreds by LBt1st · · Score: 1

    I would assume it's from global botnets running scripted attacks in unison at particular times.

  177. Re:Skylab Shreds by hardwarefreak · · Score: 1

    Any other theories?

    A botnet attack? But then the activity shouldn't be concentrated by country, but spread around the world about evenly.

    Or it could be that someone's seeding a torrent from behind the firewall. That would explain the suddenly starting continuous activity. It might also explain the concentration by country (language or timezone). It would help if the graph could be organized by such factors.

    You people have lost your damn minds. The highest "peak" was ~350 packets PER HOUR. Not per second, but PER HOUR the narrator said. That's so low I'm guessing this probably is router-router traffic, BGP updates or similar. 350 packets isn't even a meg. It's slightly over 512KB assuming ethernet frame size of 1514 bytes. There is so little traffic described here it's not worth analyzing. Seriously. The guy who came up with this is a loser.

  178. Re:Skylab Shreds by tokul · · Score: 1

    The question is - why is there traffic suddenly appearing from every country in the world at the same time? And again a number of hours later? And again 5 or 6 times?

    googlebot, msnbot, slurp, insert your favorite web crawler here.

  179. Re:Skylab Shreds by Anonymous Coward · · Score: 0

    Yeah, that's probably when Bob from accounting gets on bit-torrent to download his porn.

  180. Re:Skylab Shreds by jon3k · · Score: 1

    Who knows, we don't have enough information. We need to analyze individual streams in both directions with port numbers and ideally even packet payload. We also need to know the firewall action (drop, allow, etc).

    Not even close to enough information. Anyone who claims to have any idea what this means is grasping at straws.

  181. bad data, bad visualization, idiot person by Anonymous Coward · · Score: 0

    Bad data = Bad visualization = stupid advert
    if you watch the labels closely as he moves the mouse around you notice that there are ten days of missing data in the middle - exactly where the first vertical stripe appears (2009-09-27 hr:20) - which means that he is an idiot for joining two disjoint data sets: the one without the stripes and the one with the stripes.

    Basically at the left side it starts with: 2009-09-14 hr:22, goes to 2009-09-16 hr:19 and SUDDENLY jumps to 2009-09-27 hr:20 and then smooth to 2009-09-30 hr:03 till the end

    IDIOT !
    IDIOT !
    IDIOT !

  182. Need to rule out aliasing, confirm accuracy first by Medievalist · · Score: 1

    Try using some other sample intervals and see if your patterns stay consistent. You might be aliasing.

    I'd try 101 and 17 right off the bat, since prime numbers work best for detecting aliasing in my experience (I'm not a mathematician so my methods are empirical, I stole those numbers from bamboo and locusts respectively).

    Those plaids may be an artifact of your sampling interval. The real patterns might even be more interesting!

  183. I don't care if it's an ad. by Medievalist · · Score: 1

    The day someone invents a working greasemonkey script that lets me remove meta-whining from conversations I will throw a party.

    Personally, I am interested enough in these data visualizations that I don't care if you are "advertising" your company and/or products.

    I don't know if you read my earlier comment about aliasing, but the data filtering you used here (that removed the "plaid" effect) could easily be acting as a poor-man's anti-aliasing system.

    Try using prime numbers in your sampling intervals. You might be surprised what happens. Most networks have broadcast traffic that hits at regular 60-second intervals (due to unimaginative default settings in commercial software and hardware) that introduces regular "pulses" into the data flows. In very large switched networks this can create amazing patterns as the switches dynamically fiddle with the broadcast traffic to optimize per-port throughput. In my experience no pattern is real unless it shows up using multiple sample intervals on the same traffic. Check out this video where Burton MacKenzie abuses the Nyquist limit.
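
The two comments above (182 and 183) argue that taking every 40th log entry can alias against periodic structure in the log, and that a pattern is only real if it survives several sampling intervals, preferably prime ones. The following is an added example in Python that demonstrates exactly that failure mode; it is not code from the submitter or from anyone in the thread, and the log it samples is constructed: 40 probe sources, 10 per country, each writing one line per minute in the same order every minute (the 60-second pulse the comment describes). The `looks_real` check and the random-sampling alternative are my additions, not something the commenters proposed verbatim.

```python
import random
from collections import Counter

# Constructed data: 40 sources, 10 per country, logging one line each per minute in a
# fixed round-robin order. Nothing here is real traffic; the point is how that order
# interacts with a fixed sampling stride.
COUNTRIES = ["CN", "IN", "US", "DE"]
SOURCES = [cc for cc in COUNTRIES for _ in range(10)]  # 40 sources, period of the log


def make_log(minutes=1440, sources=SOURCES):
    """One simulated day of log lines as (seconds_since_start, country) tuples."""
    return [(minute * 60 + i, cc)
            for minute in range(minutes)
            for i, cc in enumerate(sources)]


def sample_every(log, k, phase=0):
    """Systematic sampling: every k-th line starting at `phase` (what 'every 40th' does)."""
    return log[phase::k]


def random_sample(log, n, seed=1):
    """Uniform random sampling of n lines; immune to any periodicity in line order."""
    return random.Random(seed).sample(log, n)


def country_share(sample):
    """Fraction of sampled lines per country, rounded for readable comparison."""
    counts = Counter(cc for _, cc in sample)
    total = sum(counts.values())
    return {cc: round(n / total, 3) for cc, n in sorted(counts.items())}


def looks_real(log, intervals=(40, 17, 101), tolerance=0.05):
    """Accept a per-country pattern only if every stride reproduces it within `tolerance`.
    17 and 101 are prime, hence coprime to the 40-line period, so they walk through
    every phase of the cycle; a stride of 40 lands on the same phase every time."""
    shares = [country_share(sample_every(log, k)) for k in intervals]
    countries = set().union(*shares)
    return all(
        max(s.get(cc, 0.0) for s in shares) - min(s.get(cc, 0.0) for s in shares) <= tolerance
        for cc in countries
    )


if __name__ == "__main__":
    log = make_log()
    print("stride 40, phase 0 :", country_share(sample_every(log, 40)))
    print("stride 40, phase 10:", country_share(sample_every(log, 40, phase=10)))
    print("stride 17          :", country_share(sample_every(log, 17)))
    print("random, n=1440     :", country_share(random_sample(log, 1440)))
    print("pattern survives multiple strides?", looks_real(log))
```

With a stride of 40 the sample is 100% one country, and which country depends only on where the stride starts; strides of 17 or 101, or a random sample of the same size, give each country its true quarter share. Real logs are not this tidy, but any cron-driven poller or 60-second broadcast puts some structure in line order, and the cheap defence is the one the comment gives: re-run the analysis with two or three coprime strides (or random sampling) and believe only what all of them agree on.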