Slashdot Mirror


Crazy Firewall Log Activity — What Does It Mean?

arkowitz writes "I happened to have access to five days' worth of firewall logs from a US state government agency. I wrote a parser to grab unique IPs out, and sent several million of them to a company called Quova, who gave me back full location info on every 40th one. I then used Green Phosphor's Glasshouse visualization tool to have a look at the count of inbound packets, grouped by country of origin and hour. And it's freaking crazy looking. So I made the video of it and I'm asking the Slashdot community: What the heck is going on?"

5 of 344 comments

  1. Re:vertical stripes by jmauro · Score: 4, Informative

    It looks like an active attack probably from one source with a number of controlled bots helping out.

    The packets from every country at once are probably spoofed sender IP addresses from one or more sources (probably the spike countries).

    The spiked country traffic is probably the controlled bots attacking the host actively.

    Without seeing the actual packet data it's just a guess though.

  2. Re:Another Slashdot Ad? by Jah-Wren+Ryel · Score: 5, Informative

    Wait, is this just an advertisement for Glasshouse? The voice in the video on Green Phosphor's website is exactly the same.

    It is totally the same guy - the background noise sounds identical too - like he recorded it on the same microphone with the same environmental conditions.
    Hell, he even starts each narration exactly the same with the pattern of, "Hi <name> here."

    --
    When information is power, privacy is freedom.
  3. Re:Another Slashdot Ad? by NoTheory · Score: 5, Informative

    If you check the other uploaded videos on youtube by the same guy (whose name appears to be "Ben Lindquist", the CEO of Green Phosphor, found on blogger and twitter), there is an introduction to Green Phosphor's Glasshouse. So yeah, Slashvertisement done in the style of Lost.

    Welcome to the future of advertising. /sigh.

    --
    There are lives at stake here!
  4. Re:I'm confused by sopssa · Score: 4, Informative

    Eh what? There's several GeoIP databases that you can install locally. In fact it seems like Quova is the only database you have to query remotely, which is somewhat crazy if you ask me. Or buy a server from them.

    MaxMind is the best known one. Installing it on a Linux server using yum merely takes "yum install GeoIP*".

  5. Re:Skylab Shreds by HybridJeff · Score: 4, Informative

    The graph is kind of misleading, it's not actually to scale and it's not showing the 5 days he claims in the youtube description. Go to around the 3:05 mark and watch the time stamp when he mouses over Romania. On the far right you can see an early date of 2009-09-15, as he scrolls to the right we can see a date of 2009-09-28 at the second stripe which is roughly in the middle of the graph, continuing on the far right hand side portion of the graph is dated 2009-09-30. The left hand side of the graph shows results over the span of 13 days and the right hand side taking up the same visual space only shows 2-3 days. Basically I just wasted 15 minutes looking over worthless data on a random youtube video that doesn't actually say anything.
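The submission's pipeline (pull unique source IPs out of firewall logs, resolve each to a country, count inbound packets per country and hour) plus HybridJeff's complaint about the stretched time axis, as an added example that is not the submitter's parser or any Green Phosphor code. The log lines, the prefix-to-country table and the 2009 syslog year are all constructed assumptions; a real run would use a local GeoIP database such as MaxMind's in place of the table. Every hour in the span is emitted, including empty ones, so a plot built from the output cannot quietly compress quiet periods into the same width as busy ones.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed iptables-style syslog lines (not real agency data).
LOG_LINES = """\
Sep 15 00:12:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=445
Sep 15 00:40:19 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=445
Sep 15 01:03:55 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=UDP DPT=53
Sep 15 02:15:00 fw kernel: IN= OUT=eth0 SRC=198.51.100.2 DST=192.0.2.44 PROTO=UDP DPT=53
Sep 15 03:30:41 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP DPT=22
""".splitlines()

# Constructed prefix -> country table standing in for a local GeoIP database.
GEO = {"203.0.113.": "RO", "192.0.2.": "US"}

# syslog timestamp, the IN= interface (empty on outbound lines) and the source IP
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?\bIN=(\S*) .*?\bSRC=(\d+\.\d+\.\d+\.\d+)")

def country_of(ip):
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"  # unresolved, kept as its own bucket rather than dropped

def parse(lines, year=2009):
    """Yield (timestamp, src_ip) for inbound lines; syslog omits the year, so it is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group(2):  # no IN= interface -> outbound, skip
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(3)

def unique_sources(lines):
    return sorted({ip for _, ip in parse(lines)})

def hourly_by_country(lines):
    """Inbound packets per (country, hour) over the full span, zeros included."""
    rows = list(parse(lines))
    hour = lambda ts: ts.replace(minute=0, second=0)
    counts = Counter((country_of(ip), hour(ts)) for ts, ip in rows)
    countries = {country_of(ip) for _, ip in rows}
    table, h, end = {}, hour(min(ts for ts, _ in rows)), hour(max(ts for ts, _ in rows))
    while h <= end:
        for cc in countries:
            table[(cc, h.strftime("%Y-%m-%dT%H:00"))] = counts.get((cc, h), 0)
        h += timedelta(hours=1)
    return table
```

Four distinct source IPs occur in the sample but only three are inbound, so the outbound reply line is correctly excluded; the table has two countries times four hours, with the quiet 02:00 hour present as zeros.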