Slashdot Mirror

← Back to Stories (view on slashdot.org)

Crazy Firewall Log Activity — What Does It Mean?

Posted by kdawson on from the mainly-on-the-plane dept.

arkowitz writes "I happened to have access to five days worth of firewall logs from a US state government agency. I wrote a parser to grab unique IPs out, and sent several million of them to a company called Quova, who gave me back full location info on every 40th one. I then used Green Phosphor's Glasshouse visualization tool to have a look at the count of inbound packets, grouped by country of origin and hour. And it's freaking crazy looking. So I made the video of it and I'm asking the Slashdot community: What the heck is going on?"

3 of 344 comments (clear)

  1. I see the people who have a clue haven't gotten by jra · · Score: 0, Redundant

    here yet. :-)

    Though I did like the Guitar Hero riff..

    The time-based stripes look like a botnet being triggered. It's possible the increases in traffic from certain places after the stripe pattern commenced might be due to distribution in infections by a botnet client.

    To make any real judgement on that, it would probably be necessary to see more like 6 months worth of data all at the same time.

    I suspect Bill Cheswick and Steven Bellovin might have some interesting comment to make on this; I chat with Steve occasionally; I'll point him at the thread. (For those not playing the home game; they wrote the Wily Hacker book, and used to run AT&T's corporate firewall.)

  2. The smell of fresh grass by noidentity · · Score: 0, Redundant

    Hmmm, I don't know. As I sit here sipping my soda, the imagery reminds me of various things. One thing comes to mind, though.

  3. Re:Skylab Shreds by ozmanjusri · · Score: 0, Redundant
    You should have some clue where inbound traffic is coming from and why.

    And talking of getting clues, this also needs more context.

    Computers are used by people. People who wake up, work, play, sleep, have weekends, business holidays, religious holidays, events and a pantheon of other reasons why they might act in seeming semi-concert.

    Without knowing what network this firewall is on, what reasons there might be attempted access, we have no way of analysing the results. The "lines" could just be timezone effects.

    On a side note, it's amusing to watch the way timezones affect Slashdot mod points, especially on controversial comments. Around 9pm my time (Perth, Western Australia), there's always a flood of downvotes for pro-FOSS or anti-proprietary comments. Work that one out...

    --
    "I've got more toys than Teruhisa Kitahara."