Slashdot Mirror


Crazy Firewall Log Activity — What Does It Mean?

arkowitz writes "I happened to have access to five days worth of firewall logs from a US state government agency. I wrote a parser to grab unique IPs out, and sent several million of them to a company called Quova, who gave me back full location info on every 40th one. I then used Green Phosphor's Glasshouse visualization tool to have a look at the count of inbound packets, grouped by country of origin and hour. And it's freaking crazy looking. So I made the video of it and I'm asking the Slashdot community: What the heck is going on?"

8 of 344 comments

  1. Re:"And its freaking crazy looking" by Eightbitgnosis · · Score: 0, Troll

    I read the author and learned a little about network usage patterns and how to look at them. I read your post and saw a lot of complaining. Point goes to the original author.

  2. Re:Filter your data... by AHuxley · · Score: 0, Troll

    In a fly over state you have elite coast time, local time, log cabin time and IOU time on the west coast.
    Same bots would be set for when the average US MS admins clock off from their daily malware hunts and go home for tv, bar, sport and family.
    How many attempts to 'hack' are just hits from MS boxes owned for an afternoon's work, left on auto for months after?
    As for the countries, most are places where they invest in basic education, ie real maths skills. The people who did not get a job/visa out have the brains and time to look for the other kind of Visa.
    For the next project trap the packets, see what they are seeking ie MS database hunters, MS pw sniffers, MS credit card finders?
    Or are they Unix/exotic OS worms for deep sleeper code for instant lights out in 4 years?

    --
    Domestic spying is now "Benign Information Gathering"
  3. Re:Why am I worried? by AHuxley · · Score: 0, Troll

    Why do you have access to government logs yet don't have a better way to figure out what it is than ask on slashdot?
    They use MS all day and suffer from group think?
    At best they love the firewall hits as they can put in budget upgrades every year.
    Best not to ask why or think too much, just protect and enjoy the MS lunches/bribes.
    If they are smart and ask why, what can they expect - told to buy more MS?
    They are looking after some local structure in a fly over state, thinking is not expected or needed.
    Going running to a 'fusion centre' and asking for FBI/NSA help with print outs might just expose one of their taps into your department.
    At best you're told they are looking into it (and your life gets complex), or you are found by friend/family a few days later.
    Asking on slashdot lets you share the info and not risk your job/life/promotion/budget.

    --
    Domestic spying is now "Benign Information Gathering"
  4. Re:"And its freaking crazy looking" by Eightbitgnosis · · Score: 0, Troll

    ...why do I care who is speaking? It's just random information to me. Sure, the format in which they present their data does kinda suck, but there is information in these graphs. If someone else can do better, then by all means I'm waiting for their slashdot article.

  5. Re:That wasn't complaining. THIS is complaining. by Eightbitgnosis · · Score: 0, Troll

    Well, feel free to start a company anytime since you see it so clearly

  6. Re:Looks like BitTorrent. by arkowitz · · Score: 1, Troll

    I looked at the traffic by destination port and hour, and it looks like botnet activity: all of the traffic producing those stripes is aimed at either port 137 (windows networking) or no port (icmp). Thanks for your comment; this is the type of informed response I was hoping to get with my post.
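    The parsing step described in the submission (pull unique source IPs out of the firewall logs, then bucket inbound packet counts by country and hour) and the destination-port-by-hour breakdown arkowitz mentions in this comment, as an added Python example; this is not arkowitz's parser or any tool from the thread. It assumes a constructed netfilter-style "key=value" log format, and the country lookup is a hard-coded table of RFC 5737 documentation ranges standing in for the Quova service.

```python
"""Parse firewall log lines, dedupe inbound source IPs, and bucket inbound
packet counts by hour and by country or destination port/protocol.

Added example, not the parser from the Slashdot submission. The log format
is a constructed netfilter-style "key=value" line; the geolocation table is
a placeholder for a real lookup service.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log: one line per packet, IN=<iface> marks inbound.
# The last line has IN= empty (locally generated) and must be skipped.
SAMPLE_LOG = """\
Mar 12 01:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137 LEN=78
Mar 12 01:00:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Mar 12 01:00:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=UDP SPT=137 DPT=137 LEN=78
Mar 12 01:01:41 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 LEN=60
Mar 12 02:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
Mar 12 02:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.12 PROTO=TCP SPT=40000 DPT=80 LEN=60
Mar 12 02:00:07 fw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 PROTO=UDP SPT=41000 DPT=53 LEN=60
"""

# Constructed stand-in for a geolocation service: RFC 5737 documentation
# ranges mapped to placeholder country labels.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "COUNTRY_A",
    ip_network("198.51.100.0/24"): "COUNTRY_B",
}

TS_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+(\d{2}):\d{2}:\d{2}")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Targets the thread singles out: NetBIOS name service and port-less ICMP.
NOISY_TARGETS = {"UDP/137", "TCP/137", "ICMP"}


def parse_line(line):
    """Return {hour, src, target} for an inbound packet line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(line))
    if not kv.get("IN"):  # empty IN= means the packet did not arrive on an interface
        return None
    try:
        src = ip_address(kv["SRC"])
    except (KeyError, ValueError):
        return None
    proto = kv.get("PROTO", "?")
    dpt = int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None
    # ICMP carries no destination port, so it is labelled by protocol alone.
    target = proto if dpt is None else f"{proto}/{dpt}"
    return {"hour": int(m.group(1)), "src": src, "target": target}


def parse_log(text):
    """All inbound packets from a multi-line log, unparseable lines dropped."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def unique_source_ips(packets):
    return {p["src"] for p in packets}


def lookup_country(ip):
    """Placeholder geolocation: first matching network in GEO_TABLE."""
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return "UNKNOWN"


def counts_by_hour_and_country(packets):
    return Counter((p["hour"], lookup_country(p["src"])) for p in packets)


def counts_by_hour_and_target(packets):
    return Counter((p["hour"], p["target"]) for p in packets)


def noisy_hours(packets, threshold=0.6):
    """Hours in which NetBIOS/ICMP traffic is at least `threshold` of inbound packets."""
    total = Counter(p["hour"] for p in packets)
    noisy = Counter(p["hour"] for p in packets if p["target"] in NOISY_TARGETS)
    return sorted(h for h in total if noisy[h] / total[h] >= threshold)


if __name__ == "__main__":
    pk = parse_log(SAMPLE_LOG)
    print("unique inbound sources:", len(unique_source_ips(pk)))
    for key, n in sorted(counts_by_hour_and_country(pk).items()):
        print("hour %02d %-10s %d" % (key[0], key[1], n))
    for key, n in sorted(counts_by_hour_and_target(pk).items()):
        print("hour %02d %-8s %d" % (key[0], key[1], n))
    print("hours dominated by 137/ICMP:", noisy_hours(pk))
```

    The per-(hour, target) counter is the table behind the "stripes" in the comment: once traffic is keyed on destination port rather than country, a surge that is all UDP/137 and ICMP stands out without any visualization tool, and the threshold check turns that observation into something a log review can run every hour.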

  7. Re:Translation by arkowitz · · Score: 0, Troll

    The spoofing makes sense; really good point. The scary thing is it kind of looks like something on the inside of this network may be participating in the botnet, I suppose...

  8. Re:Great ways to start a conversation by PCM2 · · Score: 0, Troll

    Awww, man. I shoulda just wrote this one, saved myself some time.

    --
    Breakfast served all day!