Slashdot Mirror

← Back to Stories (view on slashdot.org)

Real-Time Cyber-Attack Map

Posted by timothy on from the get-to-the-next-phone-booth dept.

First time accepted submitter anavictoriasaavedra writes "In October, two German computer security researchers created a map that allows you to see a picture of online cyber-attacks as they happen. The map isn't out of a techno-thriller, tracking the location of some hacker in a basement trying to steal government secrets. Instead, it's built around a worldwide project designed to study online intruders. The data comes from honeypots. When the bots go after a honeypot, however, they're really hacking into a virtual machine inside a secure computer. The attack is broadcast on the map—and the researchers behind the project have a picture of how a virus works that they can use to prevent similar attacks or prepare new defenses."

36 comments

  1. who will get the most use out of this? by hguorbray · · Score: 5, Insightful

    the crackers will probably use this to test their bots and make even better bots and malware...

    seems to be the way of the world

    -I'm just sayin'

    1. Re:who will get the most use out of this? by alphatel · · Score: 2

      Okay that's fine, but why do all the hackers seem to live in Aachen (DE)?

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    2. Re:who will get the most use out of this? by besalope · · Score: 1

      Okay that's fine, but why do all the hackers seem to live in Aachen (DE)?

      If you read it again, it's from X location TO Aachen, Germany. Likely they have a honeypot there.

    3. Re:who will get the most use out of this? by Baloroth · · Score: 3, Insightful

      The honeypot only seems to recognize worms that are already recognized by AV software. All the bot makers would have to do is test it against AV software themselves, either directly or through a scanning-upload site (or even just by checksum, as the map does). It just gives researchers more of an idea of where and with what people are infected (looks like mostly variants of Conficker from the spot checks I did). Bot makers already have all the resources this gives to test their malware against. Might serve as an e-peen boost for them to see how common their malware is, but I doubt it will serve much beyond that.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    4. Re:who will get the most use out of this? by Anonymous Coward · · Score: 0

      No its not. It says Attack "From." How on earth would it be helpful to see where your own honeypot is located?

    5. Re:who will get the most use out of this? by Guru80 · · Score: 1

      It would seem to me that the "honeypots" wouldn't employ their state of the art security they develop in response to how the attacks take place thus not allowing crackers to test out their own advancements against a target known to deploy the advancements they are seeking to get around.

    6. Re:who will get the most use out of this? by Jesse_vd · · Score: 1

      From the FAQ (Click the ? in top left):
      "What is going on in Aachen?!

      Most of the time, you will see attacks targeted against Aachen. This is because our honeypot at RWTH Aachen University is very active and captures attacks against hundreds of target IP addresses. This does not mean that Aachen is attacked more often than the rest of the world!"

    7. Re:who will get the most use out of this? by Anonymous Coward · · Score: 0

      Thats the targets though (yellow dots). Not the red dots...that's where the attacks originated. Hence, not where the hackers live.

    8. Re:who will get the most use out of this? by jhoegl · · Score: 1

      Who you callin cracka?

    9. Re:who will get the most use out of this? by Anonymous Coward · · Score: 0

      Please try a bit harder.

    10. Re:who will get the most use out of this? by Xemu · · Score: 1

      The honeypot only seems to recognize worms that are already recognized by AV software.

      no, the honeypot display only the worms that are already known.

      All the bot makers would have to do is test it against AV software themselves,

      Yes, this is what bot makers do. The stupid ones use Virustotal for this testing. The smart ones have their own private test cloud.
      If this map exist or not does not change the bot maker's testing process.

      --
      Tell your friends about xenu.net
  2. HUR DUR by Anonymous Coward · · Score: 1

    outlaw maps!

  3. Should call it by DonJuanTron · · Score: 0

    HerpeMap

  4. It needs a soundtrack by Anonymous Coward · · Score: 0

    N/C

  5. Re:This map is inaccurate by Azure+Flash · · Score: 1, Funny

    -1 Insightful? How does that work?

  6. America has far fewer attackers by Todamont · · Score: 0

    We need more attacks orinating from the USA! We're losing! What the hell is Brazil smoking? Get us some of that!

    --
    Kharma is like a boomerang. Mine is broken.
  7. Maybe a few bugs by Dereck1701 · · Score: 3, Interesting

    There might be a few bugs in their mapping app, unless it is so advanced it can track oceangoing vessels. A bunch of hits on the map I am looking at are about 1,000 miles off the coast near Washington DC. I also wonder if they're going to include social attack emails at some point (I believe most reputable Webmail apps include an IP of the sender). I don't know about anyone else but at my workplace I regularly get 5 or more attempts a week to get a virus into my system by pretending to be a FedEx tracking code, or a "contract in danger" message, some of them are even rigged to look like they're from OUR It department. Luckily our spam filter catches most of them but once in a while one slips through.

    1. Re:Maybe a few bugs by Anonymous Coward · · Score: 0

      I have a little trouble parsing "1,000 miles off the coast near Washington, DC". About the same latitude as Washington, DC, perhaps. The SS Bermuda was in that general area recently?

    2. Re:Maybe a few bugs by sbcc · · Score: 2

      The answer about mapping inaccuracies from their blog post:

      Why are there so many attacks and yet so few different attackers (red dots)?

      This is just an issue of precision in geo location lookups. We identify the red dots by their GPS location and many IP addresses map to the same GPS location, even if the corresponding machines are actually not really close to each other. So one single red dot can represent many different attackers.

      As a sidenote, IP geolocation is not 100% accurate, either. In the past we had US systems being mapped to asian countries and similar problems.

    3. Re:Maybe a few bugs by Zedrick · · Score: 1

      Perhaps it's not perfect, but it's quite accurate. At my workplace I see about 10(*) successfull attacks/day (against customers with well-known holes in WP-plugins or Joomla-components), and ther access.log says the same thing as the map.

      I wish my boss could authorise hireing a hitman + planetckets so he could take them out. Or at last have him shoot the machines running the bots.

      * and many many thousand malware-mails that are eaten by amavis on the mailserver before they reach their destination

    4. Re:Maybe a few bugs by Seeteufel · · Score: 1

      It is really a sad state of affairs, so few attacks originating from Africa and the United States. Guess it must be IP-racism.

  8. Re:This map is inaccurate by rb12345 · · Score: 2

    Enough previous trolling to get a terrible karma rating (dropping initial scores to -1), plus a 50:50 moderation split between Troll and Insightful, apparently.

  9. facepalm by Anonymous Coward · · Score: 0

    cyber attack...

  10. Re:This map is inaccurate by Anonymous Coward · · Score: 0

    I am tempted to create an account just to get a -1 Insightful. It seems like quite an achievement.

  11. Mapping inaccuracies by Andy+Prough · · Score: 2

    The real problem appears to be that they are laying their data out over iOS6-generated maps.

    1. Re:Mapping inaccuracies by Maxo-Texas · · Score: 1

      hehehe. that's hysterical. wish I had mod points.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  12. Finally a live background image worth running. ;) by Anonymous Coward · · Score: 0

    I've searched for something that shows some kind of important global activity live, but never found anything good.
    Goldman Sachs trades (including especially the secret ones) and meetings would be a great map, but is obviously never going to happen. (Unless there's some genius cracker out there.)
    But this here is acceptable for now.

  13. where can i sign with them? by ruir · · Score: 1

    Would love to run a honeypot; already visited their own website and didnt find any link for downloading one though.

    1. Re:where can i sign with them? by dominious · · Score: 2
      Click on the big question mark on the top left corner:

      If you are already a member of the Honeynet Project, you can just publish your captures to hpfeeds and they will automatically show up on this map. If you are not a member, you can run your own copy of this map on your own server. Code is on GitHub (LGPL license).

    2. Re:where can i sign with them? by ruir · · Score: 1

      thanks!

  14. Re:This map is inaccurate by Caesar+Tjalbo · · Score: 1

    -1 Insightful? How does that work?

    Read "insight fool".

    --
    "I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
  15. Posting IPs of Security Researcher Virtual Machine by lalena · · Score: 1

    The site displays the source and destination IP of each attack. Doesn't this give the attackers the list of IPs of the Security VMs they should avoid? Maybe they change the IPs regularly?