Real-Time Cyber-Attack Map

First time accepted submitter anavictoriasaavedra writes "In October, two German computer security researchers created a map that allows you to see a picture of online cyber-attacks as they happen. The map isn't out of a techno-thriller, tracking the location of some hacker in a basement trying to steal government secrets. Instead, it's built around a worldwide project designed to study online intruders. The data comes from honeypots. When the bots go after a honeypot, however, they're really hacking into a virtual machine inside a secure computer. The attack is broadcast on the map—and the researchers behind the project have a picture of how a virus works that they can use to prevent similar attacks or prepare new defenses."

who will get the most use out of this?

[hguorbray]

the crackers will probably use this to test their bots and make even better bots and malware...

seems to be the way of the world

-I'm just sayin'

HUR DUR

[Anonymous Coward]

outlaw maps!

Re:

[alphatel]

Okay that's fine, but why do all the hackers seem to live in Aachen (DE)?

Re:

[besalope]

Okay that's fine, but why do all the hackers seem to live in Aachen (DE)?

If you read it again, it's from X location TO Aachen, Germany. Likely they have a honeypot there.

Re:

[Jesse_vd]

From the FAQ (Click the ? in top left):
"What is going on in Aachen?!

Most of the time, you will see attacks targeted against Aachen. This is because our honeypot at RWTH Aachen University is very active and captures attacks against hundreds of target IP addresses. This does not mean that Aachen is attacked more often than the rest of the world!"

Re:who will get the most use out of this?

[Baloroth]

The honeypot only seems to recognize worms that are already recognized by AV software. All the bot makers would have to do is test it against AV software themselves, either directly or through a scanning-upload site (or even just by checksum, as the map does). It just gives researchers more of an idea of where and with what people are infected (looks like mostly variants of Conficker from the spot checks I did). Bot makers already have all the resources this gives to test their malware against. Might serve as an e-peen boost for them to see how common their malware is, but I doubt it will serve much beyond that.

Re:

[Xemu]

The honeypot only seems to recognize worms that are already recognized by AV software.

no, the honeypot display only the worms that are already known.

All the bot makers would have to do is test it against AV software themselves,

Yes, this is what bot makers do. The stupid ones use Virustotal for this testing. The smart ones have their own private test cloud.
If this map exist or not does not change the bot maker's testing process.

Re:

[Guru80]

It would seem to me that the "honeypots" wouldn't employ their state of the art security they develop in response to how the attacks take place thus not allowing crackers to test out their own advancements against a target known to deploy the advancements they are seeking to get around.

Re:

[jhoegl]

Who you callin cracka?

Re:

[Azure Flash]

-1 Insightful? How does that work?

Re:

[rb12345]

Enough previous trolling to get a terrible karma rating (dropping initial scores to -1), plus a 50:50 moderation split between Troll and Insightful, apparently.

Re:

[Caesar Tjalbo]

-1 Insightful? How does that work?

Read "insight fool".

Maybe a few bugs

[Dereck1701]

There might be a few bugs in their mapping app, unless it is so advanced it can track oceangoing vessels. A bunch of hits on the map I am looking at are about 1,000 miles off the coast near Washington DC. I also wonder if they're going to include social attack emails at some point (I believe most reputable Webmail apps include an IP of the sender). I don't know about anyone else but at my workplace I regularly get 5 or more attempts a week to get a virus into my system by pretending to be a FedEx tracking code, or a "contract in danger" message, some of them are even rigged to look like they're from OUR It department. Luckily our spam filter catches most of them but once in a while one slips through.

Re:

[sbcc]

The answer about mapping inaccuracies from their blog post:

Why are there so many attacks and yet so few different attackers (red dots)?

This is just an issue of precision in geo location lookups. We identify the red dots by their GPS location and many IP addresses map to the same GPS location, even if the corresponding machines are actually not really close to each other. So one single red dot can represent many different attackers.

As a sidenote, IP geolocation is not 100% accurate, either. In the past we ha

Mapping inaccuracies

[Andy Prough]

The real problem appears to be that they are laying their data out over iOS6-generated maps.

Re:

[Maxo-Texas]

hehehe. that's hysterical. wish I had mod points.

Re:

[Seeteufel]

It is really a sad state of affairs, so few attacks originating from Africa and the United States. Guess it must be IP-racism.

Re:

[Zedrick]

Perhaps it's not perfect, but it's quite accurate. At my workplace I see about 10(*) successfull attacks/day (against customers with well-known holes in WP-plugins or Joomla-components), and ther access.log says the same thing as the map.

I wish my boss could authorise hireing a hitman + planetckets so he could take them out. Or at last have him shoot the machines running the bots.

* and many many thousand malware-mails that are eaten by amavis on the mailserver before they reach their destination

where can i sign with them?

[ruir]

Would love to run a honeypot; already visited their own website and didnt find any link for downloading one though.

Re:

[dominious]

Click on the big question mark on the top left corner:

If you are already a member of the Honeynet Project, you can just publish your captures to hpfeeds and they will automatically show up on this map. If you are not a member, you can run your own copy of this map on your own server. Code is on GitHub (LGPL license).

Re:

[ruir]

thanks!

Posting IPs of Security Researcher Virtual Machine

[lalena]

The site displays the source and destination IP of each attack. Doesn't this give the attackers the list of IPs of the Security VMs they should avoid? Maybe they change the IPs regularly?