
Crazy Firewall Log Activity — What Does It Mean?

kdawson posted more than 4 years ago | from the mainly-on-the-plane dept.

The Internet 344

arkowitz writes "I happened to have access to five days' worth of firewall logs from a US state government agency. I wrote a parser to grab unique IPs out, and sent several million of them to a company called Quova, who gave me back full location info on every 40th one. I then used Green Phosphor's Glasshouse visualization tool to have a look at the count of inbound packets, grouped by country of origin and hour. And it's freaking crazy looking. So I made the video of it and I'm asking the Slashdot community: What the heck is going on?"


Skylab Shreds (5, Funny)

conner_bw (120497) | more than 4 years ago | (#30874766)

Not sure what it means, but I'm tempted to plug-in Guitar Hero and jam along to your firewall logs.

Re:Skylab Shreds (2, Insightful)

KshGoddess (454304) | more than 4 years ago | (#30874810)

That's what I thought it was for. Srsly, they're your firewall logs. You should have some clue where inbound traffic is coming from and why. If you've got a webserver serving some sort of information that changes, this could be rss readers hitting your site. Or it could be pings of death being dropped by your firewall. It could be web surfers getting to work and hitting you up for information, or browsers grabbing some active information on your site. It could be googlebots. It could be slashdot hits for all I know. These are just theories, because this isn't my firewall or my traffic.

Re:Skylab Shreds (1)

Magic5Ball (188725) | more than 4 years ago | (#30874918)

Yes. Some context would be helpful, including what's behind the firewall, the kinds of traffic you think you're accepting, and public expectations of the services available.

Visualizing by port or protocol would be a great way to begin to figure out what the traffic is.

Also, CERT and related may remember if any interesting 0-days were released just prior to the first band, etc.

Re:Skylab Shreds (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30875188)

I agree. For example, I think vaginas are fucking revolting. They look like monster faces for fucks sake. They leak blood. BLOOD. And sometimes babies, little mini-people that come into this world screaming and shitting. It's both a biological oddity and quasi-mystical force of nature, and when I think of sticking my dick into one, I imagine it temporarily transitions into a multidimensional hell where up is black and down is white and people hear with their noses. And when my cock returns, it looks and feels and smells like my cock, but it is subtley transformed in some uncanny way, never to be the same again.

Re:Skylab Shreds (3, Insightful)

bakes (87194) | more than 4 years ago | (#30874934)

Yes, he knows the firewall and the traffic. The question is - why is there suddenly traffic appearing from every country in the world at the same time? And again a number of hours later? And again 5 or 6 times? Suddenly there are inbound packets from every country in the world, for an hour or two, then it dies off. For some countries, the first 'stripe' is also the start of consistently higher traffic from that country. Does this mean anything?

I think it might be more useful to know the actual dates, and see if this corresponds with any spikes in spam or virus activity. What would be most useful would be to know the dest port number of the inbound traffic; that could give us much better clues as to the reasons behind the patterns.

Re:Skylab Shreds (4, Insightful)

rednip (186217) | more than 4 years ago | (#30875100)

You're trying to imagine shapes in clouds; there is no context. Video conference call, maybe? Also, could be synchronization, or backups. Spooky garbage for the tin foil hat crowd, I hear there's a good business in it these days. It's an ad for a 3D graphing service.

Re:Skylab Shreds (1)

Jane Q. Public (1010737) | more than 4 years ago | (#30875332)

Video conference calls do not last for hours or days. And why would somebody in China or Romania be "backing up" data from a state government website?

Re:Skylab Shreds (4, Insightful)

pipatron (966506) | more than 4 years ago | (#30875348)

It's an ad for a 3D graphing service.

Indeed, the guy from the graphing service is the same guy who made this.

Re:Skylab Shreds (0, Redundant)

ozmanjusri (601766) | more than 4 years ago | (#30875156)

You should have some clue where inbound traffic is coming from and why.

And talking of getting clues, this also needs more context.

Computers are used by people. People who wake up, work, play, sleep, have weekends, business holidays, religious holidays, events and a pantheon of other reasons why they might act in seeming semi-concert.

Without knowing what network this firewall is on, or what reasons there might be for attempted access, we have no way of analysing the results. The "lines" could just be timezone effects.

On a side note, it's amusing to watch the way timezones affect Slashdot mod points, especially on controversial comments. Around 9pm my time (Perth, Western Australia), there's always a flood of downvotes for pro-FOSS or anti-proprietary comments. Work that one out...

re Firewall? (-1, Offtopic)

jelizondo (183861) | more than 4 years ago | (#30874786)

Crazy Firewall Log Activity — What Does It Mean?

Maybe it is the Great Firewall of China?

Re:re Firewall? (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30875368)

Why was this modded down? Right now, China is where the bulk of attacks are coming from. And considering that China will not offer up their logs, it COULD be from their firewall. Historically, China has been willing to offer up evidence to disprove many weird things, but not on these.

What does a normal firewall log look like? (0)

Anonymous Coward | more than 4 years ago | (#30874800)

See title (and answer it).

Well duh! (0)

Anonymous Coward | more than 4 years ago | (#30874804)

It's the Chinese HACKERS!

2001 (1, Funny)

jamesh (87723) | more than 4 years ago | (#30874812)

Anyone else tempted to hum the theme tune to 2001 when they looked at that?

And also... "oh my god... it's full of stars"

Re:2001 (4, Funny)

hack slash (1064002) | more than 4 years ago | (#30874960)

And also... "oh my god... it's full of bars"

Fixed that for you.

I'm confused (2, Funny)

Anonymous Coward | more than 4 years ago | (#30874816)

Is this post an advertisement for Quova or Green Phosphor's Glasshouse?

Re:I'm confused (5, Insightful)

pipatron (966506) | more than 4 years ago | (#30875316)

I don't even know why the Quova crap is mentioned since you can look up the country for *each* of your IPs locally using GeoIP.

vertical stripes (1)

donaggie03 (769758) | more than 4 years ago | (#30874820)

I'm actually a lot more interested in the vertical stripes than the horizontal ones. It looks like at certain times, every country in the world sends a packet...

Re:vertical stripes (0)

Anonymous Coward | more than 4 years ago | (#30874858)

Depends on the type of server. Maybe they're running an NTP server or RSS or something else that people check periodically.

If it's popular enough then you'd get hits from just about everywhere.

Re:vertical stripes (2, Insightful)

jra (5600) | more than 4 years ago | (#30874926)

Yeah, I meant to say that it's also difficult to tell what's going on because you conflated all destination protocols and ports together.

Re:vertical stripes (1)

Firehed (942385) | more than 4 years ago | (#30875360)

That would make more sense if they were regular - but those lines appeared to show up at several irregular periods throughout the day. Though on the flip side, they may have several cron jobs that run and ping (most of) the outside world to make sure there wasn't a nuclear detonation during teatime or something.

Without knowing more about the environment and having more data, we can only speculate. But I doubt it's malicious - seems unlikely to follow that consistent of a pattern for the vertical stripes. Someone above mentioned videoconferencing as a possible explanation - it starts at the beginning of the work day and ends at the end, and is only going out to a few different places. Something along those lines would make sense for the horizontal stripes, at least.

Re:vertical stripes (4, Informative)

jmauro (32523) | more than 4 years ago | (#30874892)

It looks like an active attack probably from one source with a number of controlled bots helping out.

The packets from every country at once are probably spoofed sender IP addresses from one or more sources (probably the spike countries).

The spiked country traffic is probably the controlled bots attacking the host actively.

Without seeing the actual packet data it's just a guess though.

Re:vertical stripes (1)

dcarlo (1643925) | more than 4 years ago | (#30875342)

Could also be a spoofed source IP scan.

Re:vertical stripes (1)

wizardforce (1005805) | more than 4 years ago | (#30874902)

This could just be a case where traffic is routed through different proxies at nearly the same time by a relatively small group of computers, or something coordinated many different machines to connect to their server(s), like a botnet.

Re:vertical stripes (1)

FatherDale (1535743) | more than 4 years ago | (#30875062)

Agree. It'd be interesting to know what the trigger is for EVERYBODY to hit it at once....

Re:vertical stripes (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30875126)

Quite likely the server in question is sending floods of stuff out into the world and the vertical stripes are the responses... which quickly die off as the target machines lose interest.

The horizontal lines are probably botnets who, now that they've seen the 'announce' that the vertical lines represent, are interested and are picking away looking for a way in.

No forreals... (1)

ihatewinXP (638000) | more than 4 years ago | (#30874822)

RTFV: this is one of the more interesting problems I've seen posted in years.... Especially as a China resident... Odd... Thoughts, /. community?

"Does this mean anything?"

Finally (1)

sznupi (719324) | more than 4 years ago | (#30874830)

Somebody who doesn't forget Poland.

(even if traffic from there wasn't unusual in any way)

Re:Finally (0)

Anonymous Coward | more than 4 years ago | (#30875084)

I've never forgotten Poland ever since I had my first Paczki [wikipedia.org] .

I just wish I could get them around here.

Botnets are fun (0)

Anonymous Coward | more than 4 years ago | (#30874838)

Botnet timed activation trying to hack into the Govt database that the firewall was protecting.

Another Slashdot Ad? (5, Insightful)

Frogking (126462) | more than 4 years ago | (#30874840)

Wait, is this just an advertisement for Glasshouse? The voice in the video on Green Phosphor's website is exactly the same.

What gives?

Re:Another Slashdot Ad? (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30874886)

Slashvertisements are not a new thing.

Re:Another Slashdot Ad? (5, Informative)

Jah-Wren Ryel (80510) | more than 4 years ago | (#30874904)

Wait, is this just an advertisement for Glasshouse? The voice in the video on Green Phosphor's website is exactly the same.

It is totally the same guy - the background noise sounds identical too - like he recorded it on the same microphone with the same environmental conditions.
Hell, he even starts each narration exactly the same with the pattern of, "Hi <name> here."

Re:Another Slashdot Ad? (1)

jra (5600) | more than 4 years ago | (#30874932)

Heh. Well, if they need voice talent (and they *do* need voice talent, let me tell you), I'm available.

Re:Another Slashdot Ad? (5, Informative)

NoTheory (580275) | more than 4 years ago | (#30875128)

If you check the other uploaded videos on youtube [youtube.com] by the same guy (whose name appears to be "Ben Lindquist", the CEO of Green Phosphor, found on blogger [blogger.com] and twitter [twitter.com] ), there is an introduction to Green Phosphor's Glasshouse [youtube.com] . So yeah, Slashvertisement done in the style of Lost.

Welcome to the future of advertising. /sigh.

Interesting. (2, Insightful)

Dartz-IRL (1640117) | more than 4 years ago | (#30874842)

It's pretty interesting. You can see the countries with the largest botnets in the log... which also seems to suggest that a large majority of the packets are coming from the one botnet... since a good number of them kick in at the same time.

It also looks cool. Which is critical.

botnet. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30874846)

The striping across all countries is a check whether your site is reachable from that part of the botnet, the purpose of the traffic is unclear; either to do a large data grab or it's a (very unsuccessful) bandwidth attack, or something. You should adjust it for number of internet connected users [internetworldstats.com] per country first then revisualize that.

Re:botnet. (1)

Comen (321331) | more than 4 years ago | (#30875102)

I am not sure what is unusual about this; this is the type of thing you see when you watch a big firewall's logs. I used to parse through a big Checkpoint firewall's logs with all kinds of trending software all the time, and you always see strange trends like this. There could be all kinds of reasons why certain countries access your network or webpages at a certain time of day every day, not to mention botnet activity or really just servers scanning for open ports etc... The vertical stripes would mean that all countries accessed your network more on one day than the day before or after for some reason (there could be real reasons that would happen). You mentioned "over a hundred packets an hour"; that is small really, nothing too unusual.
This reminds me of many times we would sell customers a PIX and the first thing they do is start asking why the logs have red alarms denying packets in them... And we even had customers get mad because we sold them an internet connection with traffic that is coming in from all these places and getting denied. I would just explain that is why you bought this firewall; feel good it's here blocking this stuff. I do agree it's interesting, but if you really want to figure out what this stuff is you can always sniff it and see what they are doing I guess.

Filter your data... (3, Insightful)

Itninja (937614) | more than 4 years ago | (#30874848)

Is this guy filtering out backscatter like DNS replication and time updates? If it's from a State agency it's entirely possible that they are running a root DNS server on-site (I work at a State agency and we are). Also, what timezone is he in? Knowing that might help explain the spike at 21:00. Is that GMT? Need input!

Why am I worried? (4, Insightful)

Anonymous Coward | more than 4 years ago | (#30874850)

So you have access to these firewalls but you don't know how to go about diagnosing the problem aside from an Ask Slashdot? Am I the only one who's a little baffled by this?

Re:Why am I worried? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30875064)

You're right, this story doesn't add up. It could be that this data has all been faked, just to advertise for the linked-to companies and products.

Mod parent up (1, Informative)

Anonymous Coward | more than 4 years ago | (#30875198)

Exactly. This guy is advertising his own not-very-creative service.

Sure - he just happens to have access to the US State Department logs, but isn't smart enough to look at the packets?

Astroturf.

Re:Why am I worried? (5, Insightful)

digitalchinky (650880) | more than 4 years ago | (#30875194)

Why baffled? This is naught more than an advert for a graphic log analysis filter riding on the coattails of the google / China thing.

There are many others that go about the same task in different ways, most are free, this one is not.

Re:Why am I worried? (1)

krej (1636657) | more than 4 years ago | (#30875226)

I was wondering the same thing. Why do you have access to government logs yet don't have a better way to figure out what it is than ask on slashdot?

Mystery? What mystery? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30874854)

Were you unaware that botnets spanned the globe, or that certain countries have a higher incidence of compromised systems? If you don't understand those things, maybe you should get someone else to manage your firewalls?

Intel (1)

MandoSKippy (708601) | more than 4 years ago | (#30874856)

I would have to say that the countries of interest on the graph seem to be the countries of interest from a malware/hacking perspective. Perhaps it's bot net activity where there is a large amount of port scans that kick off from all over the world and then some of the "increase" after the lines would be further recon activity. All very interesting.

obviously (0, Offtopic)

flyneye (84093) | more than 4 years ago | (#30874862)

It's a Denial of Reality attack from Democratic Chinese Youth for Christ protesting Iraqi Bacon Bits embargo.
Go figure. You could probably blame Hillbillary Clinton for refusing to recognize Constitutional Rights. I'm sure the attack will subside when we send Sen. Tedward Kennedy over to give swimming lessons. This international diplomacy thing isn't hard to figure out. We'll just let the Wichita Air Nat'l Guard fire up their Windoze boxes and challenge them to a round of GO.

Re:obviously (1, Offtopic)

AlexWillisson (1348553) | more than 4 years ago | (#30875110)

Where are mod points when you need them? Parent desperately needs to be modded something OTHER than informative.

I see the people who have a clue haven't gotten (0, Redundant)

jra (5600) | more than 4 years ago | (#30874866)

here yet. :-)

Though I did like the Guitar Hero riff..

The time-based stripes look like a botnet being triggered. It's possible the increases in traffic from certain places after the stripe pattern commenced might be due to distribution in infections by a botnet client.

To make any real judgement on that, it would probably be necessary to see more like 6 months worth of data all at the same time.

I suspect Bill Cheswick and Steven Bellovin might have some interesting comment to make on this; I chat with Steve occasionally; I'll point him at the thread. (For those not playing the home game; they wrote the Wily Hacker book, and used to run AT&T's corporate firewall.)

Re:I see the people who have a clue haven't gotten (1)

Loomismeister (1589505) | more than 4 years ago | (#30874920)

Don't waste their time with this shameless advertisement.

My guess (2, Interesting)

JoshuaZ (1134087) | more than 4 years ago | (#30874872)

It looks to me like the lines of major activity likely corresponded to major news events or other events that caused people to look at the relevant government agency. Without more data it is difficult to speculate. It might be possible to look at the approximate date (Early September of 2009) and find a specific event that would cause this. Indeed, it might then be possible to actually make a guess as to what government agency the firewall belonged.

Re:My guess (2, Insightful)

sfcat (872532) | more than 4 years ago | (#30874922)

If that were the case, you would see a more gradual decline in the traffic and not so regular usage across the board. It looks like a bot net with significant infection in the countries with increased traffic after the first stripe. I'm sure someone with more experience in this type of thing could tell us even more about it however...

My guess-Paint by Packet (0)

Anonymous Coward | more than 4 years ago | (#30874924)

What kind of packets would be nice?

Nice job, one question (0)

Anonymous Coward | more than 4 years ago | (#30874874)

Great concept and presentation. Point of clarification- you said you are counting inbound packets. Did you differentiate between blocked/dropped & passed traffic?

Temporal Discontinuity in Data (2, Insightful)

wufpak (204617) | more than 4 years ago | (#30874898)

Looking at the pop-up labels that show up when you mouse-over the data, there seems to be a huge temporal discontinuity in your data set: right at the first vertical stripe, the displayed date/time labels jump from 2009-09-17 to 2009-09-27. Maybe I'm just misreading the display, but a 10-day discontinuity would seem to account for the anomaly you describe.

It couldn't be that easy, could it?

Re:Temporal Discontinuity in Data (1)

Dachannien (617929) | more than 4 years ago | (#30875124)

It might account for the first vertical stripe directly (ten days' worth of minimal packet data accumulated into one data point), but then you would expect the data from the busy countries to then be ten times as high for that one data point.

But what it does indicate is that there are ten days of missing data that most likely show the start of this behavior and could provide further insight.

I wonder whether this data was inadvertently left out by the submitter, inexplicably dropped by the third-party processing company, or intentionally deleted from the server logs by some outside party who gained access to the box.

Re:Temporal Discontinuity in Data (1)

Dachannien (617929) | more than 4 years ago | (#30875142)

Er... sorry, the x axis goes by hours mostly, so it would be 240 times as high rather than 10.

Obviousness? (0)

Anonymous Coward | more than 4 years ago | (#30874914)

Could the incoming packets be the result of something sinister... like responses to requests originating from systems inside the unspecified government office? And when did the first stripe occur, say, 0600 Monday local time? Honestly, the poster's question fails to address the most obvious questions. Nice advertisement for Quova and Green Phosphor, though. Maybe that was the *real* point?

Re:Obviousness? (1)

zippthorne (748122) | more than 4 years ago | (#30875098)

Not really. It makes green phosphor look like laggy shareware. Something with no effort spent on beautifying the interface and even less effort spent on cheating enough to make it visually smooth.

It made me think, "that's a really cool idea. If I had to do that kind of visualization (large dataset over two independent variables), I'd definitely be interested in something like that. But done well, instead."

What's going on? (0, Offtopic)

Blakey Rat (99501) | more than 4 years ago | (#30874928)

So I made the video of it and I'm asking the Slashdot community: What the heck is going on?

You badly need a new hobby.

Ad (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30874940)

it means that this is an ad for Quova and Green Phosphor's Glasshouse

"And its freaking crazy looking" (5, Insightful)

PCM2 (4486) | more than 4 years ago | (#30874944)

Am I the only one who found the five minutes of this video to be about as interesting as listening to a stoned person describe the cracks on the ceiling?

You designed the visualization, buddy. If it's "freaking crazy looking," rather than yielding any useful insight, then obviously you did not visualize it in a meaningful way. You failed, in other words.

But as an earlier poster noted, this is just a Slashvertisement for the visualization tool in question. No doubt it will be quite effective on the kind of people who talk as slowly as the guy in the video.

Re:"And its freaking crazy looking" (1)

garcia (6573) | more than 4 years ago | (#30875000)

You designed the visualization, buddy. If it's "freaking crazy looking," rather than yielding any useful insight, then obviously you did not visualize it in a meaningful way. You failed, in other words.

I don't know this guy or how he obtained the data he used to build the visualization but based on his question asking what is happening, it would appear that he doesn't understand the data that he analyzed visually. So, to respond to your point that it's his fault because he couldn't properly frame the data visually, well, I can't say it's really his fault. He doesn't seem familiar with the data and thus probably wouldn't be able to give anyone else something useful.

Re:"And its freaking crazy looking" (0, Troll)

Eightbitgnosis (1571875) | more than 4 years ago | (#30875108)

I read the author and learned a little about network usage patterns and how to look at them. I read your post and saw a lot of complaining. Point goes to the original author

Re:"And its freaking crazy looking" (5, Insightful)

Dr. Evil (3501) | more than 4 years ago | (#30875158)

I wouldn't be so quick to support the author. The voice on the youtube video sounds a lot like the voice on the youtube video featured on the front of the webpage for http://www.greenphosphor.com/ [greenphosphor.com] . If not him, look at the related videos, notice a pattern? Maybe one of the other voices talking about features of the product will sound familiar.

That wasn't complaining. THIS is complaining. (5, Insightful)

PCM2 (4486) | more than 4 years ago | (#30875278)

You want complaining? How about this: This visualization is terrible.

The video took five minutes to watch and most of it was him rolling over the bars in the 3-D chart so you can see what each of the lines means. If that's supposed to be a useful visual aid, I'll eat my hat. It's bad enough that you have to manually roll over every data element to figure out what it is; scrolling through the graph seemed dead slow. I hope that's not a limitation of the product itself.

Simple labels on the axes of the graph would have been nice. Far be it from anyone to try to stick little flags next to the lines to represent different countries. Hell, just color-coding them in a totally arbitrary way would have made the graph easier to read.

BTW, a quick look at the Glasshouse site reveals all their output looks pretty much just like this demo. And there's no evidence that you can export one of their rudimentary 3-D graphs to "pretty it up" in a real 3-D app. Instead, their raison d'être appears to be allowing you to run around looking at these graphs... in Second Life.

I'm sorry, but if you're doing something like plotting fractals, for example, where visual similarity to patterns is the whole point, I can forgive you for coming to the conclusion that "it's crazy looking." If what you're doing is trying to provide a visual to aid in the interpretation of data, then the visual should -- y'know -- aid interpretation. A glance at this graph, on the other hand, reveals nothing; not even what it's supposed to represent.

In summary, Edward Tufte will be rolling in his grave when he dies from looking at this graphic.

Re:"And its freaking crazy looking" (0)

Anonymous Coward | more than 4 years ago | (#30875240)

rather than yielding any useful insight, then obviously you did not visualize it in a meaningful way. You failed, in other words.

Here's another example of another cyber security fail [youtube.com] .

The smell of fresh grass (0, Redundant)

noidentity (188756) | more than 4 years ago | (#30874972)

Hmmm, I don't know [knowledgesys.com] . As I sit here sipping my soda [pepsi.com] , the imagery [imagesystemsinc.com] reminds me [memotome.com] of various things. One thing comes to mind [google.com] , though.

Several factors contribute to this graphics ... (2, Interesting)

GNUALMAFUERTE (697061) | more than 4 years ago | (#30874994)

First, we would need to know what kind of traffic we are seeing. TCP/UDP? Web? DNS?

On the other hand, I think you have only partial logs; that would explain many of the blanks in your data. Some blanks are too geometric to be correct; you are probably missing a shitload of data.
You have to take into account that, and timezones. Timezones are the key to this. This is probably some public service that gets hit at regular intervals (root DNS server, webserver holding news/stock/climate or similar information, etc). Timezones would explain the pattern. We would need to check times for each country against a timezone table to see if they correlate.
I'm also pretty sure that if someone took the time to look at the most active countries, the less active countries, and some groups in between, we would probably be able to determine what kind of traffic this was.

Some people mentioned botnets, and there's a big chance that they have a huge influence on these graphs; again, matching timezones against this graph would help us understand.

I don't know what kind of information the submitter has on the logs, or how he got them, but if he could post at least a small sample, that would help a lot. /methinks that submitter has a lot to do with the tool he's using, and this is just another slashvertisement.

check the news for 27 Sept 2009 (0)

Anonymous Coward | more than 4 years ago | (#30875006)

e.g.
http://en.wikipedia.org/wiki/Portal:Current_events/2009_September_27

Iranian missile tests?
Afghanistan surge request?
German elections?
Ooh - probably the Venezuelan ban on Family Guy - that would surely stir up traffic....

It looks like (1)

kilodelta (843627) | more than 4 years ago | (#30875016)

Web robots. Just put a robots.txt file in your web directory and that pretty much shuts it down.

Also take into account that China, Russia, et al. are +12 from us, so that might explain some of it. In other words, they might be caching your site.

Umm (1)

DrugCheese (266151) | more than 4 years ago | (#30875032)

So why is he using State property for personal gain? My guess is his logs for his website were way too boring.

Shouldn't there be some agency in Florida that does not want their logs posted, even in cartoon format, in an internet video? I'm guessing this is probably either the Florida Dept. of Revenue or the Florida Dept. of Financial Services.

It just means (5, Interesting)

OeLeWaPpErKe (412765) | more than 4 years ago | (#30875042)

(this is a guess, obviously. Full netflow data would tell me more, but only way to be really sure would be a full packet trace)

This just shows that you're being scanned with random source IP addresses (that's why the vertical stripe lights up). It is essentially a check to see if part of the botnet has more firewall access than other parts, or if a load balancer directs stuff to different firewalls, or if you have additional BGP uplinks, some of which might not be quite as secure.

Then the real scan starts, which uses the information gained in the first phase to make sure it tests out all the firewalls the target network has. Especially in the case of backup BGP links, where traffic comes in on physically and administratively different lines (say 1 Verizon, 1 AT&T, if you've got money to burn, and most govt. idiots feel the need to burn money). If the company in addition to the multiple uplinks outsources firewalls to those ISPs (or "security", not knowing what they're buying and getting nothing more than a smug false sense of security), again this is done by too many govt. agencies, you are bound to find holes this way. This uses actual bandwidth, and cannot be done on some networks. So what you're seeing is a disproportionate amount of scanning traffic coming from countries with fast networks and few watchful netadmins (or netadmins that just don't care, in Turkey's case), and many unsecured computers (and dear God, Turks and Russians really do not see any need for virus scanners, but generally you'd see a few other countries in there too. Heh, the Russians are probably worried that running a virus scanner will interfere with their development of new viruses).

The regular repeats of vertical lines are probably to rescan reachability information, in case something changed. BGP can be twitchy, especially with incompetent local admins (on the botnet side of the network I mean)

From the (low) speed of the attack you can further deduce that it was an advanced attack, meant to stay below rate limiters, and presumably meant to stay below the radar. And from the resources required to pull this off you can deduce that this was not a lone hacker. Perhaps an organization (these days, tracing source IPs for security attacks almost invariably yields an IP address in far inland China, which is not because the Russians have stopped attacking networks, but the Chinese are putting quantity above quality, it seems, these days).

And frankly, if someone has this kind of patience, generally they will find at least something, even in a well maintained network. Best hope it was only some files left out in the "public" folder or ~username folders. It's a good bet they probed the network security in other ways too (esp. googling), with IPs that will tell you much more about where the attack is coming from (using many hops is possible, but results in very slow page loads. And we're all human).

Btw: looking up a net's country can be done quickly via DNS, no need for an external company, no need for any tax dollars:

[kimmy@t61 ~]$ host -t TXT 104.79.125.74.cc.iploc.org
104.79.125.74.cc.iploc.org descriptive text "US"

(don't forget to reverse the IP address: looking up 1.2.3.4 is done by host -t TXT 4.3.2.1.cc.iploc.org)
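The reversed-octet DNS lookup above, applied to a firewall log the way the story's parser did (unique source IPs, then a country per IP), as an added example that is not part of the comment or of the original poster's tool. The log lines are constructed iptables-style samples, and the DNS service is replaced by an injected resolver function (a constructed lookup table here) so the script runs offline; in real use you would wrap `host -t TXT <name>` or a DNS library in that function and rate-limit it. One caveat the comment leaves out: private, loopback and multicast sources have no country, so they are filtered before the lookup. Documentation ranges (203.0.113.0/24 and friends) are deliberately left through because the sample uses them; note that Python's `ipaddress.is_global` would classify them as non-global, which is why the filter below uses an explicit list instead.

```python
import ipaddress
from collections import Counter

# Constructed iptables-style firewall log lines; not taken from the agency logs in the story.
SAMPLE_LOG = """\
Jan 20 09:01:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.17 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=22
Jan 20 09:01:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.17 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=22
Jan 20 09:02:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=80
Jan 20 09:03:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.8 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=53
Jan 20 09:03:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.250 DST=198.51.100.5 PROTO=TCP SPT=2222 DPT=22
Jan 20 09:03:05 fw kernel: IN=eth0 OUT= SRC=not-an-ip DST=198.51.100.5 PROTO=TCP SPT=1 DPT=22
"""

# Sources that can never map to a country. Explicit list rather than ipaddress.is_global,
# because is_global also rejects the documentation ranges used in the sample above.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def iploc_query_name(ip):
    """Build the reversed-octet TXT query name for a cc.iploc.org-style lookup:
    '1.2.3.4' -> '4.3.2.1.cc.iploc.org'. Returns None for IPv6 and non-routable sources."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or any(addr in net for net in NON_ROUTABLE):
        return None
    return ".".join(reversed(ip.split("."))) + ".cc.iploc.org"


def parse_txt_answer(line):
    """Extract the country code from a `host -t TXT` answer line such as
    '104.79.125.74.cc.iploc.org descriptive text "US"' -> 'US'. None if absent/unparseable."""
    if not line or " descriptive text " not in line:
        return None
    _, _, quoted = line.partition(" descriptive text ")
    return quoted.strip().strip('"') or None


def unique_sources(log_text):
    """Unique SRC= addresses from iptables-style lines, skipping malformed values."""
    seen = set()
    for line in log_text.splitlines():
        for field in line.split():
            if field.startswith("SRC="):
                value = field[4:]
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    continue
                seen.add(value)
    return seen


def count_by_country(log_text, resolve_txt):
    """Resolve each unique source to a country via resolve_txt(query_name) -> answer line
    (or None) and count sources per country. Non-routable and unresolved IPs go to 'UNKNOWN'."""
    counts = Counter()
    for ip in sorted(unique_sources(log_text)):
        name = iploc_query_name(ip)
        cc = parse_txt_answer(resolve_txt(name)) if name else None
        counts[cc or "UNKNOWN"] += 1
    return counts


# Constructed stand-in for the DNS service, keyed by the reversed query name.
FAKE_DNS = {
    "17.113.0.203.cc.iploc.org": '17.113.0.203.cc.iploc.org descriptive text "RU"',
    "77.100.51.198.cc.iploc.org": '77.100.51.198.cc.iploc.org descriptive text "US"',
    "250.2.0.192.cc.iploc.org": '250.2.0.192.cc.iploc.org descriptive text "RU"',
}

if __name__ == "__main__":
    print(count_by_country(SAMPLE_LOG, FAKE_DNS.get))
```

Counting unique sources rather than packets is the point: one chatty host does not become a "country", which is also what undercuts the every-40th-IP sampling in the story when a handful of hosts do most of the talking.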

Re:It just means (1)

TooMuchToDo (882796) | more than 4 years ago | (#30875304)

Perhaps the same group China was using to pull data from Google? It would match the criteria you outlined in your post (sophisticated attack, resources required, etc.). Whoever is handling the LEO side of the Google investigation should get a copy of these logs.

bot net (1)

Jessta (666101) | more than 4 years ago | (#30875056)

My guess is that it's a bot net becoming active.
The countries with higher traffic during that period are countries that are widely known to have high botnet activity; they are also more likely to have server botnet activity, which is why they don't stripe like the other countries.

The stripes are likely day/night where infected PCs are turned off when not in use.

classic Bot activity (0)

Anonymous Coward | more than 4 years ago | (#30875076)

Considering the countries involved and the pattern of propagation, it is obviously bots. Remember also they took every 40th packet, so when he says 100 pings he's talking 4,000, which is a lot of activity.

Are the numbers supposed to be multiplied by 40? (1)

hellop2 (1271166) | more than 4 years ago | (#30875080)

So 300p/hr = 12000p/hr?

If you don't know what your logs are... (0)

Anonymous Coward | more than 4 years ago | (#30875104)

Then maybe you have been promoted to the point of failure. Typical government hiring... look for the degree first and the intelligence to pound sand out of a boot second.

Distributed ssh attacks (1)

discordia666 (940470) | more than 4 years ago | (#30875114)

Over the past week I've had the following countries hitting my ssh:

  108 location: RO
  121 location: CZ
  122 location: HU
  133 location: AU
  142 location: HK
  143 location: MX
  145 location: BR
  151 location: TH
  152 location: CO
  158 location: IN
  183 location: MU
  184 location: NL
  191 location: ES
  205 location: ININ
  234 location: JP
  252 location: FR
  270 location: CA
  306 location: PL
  313 location: GB
  314 location: TW
  355 location: CNCN
  364 location: IT
  379 location: RU
  399 location: KR
  632 location: DE
1361 location: CN

what when where who? (1)

quantumpineal (1724214) | more than 4 years ago | (#30875120)

there's absolutely no context given at all here. and the fact that ips are coming from different countries could simply mean that proxies are being used in those countries. you say you work for the government?

Great ways to start a conversation (5, Funny)

Anonymous Coward | more than 4 years ago | (#30875140)

"I happened to have access to five days worth of firewall logs from a US state government agency..."

"While skimming through my grandmother's cookbook, I stumbled upon a recipe for processing yellowcake uranium..."

"In passing, a close personal friend mentioned to me that he would deploy ~30k troops to a Mideastern country, but he's worried that the local restaurateurs won't serve fresh babaganoush ..."

"While I was talking to a famous adult film star about my successful experiment with cold fusion..."

"I was fighting against an alien invasion of the Soviet Union the other day. Natalie Portman and I prepared a platoon of sharks with frickin' hotgrits cannons on their heads, but the unwelcome overlords kept jumping the sharks..."

I know what it is (0)

Anonymous Coward | more than 4 years ago | (#30875152)

An ad. Same voice on this video as on the demo for the software company who made the 3D charting. 3D charting, whoop-de-fucking-do.

Time zones and day of week (0)

Anonymous Coward | more than 4 years ago | (#30875164)

Group countries by timezone they appear in. You may see spikes correlated to zone. Also think about the day of week. Not everybody has the same days or any days off.

Uh, that's PETER GIBBONS! (1)

adosch (1397357) | more than 4 years ago | (#30875176)

If that's not the voice of Peter Gibbons from Office Space [wikipedia.org] , then slap me silly!

"...Well, I generally come in at least fifteen minutes late, ah, I use the side door - that way Lumbergh can't see me - and, uh, after that I just sorta space out for about an hour and visualized activity by hour and country. I... took a bunch of the IP's from the logs, sent them to a company called Initech; Initech took every... (sent millions of them) Initech took every 40th one and sent them to Lumberg's house."

Re:Uh, that's PETER GIBBONS! (1)

spydum (828400) | more than 4 years ago | (#30875300)

Were you watching E! ? Office Space just ended, and I was thinking the same thing!

CrazyFireWallActivityGenerator.c (1)

mysidia (191772) | more than 4 years ago | (#30875216)

/* constants, helpers and the full per-country/hour table are assumed to be defined elsewhere */
void GenerateCrazyFirewallActivity(struct in_addr dest[NUM_TARGETS], int hour, int minute) {
    int i, j, count;
    int SpoofPackets[NUM_COUNTRIES][HOURS_OF_THE_DAY] = { { 10, 17 }, .... };
    for (j = 0; j < NUM_TARGETS; j++)
        for (i = 0; i < NUM_COUNTRIES; i++) {   /* country i sets the volume, target j receives it */
            count = SpoofPackets[i][hour] * random_fraction() + (confuse_the_hell_out_of_them ? 100 : 0);
            SpoofPacketsTo(dest[j], count);
        }
}

Bot-Net attack (1)

MasterOfGoingFaster (922862) | more than 4 years ago | (#30875244)

I'd guess you are seeing a bot-net attack. The bot-net army would have the greatest numbers in IT-heavy countries (US, India, China). The command structure would cause them all to attack at (roughly) the same time, regardless of time zone.

Or maybe you've been slashdotted.

Privacy concerns - how did you get the data? (1)

SuperKendall (25149) | more than 4 years ago | (#30875264)

Is no-one else bothered by the fact he has access to raw logs from a government system? Are there no privacy concerns from a private citizen being allowed to scan for users of government system? For instance, let's imagine it's the local IRS server - he now knows exactly what forms you were downloading, or perhaps visitors to a government site to help people find providers of mental health care. Really I don't care what the site was, it just seems like there's no valid reason for anyone to have raw data rather than aggregated data outside that department.

Re:Privacy concerns - how did you get the data? (1)

cbreak (1575875) | more than 4 years ago | (#30875350)

That was the first thing I thought of.

It seems quite stupid to give some random, untrustworthy company access to the IP address data of visitors of a government network. That probably violated a few privacy laws.

And the only result is some boring, low resolution pseudo 3D graph? What a waste.

Naughty Country IP list (1)

EmperorOfCanada (1332175) | more than 4 years ago | (#30875274)

Where can one get a list of IP addresses for countries like China and India so that server admins like myself can block these countries entirely?

Re:Naughty Country IP list (1)

cbreak (1575875) | more than 4 years ago | (#30875372)

Why would you want to do that? You don't expect evil people to use botnet nodes in every country?

It's the people avoiding patterns to fear. (1)

955301 (209856) | more than 4 years ago | (#30875312)

This just doesn't seem like a big deal. The countries he points out are all in the same timezones so it's probably just their normal day starting. So this probably correlates to dns refresh or some other aspect (vertical) of general internet operations landing on the same hour.

He needs tcp port analysis and to compare days - the pattern is probably the same from day to day.

What I'm wondering.... (0)

Anonymous Coward | more than 4 years ago | (#30875318)

...is when the FBI kicks his doors in for posting about firewall info from a US government org on slashdot, with videos on youtube.

Timezones? (1)

magamiako1 (1026318) | more than 4 years ago | (#30875334)

Nothing really "interesting". What you notice is that around 9:00PM a bunch of East Asian countries start to show some spiked traffic. My guess is botnets on computers that are being turned on during the day generating a lot of traffic data. Or just computers coming on in general, for anything. There's no context as to what data they were requesting, it could have been simple search hits or image hits, or link hits in google or whatever else. But what it shows to me is nothing more than "hey look, the eastern half of the world wakes up when it's evening time in the US."

What a let down (1)

Aoet_325 (1396661) | more than 4 years ago | (#30875346)

Normally I'd love this sort of thing. I pore over logs in my spare time, for kicks even, but this video just bored me. For nearly half the video this thing never goes beyond "look! people in different countries are active at different times!".

Even the few things that almost start to seem interesting leave you unable to gain any insight because there is just no information. There isn't any useful data to work with.

What this fails to provide us with is what kind of traffic this was in the first place. Any reasonably large site is going to get hit with all kinds of background noise, and so the fact that they found themselves with large amounts of "traffic" from 'nearly every country' doesn't surprise me.

This seems to be nothing more than an example of a very dull and uninformative way to display a large collection of something very, very common.

Data jumps? (1)

mother_reincarnated (1099781) | more than 4 years ago | (#30875354)

Maybe the fact that you put random chunks of data from days apart next to each other has something to do with it?

Whose site? (0)

Anonymous Coward | more than 4 years ago | (#30875378)

Well gee i wonder... You've got a US Federal Agency, and spikes at certain times of days and from certain nations... it couldn't possibly be botnet/network attacks?

Nice slashvertisement btw //sarcasm

hey, i have access to this amazing tech (1)

circletimessquare (444983) | more than 4 years ago | (#30875386)

for a powerful client, but i need, you, random slashdork, to help me out here

no, i'm not a salesman
