Live attacks against the Norse honeypot infrastructure

The Google&#x2F;Arbor Digital Attack Map[1] provides a similar view based on data from 270+ ISPs around the world. Hovering over an attack shows details, and sliding the timeline indicator to dates in the past lets you view some very large attacks (&gt;400 Gb of attack traffic).<p>[1] <a href="http://www.digitalattackmap.com/" rel="nofollow">http:&#x2F;&#x2F;www.digitalattackmap.com&#x2F;</a>

Couldn&#x27;t find much information about that visualisation, so I have to wonder - what kind of traffic do they count? Is it only showing detected known&#x2F;assumed attacks? Or does it count all connections? (i.e. does it include scans, or not)<p>If it includes scans - I&#x27;m surprised how few there are. (that&#x27;s about as many as you&#x27;d get on 5 randomly created VMs) If it doesn&#x27;t - I&#x27;m surprised how many active attacks there are.

&quot;The Norse live attack map is a visualization of a tiny portion (&lt;1%) of the data processed by the Norse DarkMatter™ platform every day.&quot;<p><a href="http://www.norse-corp.com/" rel="nofollow">http:&#x2F;&#x2F;www.norse-corp.com&#x2F;</a>

Technical accuracy aside, it&#x27;s a great marketing tool. Nicely done.

Needs Missile Command sounds.<p>Of course the internet does not route in &quot;as the crow flies&quot; lines like this is showing. There is routing.

Does anyone know why so relativly many attacks come from the Netherlands? After running this for about 5 minutes it is the number one origin of attack at the moment.

where does it get data from?

There is fairly rampant infection of something which uses port 21230 for its activities. I use the port numbers and verify that my iptables aren&#x27;t passing any of them, which is generally useful. And it is interesting to see the ones being &quot;attacked&quot; (as in people trying to either open them or send data to them via UDP)

It looks like a modern version of War Games. But how does it determine the origins and attack targets in real time?

Could they effectively DoS the IPs on the blacklist[1] and still play good defense?<p>1. <a href="http://www.norse-corp.com/darklist.html" rel="nofollow">http:&#x2F;&#x2F;www.norse-corp.com&#x2F;darklist.html</a>

When I use firefox it says &#x27;too slow? try chrome&#x27; - it is much slower on firefox - is firefox that bad or is it just optimized for Chrome?

A list of attacker IPs (from, say, the last 7 days) to block in iptables would be a very popular item.

Wow. So many attacks. Running this site is going to DOS my phone.

Anyone know why 21320 is such a big target? Spybot S&amp;D?

is there nothing worth attacking in china or it&#x27;s simply that there aren&#x27;t many honeypots there?

it is like watching a War match where everyones goal is &quot;conquer california, or 24 territories&quot;

heh, someone in china just tried a masss SSH login to the US, looked like a shotgun blast.

I have no idea whats going on but its very exciting looking.