Australian Blog


Most dangerous time on the Australian Internet

Mon, 08/31/2009 - 00:02

Shown below is a visual of a time series analysis representing malicious activity reported by our 6 most active and reliable SensorNET honeypots. These honeypots have been deployed for between 9 months and 2 years in the Australian IP space. Our honeypots are designed to detect malicious network activity in a passive and safe manner; you can read more about the background of our SensorNET here.


Each one of these blue dots represents a group of other people's compromised computers attempting to compromise our honeypots in an effort to get them to join a botnet. All of this happens in the background, and does not require any action by the owner of the computer, or even for them to be sitting at the compromised computer.
Some of these attacks come from computers in Australia, and many come from other countries as well. We have done some visual analysis on the location of these attackers in past blogs using geographic heatmaps here and with a tool called Circos here.

While there are a lot of factors involved in malicious activity on the internet, I tried to keep it simple, and this visual does a reasonable job of helping us understand when malicious network activity peaks.

Relatively little activity is seen in the early hours between 3am and 7am. Then we see a substantial and consistent uptick in activity on every day between 8am and 9am. This may be caused by people turning on infected PCs, which then go and scan for new victims at this time. Throughout the day, activity generally increases, peaking around the middle of the night. The old adage 'beware the midnight hour' seems to be applicable even on the internet (hence the spooky green bar graph, just for fun).

From our results, it appears just after midnight on Friday and Thursday nights would probably be the most dangerous time for an unattended, insecure computer to be on the Australian internet. Of course there is actually no 'safe' time for such a computer to exist on the Internet, but it is interesting to do this analysis.
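The binning behind a chart like this is simply a count of hits per weekday and local hour. The following is an added Python example, not the project's code; the input lines ("UTC timestamp, source IP") are constructed, and the sensor timezone is assumed to be AEST (UTC+10, no daylight saving), since the honeypots sit in Australian IP space.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of honeypot hits: "<UTC timestamp> <source ip>" per line.
# The export format is an assumption, not SensorNET's real format.
SAMPLE_HITS = """\
2009-08-27T14:05:11Z 203.0.113.7
2009-08-27T14:20:43Z 198.51.100.23
2009-08-27T14:41:02Z 203.0.113.9
2009-08-27T22:10:00Z 192.0.2.55
2009-08-28T14:12:30Z 198.51.100.8
2009-08-28T15:02:17Z 203.0.113.7
2009-08-28T23:55:00Z 192.0.2.1
2009-08-29T14:30:00Z 198.51.100.23
"""

# Assumed sensor timezone: AEST is UTC+10 with no daylight saving.
LOCAL_TZ = timezone(timedelta(hours=10), name="AEST")
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_hits(text):
    """Yield (local aware datetime, ip) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip = line.split()
        utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Convert before binning: a 14:05Z Thursday hit is 00:05 Friday in Brisbane.
        yield utc.astimezone(LOCAL_TZ), ip


def bin_by_weekday_hour(text):
    """Count hits per (weekday, local hour): the 7x24 grid behind the time series."""
    counts = Counter()
    for when, _ip in parse_hits(text):
        counts[(WEEKDAYS[when.weekday()], when.hour)] += 1
    return counts


def peak_cell(counts):
    """Return ((weekday, hour), count) for the busiest slot in the grid."""
    return max(counts.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    grid = bin_by_weekday_hour(SAMPLE_HITS)
    (day, hour), n = peak_cell(grid)
    print(f"busiest slot: {day} {hour:02d}:00 local, {n} hits")
```

Binning in UTC instead would put the same hits on Thursday afternoon, which is why the timezone conversion matters for any "when is it most dangerous" conclusion.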

Each one of these attacks is preventable by using a proper firewall, good practice, antivirus, and security patches. To avoid contributing to the blue dots on this visual, read AusCERT's advice here on how best to protect your computers.

Helping to understand our cyber threat environment so that decisions on mitigations/controls are better informed is really one of our key goals, particularly as plans are underway for the roll-out of the $43 billion Australian National Broadband Network, which will clearly need to consider cyber security as a major stakeholder.

If you have a similar dataset that you are interested in studying in this manner, send me an email at ben@honeynet.org.au

Time series geomapping of SPAM senders

Fri, 08/07/2009 - 07:00

In a previous blog, we showed off some heatmaps that were supposed to help answer the question "Where does SPAM come from?". The problem with these maps is that they are the combination of months of data without any respect to time.

So I set out to show the same information in a video to help answer a broader question "When and Where does SPAM come from?". Each red flash represents a moment in time that a point on the earth sent us some spam.

Without further ado, here is a video of about a week's worth of SPAM on the planet Earth:

When zooming in on Europe, notice that the 'Blue Banana', a discontinuous corridor of urbanisation in Western Europe, is once again evident, as it was with the European heatmap. From North West England to Milan, 90 million people live in this corridor, and evidently a fair few of them have computers that send us SPAM. They call it a banana because of its curvature, but I've no idea why it's blue.

We were hoping to see a 'follow the sun' aspect emerge, thinking that as people turn their computers off and go to bed, less spam will come from infected hosts in that timezone. This sounds reasonable, but it really only shows up to a fairly small degree in the video. It seems people don't turn infected hosts off at night. SPAM, it seems, is 24x7.

We've also done the same technique for the location of network-borne malware (worms) seen by our Australian SensorNET; in fact, any dataset with an IP and a timestamp can now be turned into a video. Feel free to contact us if you have an interesting dataset.

I used a product called 'logster' to do these videos. It is designed to read weblog files so that you can get an idea of who visited your website and when. However, you can use any dataset with an IP and timestamp, and parse it to make it look like an Apache weblog file easily enough. This is what we (thanks DavidZ) did with our nepenthes and SPAM data sets. Logster is another good analysis tool to have in the kit.
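Turning a plain (IP, timestamp) dataset into Apache combined-log lines that a weblog visualiser can read, as an added Python example. This is not the project's or DavidZ's conversion script; the input record format ("UTC timestamp,ip") is constructed, and the output only fills in the request, status and size fields with fixed dummy values because a geomapping tool needs only the client address and time.

```python
import re
from datetime import datetime, timezone

# Constructed sample records, one "<UTC timestamp>,<ip>" per line, standing in
# for a nepenthes or spam-feed export (assumed format).
SAMPLE_RECORDS = """\
2009-08-03T09:15:02Z,203.0.113.7
2009-08-03T09:15:45Z,198.51.100.23
2009-08-03T10:02:19Z,2001:db8::1
"""

# Apache "combined" log format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED = '{ip} - - [{when}] "GET / HTTP/1.0" 200 0 "-" "{agent}"'
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 03/Aug/2009:09:15:02 +0000

# Dotted-quad IPv4 with each octet in 0..255.
IPV4 = re.compile(r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$")


def to_combined_line(ip, when, agent="spam-feed"):
    """Render one synthetic access-log line for a source IP seen at 'when'."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware for the %z field")
    return COMBINED.format(ip=ip, when=when.strftime(APACHE_TIME), agent=agent)


def convert(text, tz=timezone.utc):
    """Parse the records and return (log_lines, skipped_rows).

    Rows that do not parse, or whose address is not IPv4, are reported rather
    than silently dropped (assumption: the visualiser only geolocates IPv4).
    """
    lines, skipped = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            stamp, ip = raw.split(",")
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            skipped.append(raw)
            continue
        if not IPV4.match(ip):
            skipped.append(raw)
            continue
        lines.append(to_combined_line(ip, when.astimezone(tz)))
    return lines, skipped
```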

If you have a SPAM feed you would like to provide to the project, please email us at contact@honeynet.org.au