Crazy Firewall Log Activity — What Does It Mean?
arkowitz writes "I happened to have access to five days worth of firewall logs from a US state government agency. I wrote a parser to grab unique IPs out, and sent several million of them to a company called Quova, who gave me back full location info on every 40th one. I then used Green Phosphor's Glasshouse visualization tool to have a look at the count of inbound packets, grouped by country of origin and hour. And it's freaking crazy looking. So I made the video of it and I'm asking the Slashdot community: What the heck is going on?"
Re:vertical stripes (Score:5, Informative)
It looks like an active attack probably from one source with a number of controlled bots helping out.
The packets from every country at once are probably spoofed sender IP addresses from one or more sources (probably the spike countries).
The spiked country traffic is probably the controlled bots attacking the host actively.
Without seeing the actual packet data it's just a guess though.
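The pipeline the submitter describes (parse the firewall log for unique source IPs, geolocate them, count inbound packets by country and hour) and the check the parent comment is doing by eye (many countries peaking in the same hour, which timezone effects would spread out rather than line up), as an added Python example that is not part of the original submission or of Quova, Glasshouse or any other tool named in the thread. The log lines, the prefix-to-country table standing in for a geolocation database, and the peak threshold are all constructed for illustration:

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample log lines in an iptables-like syslog format; not real agency data.
# One line deliberately carries no SRC= field so the parser's skip path is exercised.
SAMPLE_LOG = """\
2010-03-03T20:05:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.5 PROTO=TCP DPT=445
2010-03-03T20:17:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=445
2010-03-03T21:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.5 PROTO=TCP DPT=445
2010-03-03T21:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=10.0.0.5 PROTO=TCP DPT=445
2010-03-03T21:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.5 PROTO=TCP DPT=445
2010-03-03T21:00:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=445
2010-03-03T21:00:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=10.0.0.5 PROTO=TCP DPT=445
2010-03-03T21:00:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.3 DST=10.0.0.5 PROTO=TCP DPT=445
2010-03-03T21:00:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.42 DST=10.0.0.5 PROTO=TCP DPT=445
2010-03-03T21:00:08 fw kernel: IN=eth0 OUT= SRC=100.64.0.1 DST=10.0.0.5 PROTO=TCP DPT=445
2010-03-03T22:30:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.3 DST=10.0.0.5 PROTO=TCP DPT=445
2010-03-03T22:31:00 fw kernel: link up
"""

# Constructed stand-in for a geolocation database (the Quova / MaxMind lookups in the thread).
# Prefixes are documentation ranges and the country assignments are made up for the example.
GEO_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "BR",
}

# Captures the hour bucket (YYYY-MM-DDTHH) and the SRC= address; lines without SRC= don't match.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}\b.*?\bSRC=(?P<src>\S+)")


def parse_log(text):
    """Return (hour, src_ip) for each line carrying a SRC= field; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group("ts"), m.group("src")))
    return records


def unique_ips(records):
    """The set of distinct source addresses, i.e. what the submitter sent off for geolocation."""
    return {src for _, src in records}


def country_of(ip):
    """Map an address to a country code via the constructed prefix table; '??' if unknown or invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "??"
    for net, cc in GEO_PREFIXES.items():
        if addr in net:
            return cc
    return "??"


def packets_by_country_hour(records):
    """Counter keyed by (country, hour): the grouping the video plots."""
    return Counter((country_of(src), hour) for hour, src in records)


def synchronized_peaks(counts, min_countries=3):
    """Hours in which at least min_countries distinct known countries hit their own peak count.

    Each country's busiest hour is found first; hours shared by many countries are the
    'vertical stripes' in the video. Timezone effects would spread peaks across the day,
    so a shared peak is a signal worth examining for spoofed or coordinated sources.
    """
    best = {}
    peak_hour = {}
    for (cc, hour), n in counts.items():
        if cc == "??":
            continue
        if n > best.get(cc, 0):
            best[cc] = n
            peak_hour[cc] = hour
    by_hour = defaultdict(set)
    for cc, hour in peak_hour.items():
        by_hour[hour].add(cc)
    return sorted(h for h, ccs in by_hour.items() if len(ccs) >= min_countries)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    counts = packets_by_country_hour(recs)
    print(len(unique_ips(recs)), "unique source IPs")
    for (cc, hour), n in sorted(counts.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        print(hour, cc, n)
    print("hours where >=3 countries peak together:", synchronized_peaks(counts))
```

The peak check only looks at countries the lookup could resolve; addresses the table cannot place are still counted under "??" so the totals per hour stay honest. As the parent comment says, a shared peak is a hint, not proof: port numbers and the packet contents decide whether it is a scan, a flood with spoofed sources, or something benign.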
Re:Another Slashdot Ad? (Score:5, Informative)
Wait, is this just an advertisement for Glasshouse? The voice in the video on Green Phosphor's website is exactly the same.
It is totally the same guy - the background noise sounds identical too - like he recorded it on the same microphone with the same environmental conditions.
Hell, he even starts each narration exactly the same with the pattern of, "Hi <name> here."
Re:Another Slashdot Ad? (Score:5, Informative)
Welcome to the future of advertising.
Mod parent up (Score:1, Informative)
Exactly. This guy is advertising his own not-very-creative service.
Sure - he just happens to have access to the US State Department logs, but isn't smart enough to look at the packets?
Astroturf.
Re:That wasn't complaining. THIS is complaining. (Score:1, Informative)
I should not have called this graph "crazy looking". It is actually pretty simple and makes it quite clear what is going on, as you can see from the comments submitted by people talking about botnets.
Finally, I am not interested in producing graphs which show you everything "at a glance". Use a pie chart for that. I am making graphs which facilitate a deeper understanding of larger amounts of data than Tufte dreamed of showing using his 2D paradigms.
Re:Skylab Shreds (Score:2, Informative)
Computers are used by people. People who wake up, work, play, sleep, have weekends, business holidays, religious holidays, events and a pantheon of other reasons why they might act in seeming semi-concert.
You're suggesting that for the five day period in question, the majority of people woke up at the same time GMT? Not 7am local time, but 9pm GMT everywhere in the world? Or did you just not actually look at the video (which shows spikes of data from every country in the world at the same time)? "Timezone effects" should eliminate these sorts of lines, not cause them, by spreading that kind of activity out over 24 hours.
Re:I'm confused (Score:4, Informative)
How does /usr/share/GeoIP/GeoIP.dat ban my IP address?
Re:I'm confused (Score:5, Informative)
Eh what? There's several GeoIP databases that you can install locally. In fact it seems like Quova is the only database you have to query remotely, which is somewhat crazy if you ask me. Or buy a server from them.
MaxMind [maxmind.com] is the best known one. Installing it on a Linux server using yum merely takes "yum install GeoIP*"
Re:Another Slashdot Ad? (Score:4, Informative)
To be fair though, he didn't link to the companies in the submission [slashdot.org], only the video, and merely mentioned what he used. I guess kdawson added the links. While certainly promoting their own software, the bitching about it has been taken to quite irrelevant levels in this story. Instead of bitching about that, we could have had a much more interesting discussion about what it actually is, or whether anyone else saw such spikes on the same days. Personally I think it might be some botnet scanning either for exploits or to find each other (this might be extremely relevant if some botnet was taken down on the same day and P2P scanning to find other nodes kicked in). Port numbers and a little more info would have been helpful, though.
Re:Skylab Shreds (Score:5, Informative)