Crazy Firewall Log Activity — What Does It Mean?

arkowitz writes "I happened to have access to five days' worth of firewall logs from a US state government agency. I wrote a parser to grab unique IPs out, and sent several million of them to a company called Quova, who gave me back full location info on every 40th one. I then used Green Phosphor's Glasshouse visualization tool to have a look at the count of inbound packets, grouped by country of origin and hour. And it's freaking crazy looking. So I made the video of it and I'm asking the Slashdot community: What the heck is going on?"
  • Re:Skylab Shreds (Score:3, Insightful)

    by KshGoddess ( 454304 ) <kshgoddess@NospaM.gmail.com> on Saturday January 23, 2010 @10:30PM (#30874810) Homepage Journal
    That's what I thought it was for. Srsly, they're your firewall logs. You should have some clue where inbound traffic is coming from and why. If you've got a webserver serving some sort of information that changes, this could be rss readers hitting your site. Or it could be pings of death being dropped by your firewall. It could be web surfers getting to work and hitting you up for information, or browsers grabbing some active information on your site. It could be googlebots. It could be slashdot hits for all I know. These are just theories, because this isn't my firewall or my traffic.
  • by Frogking ( 126462 ) on Saturday January 23, 2010 @10:33PM (#30874840) Homepage

    Wait, is this just an advertisement for Glasshouse? The voice in the video on Green Phosphor's website is exactly the same.

    What gives?

  • Interesting. (Score:3, Insightful)

    by Dartz-IRL ( 1640117 ) on Saturday January 23, 2010 @10:33PM (#30874842)

    It's pretty interesting. You can see the countries with the largest botnets in the log... which also seems to suggest that a large majority of the packets are coming from the one botnet... since a good number of them kick in at the same time.

    It also looks cool. Which is critical.

  • by Itninja ( 937614 ) on Saturday January 23, 2010 @10:34PM (#30874848) Homepage
    Is this guy filtering out backscatter like DNS replication and time updates? If it's from a State agency it's entirely possible that they are running a root DNS server on-site (I work at a State agency and we are). Also, what timezone is he in? Knowing that might help explain the spike at 21:00. Is that GMT? Need input!
  • Why am I worried? (Score:4, Insightful)

    by Anonymous Coward on Saturday January 23, 2010 @10:34PM (#30874850)
    So you have access to these firewalls but you don't know how to go about diagnosing the problem aside from an Ask Slashdot? Am I the only one who's a little baffled by this?
  • by Anonymous Coward on Saturday January 23, 2010 @10:35PM (#30874854)

    Were you unaware that botnets spanned the globe, or that certain countries have a higher incidence of compromised systems? If you don't understand those things, maybe you should get someone else to manage your firewalls?

  • by wufpak ( 204617 ) on Saturday January 23, 2010 @10:39PM (#30874898)

    Looking at the pop-up labels that show up when you mouse-over the data, there seems to be a huge temporal discontinuity in your data set: right at the first vertical stripe, the displayed date/time labels jump from 2009-09-17 to 2009-09-27. Maybe I'm just misreading the display, but a 10-day discontinuity would seem to account for the anomaly you describe.

    It couldn't be that easy, could it?

  • Re:My guess (Score:3, Insightful)

    by sfcat ( 872532 ) on Saturday January 23, 2010 @10:42PM (#30874922)
    If that were the case, you would see a more gradual decline in the traffic and not such regular usage across the board. It looks like a botnet with significant infection in the countries with increased traffic after the first stripe. I'm sure someone with more experience in this type of thing could tell us even more about it however...
  • by jra ( 5600 ) on Saturday January 23, 2010 @10:43PM (#30874926)

    Yeah, I meant to say that it's also difficult to tell what's going on because you conflated all destination protocols and ports together.

  • Re:Skylab Shreds (Score:4, Insightful)

    by bakes ( 87194 ) on Saturday January 23, 2010 @10:44PM (#30874934) Journal

    Yes, he knows the firewall and the traffic. The question is - why is there suddenly traffic appearing from every country in the world at the same time? And again a number of hours later? And again 5 or 6 times? Suddenly there are inbound packets from every country in the world, for an hour or two, then it dies off. For some countries, the first 'stripe' is also the start of consistently higher traffic from that country. Does this mean anything?

    I think it might be more useful to know the actual dates, and see if this corresponds with any spikes in spam or virus activity. What would be most useful would be to know the dest port number of the inbound traffic; that could give us much better clues as to the reasons behind the patterns.
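A minimal version of the pipeline the submitter describes (unique inbound source IPs, a country lookup, packet counts by country and hour), extended with the per-destination-port breakdown that jra and bakes ask for above. This is an added example, not the submitter's parser or either vendor's code; the netfilter-style log lines are constructed, and the prefix-to-country table is a placeholder standing in for a local GeoIP database.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed netfilter/syslog-style lines; one is outbound (IN= empty) and is skipped.
SAMPLE_LOG = """\
Sep 17 21:03:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
Sep 17 21:04:52 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Sep 17 21:05:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=445
Sep 17 21:06:30 fw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=443
Sep 17 22:10:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP DPT=445
Sep 17 22:11:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP DPT=53
"""

# Placeholder prefix-to-country table; a real run would query a local GeoIP database.
GEO = [(ip_network("203.0.113.0/24"), "AA"), (ip_network("198.51.100.0/24"), "BB")]

LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<hour>\d\d):\d\d:\d\d \S+ kernel: IN=(?P<iface>\S*) "
    r".*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)

def country_of(ip):
    addr = ip_address(ip)
    return next((cc for net, cc in GEO if addr in net), "??")

def inbound_records(log):
    """Yield (hour, src_ip, dst_port) for every inbound line that parses."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m["iface"]:          # a non-empty IN= means the packet came in
            yield int(m["hour"]), m["src"], int(m["dpt"])

def summarize(log):
    """Unique sources plus packet counts by (country, hour) and (country, port)."""
    unique_ips, by_cc_hour, by_cc_port = set(), Counter(), Counter()
    for hour, src, dpt in inbound_records(log):
        unique_ips.add(src)
        cc = country_of(src)
        by_cc_hour[(cc, hour)] += 1
        by_cc_port[(cc, dpt)] += 1
    return unique_ips, by_cc_hour, by_cc_port

def countries_per_hour(by_cc_hour):
    """Distinct countries seen per hour; a sudden jump is the 'stripe' debated here."""
    seen = Counter()
    for (cc, hour), _ in by_cc_hour.items():
        seen[hour] += 1
    return dict(seen)
```

Feeding real logs through `summarize` and then sorting `by_cc_port` for the hours where `countries_per_hour` jumps is the quickest way to tell a port-80 crowd from a port-445 sweep.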

  • Ad (Score:5, Insightful)

    by Anonymous Coward on Saturday January 23, 2010 @10:45PM (#30874940)

    It means that this is an ad for Quova and Green Phosphor's Glasshouse.

  • by PCM2 ( 4486 ) on Saturday January 23, 2010 @10:46PM (#30874944) Homepage

    Am I the only one who found the five minutes of this video to be about as interesting as listening to a stoned person describe the cracks on the ceiling?

    You designed the visualization, buddy. If it's "freaking crazy looking," rather than yielding any useful insight, then obviously you did not visualize it in a meaningful way. You failed, in other words.

    But as an earlier poster noted, this is just a Slashvertisement for the visualization tool in question. No doubt it will be quite effective on the kind of people who talk as slowly as the guy in the video.

  • by Anonymous Coward on Saturday January 23, 2010 @11:03PM (#30875064)

    You're right, this story doesn't add up. It could be that this data has all been faked, just to advertise for the linked-to companies and products.

  • Re:Skylab Shreds (Score:5, Insightful)

    by rednip ( 186217 ) on Saturday January 23, 2010 @11:07PM (#30875100) Journal
    You're trying to imagine shapes in clouds; there is no context. Video conference call, maybe? Also, could be synchronization, or backups. Spooky garbage for the tin foil hat crowd, I hear there's a good business in it these days. It's an ad for a 3D graphing service.
  • by Anonymous Coward on Saturday January 23, 2010 @11:11PM (#30875126)

    Quite likely the server in question is sending floods of stuff out into the world and the vertical stripes are the responses... which quickly die off as the target machines lose interest.

    The horizontal lines are probably botnets who, now that they've seen the 'announce' that the vertical lines represent, are interested and are picking away looking for a way in.

  • by Dr. Evil ( 3501 ) on Saturday January 23, 2010 @11:17PM (#30875158)

    I wouldn't be so quick to support the author. The voice on the youtube video sounds a lot like the voice on the youtube video featured on the front of the webpage for http://www.greenphosphor.com/. If not him, look at the related videos, notice a pattern? Maybe one of the other voices talking about features of the product will sound familiar.

  • by PCM2 ( 4486 ) on Saturday January 23, 2010 @11:36PM (#30875278) Homepage

    You want complaining? How about this: This visualization is terrible.

    The video took five minutes to watch and most of it was him rolling over the bars in the 3-D chart so you can see what each of the lines means. If that's supposed to be a useful visual aid, I'll eat my hat. It's bad enough that you have to manually roll over every data element to figure out what it is; scrolling through the graph seemed dead slow. I hope that's not a limitation of the product itself.

    Simple labels on the axes of the graph would have been nice. Far be it from anyone to try stick little flags next to the lines to represent different countries. Hell, just color-coding them in a totally arbitrary way would have made the graph easier to read.

    BTW, a quick look at the Glasshouse site reveals all their output looks pretty much just like this demo. And there's no evidence that you can export one of their rudimentary 3-D graphs to "pretty it up" in a real 3-D app. Instead, their raison d'être appears to be allowing you to run around looking at these graphs... in Second Life.

    I'm sorry, but if you're doing something like plotting fractals, for example, where visual similarity to patterns is the whole point, I can forgive you for coming to the conclusion that "it's crazy looking." If what you're doing is trying to provide a visual to aid in the interpretation of data, then the visual should -- y'know -- aid interpretation. A glance at this graph, on the other hand, reveals nothing; not even what it's supposed to represent.

    In summary, Edward Tufte will be rolling in his grave when he dies from looking at this graphic.

  • Re:I'm confused (Score:5, Insightful)

    by pipatron ( 966506 ) <pipatron@gmail.com> on Saturday January 23, 2010 @11:40PM (#30875316) Homepage
    I don't even know why the Quova crap is mentioned since you can look up the country for *each* of your IPs locally using GeoIP.
  • Re:Skylab Shreds (Score:5, Insightful)

    by pipatron ( 966506 ) <pipatron@gmail.com> on Saturday January 23, 2010 @11:45PM (#30875348) Homepage

    It's an ad for a 3D graphing service.

    Indeed, the guy from the graphing service is the same guy who made this.

  • by Jane Q. Public ( 1010737 ) on Saturday January 23, 2010 @11:53PM (#30875392)
    I see no reason whatever that it would be necessary to use either Quova or Green Phosphor. Any competent programmer could have sampled the data, used whois to get location, and then used about 1000 different programs to visualize the data just as well. (Like Crystal Reports or Seagate.)

    The fact that OP did neither, and is involved at a high level with one of the two companies, makes this whole post suspicious.

    My best guess is that OP thought he had discovered a way to freely advertise via Slashdot, and victimized us as a result.

    I get enough Spam. I don't need to see even more, on Slashdot. Can this user be blocked?
  • Re:Skylab Shreds (Score:5, Insightful)

    by MojoRilla ( 591502 ) on Sunday January 24, 2010 @12:01AM (#30875436)
    Uh...a bot net?

    That would explain most of it.
  • Re:Skylab Shreds (Score:5, Insightful)

    by Mal-2 ( 675116 ) on Sunday January 24, 2010 @12:05AM (#30875452) Homepage Journal

    Also is he plotting this based on potentially spoofed IP addresses? I'm thinking not just a botnet, but a botnet that doesn't care if it's getting packets back or not. It may not be every country in the world, just a bunch of random IPs coming from zombies which may (or may not) be in far-flung places.

    Mal-2

  • Re:Skylab Shreds (Score:2, Insightful)

    by Anonymous Coward on Sunday January 24, 2010 @01:50AM (#30876108)

    It's elementary my dear Watson. P2P. Someone's firing up Bittorrent (hence, every country in the world with long streams to those actually grabbing data).

  • by PCM2 ( 4486 ) on Sunday January 24, 2010 @02:03AM (#30876182) Homepage

    This is the guy whose product we're talking about. He wants to explain himself. If you think he tried to use Slashdot to advertise his product, you don't have to mod him up, but if you mod him down to -1 then he'll drop below a lot of people's thresholds and they won't even see that he tried to participate. That's not being fair.

  • by flydpnkrtn ( 114575 ) on Sunday January 24, 2010 @02:21AM (#30876250)

    I know it's trollish, but the real question is: can kdawson be blocked?

    (yes I know you can block authors in your user prefs... I mean from Slashdot entirely.... save us the pain, please, for the love of god)

  • by dweller_below ( 136040 ) on Sunday January 24, 2010 @03:08AM (#30876436)

    Then, I would say somebody with a large botnet is doing reconnaissance on you.

    I'm sure you have incoming port 137 blocked. So that traffic is outgoing. I expect that will be your Windows hosts responding to their probes.

    They are probably attempting to find your end-hosts and your switching infrastructure.

    Your clients shouldn't respond to the probes. If they are, make them stop. Your servers probably have to respond. If you have not already, you should make very sure that your switching infrastructure can't bleed packets to the outside world. Yah, I know, people tell you to send out 'fragmentation needed' but you might have to choose between big packets and survival. It would be nice if you only needed to bleed 'Fragmentation needed' to a few specific external hosts and could discard it (and everything else from your switching infrastructure).

    One way you can mess with their heads (assuming they care about your switching infrastructure) is to modify your border to discard any packet with a low hop-count. The apparent radius of the internet is currently a little over 16 hops. Nothing legit (except traceroute) generates packets with less than a 32 TTL. So, you can arbitrarily discard any packet at your border with a TTL of 8 to 12.

    It messes up your ability to trouble-shoot your network from the outside using traceroute but if the choice is that or survival...

    I've never been mapped by anything that big. We would see it in our darknet (non-allocated IP) sensors. Lucky you. Brace for impact.

    I expect they will get to my institution eventually.

    We've seen an explosion in hacker activity in the last week. All kinds of crap. The most unsettling is a series of compromises that carefully scan a locally attached /24 for 139, 445, 3389, 5900, 8080, 40080. C&C appears to be innocuous accesses to local Akamai hosts. Almost impossible to spot.

    Thanks for the heads-up.

    Miles

  • Re:Skylab Shreds (Score:5, Insightful)

    by Anachragnome ( 1008495 ) on Sunday January 24, 2010 @03:09AM (#30876440)

    Bingo. My thoughts exactly.

    Unless he gives up some more data, it's hard to tell for sure.

    But, I agree, it sounds like someone is using their employer's (government) bandwidth to torrent. Could be a machine that someone shuts off the monitor on but P2P downloads overnight with a scheduled P2P app.

    The peaks/valleys might be explained by reset packets introduced by the ISP temporarily killing the outbound requests and it takes the inbound requests awhile to trickle off.

    You can see this same type of log traffic by simply starting a torrent, waiting a little bit, then stopping the P2P client, waiting awhile again, then restarting it. Rinse, repeat and you will see something that looks awfully close to what you have.

    Reset packets essentially create the same traffic pattern, but for a different reason (ISP- introduced traffic "shaping").

  • by VoltageX ( 845249 ) on Sunday January 24, 2010 @03:22AM (#30876494)
    The correct response to spam like this is to start and develop a Sourceforge project that contains most, if not all of Glasshouse's features.
  • Re:Skylab Shreds (Score:2, Insightful)

    by Tamran ( 1424955 ) on Sunday January 24, 2010 @04:25AM (#30876734)

    I would wager that if he were to look at outbound traffic at the same time as the inbound "stripes" he would indeed find a correlation. For example, if you ping some IP address it should send you back a packet of data. Perhaps those stripes aren't so representative of everyone else all of a sudden looking at the site but the site looking at everyone else and getting some kind of answer back?

    I'm no sys-admin, but it's a logical hypothesis.

    Tamran

  • Re:Skylab Shreds (Score:4, Insightful)

    by bakes ( 87194 ) on Sunday January 24, 2010 @04:44AM (#30876812) Journal

    Piss-poor ad though. How many people saw the video and thought "I must get me some of this graphing tool!"? My first thought was "interesting way of presenting information, but his graphing tool is crap".

  • Re:Skylab Shreds (Score:3, Insightful)

    by ceoyoyo ( 59147 ) on Sunday January 24, 2010 @09:51AM (#30877858)

    My first thought was "why does everybody have to make everything a video?"
