In this section data recorded by "The Honeynet Reasarch Alliance" are presented on earth's map. The coordinates for every ip address are estimated using the NetGeo package.
Be advised that the points of the map do not always point to the physical location of an attacker. They could be better interpreted as "location of suspicious ip addresses", which means places of weak cyber security, physical location of attackers or organizations that probe the network for several studies and measurements.
In contrast with other projects which display similar maps, the ones from the Honeynet Project have the advantage to be based on very valuable data, with very few false positives or negatives. The locations plotted on the following maps correspond to ip addresss that have been logged by a honeynet's firewall. In addition the Honeynet project logs all trafic that enters a honeynet in a binary log file, which can be used for offline analysis.
Worms like Code Red and Nimda probe for web server in a nearly random manner. Such addresses could be condidered as noise when looking for the location of a real attacker. That's why we provide two different kind of maps. The first set inclused probes in port 80 and can spot places where such worms are still a main problem. The second set however is more realistic if you are interested in places that can be related with real attackers.
The "Global View" of the Honeynet Research Alliance's data is a component of the Near Real Time Monitor (NRTM) project, currently being developed and comments will be appreciated.
|
With
port 80 (web) probes
|
Without
port 80 (web) probes
|
||
 |
Map with all recorded activity | |
Map with all recorded activity |
|
Map with last month's recorded activity | |
Map with last month's recorded activity |
|
Map with last week's recorded activity | |
Map with last week's recorded activity |
|
Map with last 5 days recorded activity | |
Map with last 5 days recorded activity |
|
Map with last day's recorded activity | |
Map with last day's recorded activity |
