This map shows, in real time, the sources of network events targeting IP addresses located in Luxembourg. The majority of the network events targeting honeypots or black-hole networks are usually malicious network scanning, malicious software (e.g. worms) or backscatter traffic coming from spoofed networks (as in a denial-of-service attack).
Because the number of events can be huge, the events are randomly sampled so that all connected clients share a common view and get a meaningful overview of the attack sources.
This map is based on the work done by the Honeynet Project, but the honeypot and blackhole feeds are collected and analyzed by CIRCL (Computer Incident Response Center Luxembourg) with the help of the partners hosting sensors in Luxembourg.
If you want to participate and host a sensor in your network, you can contact CIRCL, Computer Incident Response Center Luxembourg.
The attacks evolve over time (especially backscatter traffic or traffic from misconfigured systems), but these events are mainly opportunistic attacks. Some countries can be more heavily represented due to various factors such as their proportion of unpatched systems, the number of connected systems or the activities of some bulletproof ISPs.
For the public, the map gives an overview of the origin of opportunistic attacks and how they are distributed around the world. The evolution of the traffic also shows the trend of malicious activities per country. As an example, this helps to understand where unpatched (compromised) systems are located on the Internet.
For the feed partners hosting a sensor, the information is not limited to geolocation: it includes detailed information about the source IP addresses, the targeted protocols (like TCP or UDP) and the services (like HTTP or SSH). Feed partners can then use this collected information to check the logs of their production security infrastructure, find these known opportunistic attacks and improve their security.
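One way a feed partner could run the log check described above, as an added example that is not CIRCL's code. The feed record layout (source IP, protocol, port), the key=value log format and every address shown are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed feed records (assumed layout: source IP, protocol, destination port).
SENSOR_FEED = [
    ("198.51.100.23", "tcp", 22),
    ("203.0.113.77", "tcp", 80),
    ("2001:db8::bad", "udp", 53),
]

# Constructed production firewall log lines (assumed key=value format).
PRODUCTION_LOG = """\
2024-05-01T10:00:01Z action=accept src=198.51.100.23 dst=192.0.2.10 proto=tcp dport=22
2024-05-01T10:00:02Z action=drop src=192.0.2.200 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:00:05Z action=accept src=2001:0db8:0000:0000:0000:0000:0000:0bad dst=2001:db8:1::10 proto=udp dport=53
2024-05-01T10:00:09Z action=accept src=203.0.113.77 dst=192.0.2.11 proto=tcp dport=8080
2024-05-01T10:00:10Z malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def build_index(feed):
    """Map canonical source IP -> set of (protocol, port) seen by the sensors."""
    index = defaultdict(set)
    for ip, proto, port in feed:
        index[ipaddress.ip_address(ip)].add((proto.lower(), int(port)))
    return index

def correlate(log_text, index):
    """Return (line, match_kind) for production log lines whose source is in the feed."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields["src"])
            service = (fields["proto"].lower(), int(fields["dport"]))
        except (KeyError, ValueError):
            continue  # skip lines that lack the fields or carry unparsable values
        if src in index:
            kind = "same-service" if service in index[src] else "source-only"
            hits.append((line, kind))
    return hits

if __name__ == "__main__":
    for line, kind in correlate(PRODUCTION_LOG, build_index(SENSOR_FEED)):
        print(f"{kind:12} {line}")
```

Parsing addresses with `ipaddress` before comparing them means an IPv6 source written in expanded form in the log still matches its compressed form in the feed.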
A sensor is placed by a partner in an unused network space (from one IP address to multiple IP addresses). The unused network space has no production network traffic, so the traffic reaching it can be called background noise. This background noise contains malicious opportunistic attacks along with other traffic such as backscatter traffic. The sensors capture those IP packets (IPv4 and IPv6) in order to analyse them. For the general public map, only the source IP address is converted into a geolocation in order to feed this map. The accuracy of the geolocation is subject to the MaxMind GeoIP accuracy.
CIRCL would like to thank all the partners hosting a CIRCL sensor in their premises:


