A map of the botnet attacking our server

Primary language: HTML

BotMap

A map of the 🤖net attacking our server

latest map

Premise

So my friends and I have been managing CentOS for the past couple of years in an effort to save money and have autonomy from private hosting services. Once our most recent server was port-forwarded, it quickly caught the attention of a scraper. Brute-force attacks soon followed, and su - reports like this were a daily occurrence:

too many attacks

I implemented fail2ban ASAP (as everyone should), and before long the daily attacks began to diminish, flooring at ~10 a week. I concluded that this botnet must be astronomical, and I wanted to see just where these attacks were being distributed from.

Sean and I began to whip up a means to find this out.

Pythonic Approach

Our first model used Matplotlib, a Python 2.x data plotting library, to create our map.

Piping the list of banned IPs from fail2ban-client status sshd, we wrote a simple script to convert these IPv4 addresses to geolocations using the freegeoip API. This data was then parsed by mapdraw to populate a navigable map.

first map

Then again with a month and a half's worth of data and a fresh coat of paint...

second map

HTML

Python is well and good for afternoon-sprint projects, but having to install huge dependencies on everyone's machine is a hassle. Better to move towards a web stack.

third map

This employed a front-end D3.js library, DataMaps. Its cross-platform accessibility, high-resolution SVG map and plot labels (!!!) were significant improvements over the previous implementation. This also featured a cleaner, low-light color scheme.
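The pipeline described in the two sections above (banned IPs out of fail2ban-client, geolocation per address, aggregated points for the map) is small enough to show end to end. The script below is an added example, not the project's mapdraw code: it parses the "Banned IP list" line of a constructed fail2ban-client status sshd output, drops addresses that are not worth geolocating (RFC 1918, loopback), runs each remaining address through a pluggable lookup function, and emits the per-city bubble objects that DataMaps' bubbles() call consumes. The lookup here is a constructed in-memory table standing in for the freegeoip API (the response field names ip, country_name, city, latitude, longitude are assumed from that API), so it runs offline; the DataMaps bubble keys name, latitude, longitude, radius and fillKey are likewise assumed from that library's documentation.

```python
import ipaddress
import json
import re
import sys
from collections import Counter

# Constructed sample of `fail2ban-client status sshd` output. The private
# address 192.168.1.20 is included to show the filtering step.
SAMPLE_STATUS = """Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     1289
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 5
   |- Total banned:     1430
   `- Banned IP list:   203.0.113.7 198.51.100.23 192.168.1.20 192.0.2.45 203.0.113.99
"""

# Constructed stand-in for the freegeoip API (field names assumed from it).
FAKE_GEO = {
    "203.0.113.7":   {"ip": "203.0.113.7",   "country_name": "Argentina", "city": "Buenos Aires", "latitude": -34.60, "longitude": -58.38},
    "203.0.113.99":  {"ip": "203.0.113.99",  "country_name": "Argentina", "city": "Buenos Aires", "latitude": -34.60, "longitude": -58.38},
    "198.51.100.23": {"ip": "198.51.100.23", "country_name": "China",     "city": "Shanghai",     "latitude": 31.23,  "longitude": 121.47},
    "192.0.2.45":    {"ip": "192.0.2.45",    "country_name": "Germany",   "city": "Frankfurt",    "latitude": 50.11,  "longitude": 8.68},
}

# Addresses that can never be geolocated meaningfully: internal hosts that
# tripped the jail, and loopback.
_SKIP_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

_BANNED_LINE = re.compile(r"Banned IP list:\s*(.*)$", re.MULTILINE)


def parse_banned_ips(status_text):
    """Return the syntactically valid, non-internal IPv4 addresses from the
    'Banned IP list' line, in order and without duplicates."""
    match = _BANNED_LINE.search(status_text)
    if not match:
        return []
    seen, result = set(), []
    for token in match.group(1).split():
        try:
            addr = ipaddress.IPv4Address(token)
        except ValueError:
            continue  # not an IPv4 literal (fail2ban can also ban IPv6)
        if any(addr in net for net in _SKIP_NETS) or token in seen:
            continue
        seen.add(token)
        result.append(token)
    return result


def geolocate(ips, lookup):
    """Resolve each address with `lookup(ip) -> record or None`;
    addresses the lookup cannot place are skipped, not guessed."""
    records = []
    for ip in ips:
        rec = lookup(ip)
        if rec and rec.get("city") and rec.get("latitude") is not None:
            records.append(rec)
    return records


def city_counts(records):
    """Attack count per (city, country), for the 'top cities' summary."""
    return Counter((r["city"], r["country_name"]) for r in records)


def to_datamaps_bubbles(records):
    """Aggregate records into one bubble per city; radius grows with the
    number of banned addresses seen there (bubble keys assumed from DataMaps)."""
    by_city = {}
    for r in records:
        key = (r["city"], r["country_name"])
        entry = by_city.setdefault(key, {
            "name": f"{r['city']}, {r['country_name']}",
            "latitude": r["latitude"], "longitude": r["longitude"], "count": 0})
        entry["count"] += 1
    bubbles = [{"name": e["name"], "latitude": e["latitude"], "longitude": e["longitude"],
                "radius": 3 + 2 * e["count"], "fillKey": "attack"}
               for e in by_city.values()]
    return sorted(bubbles, key=lambda b: b["radius"], reverse=True)


if __name__ == "__main__":
    # Live use: `fail2ban-client status sshd | python botmap_pipeline.py`
    # (hypothetical file name); otherwise the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    recs = geolocate(parse_banned_ips(text), FAKE_GEO.get)
    print(json.dumps(to_datamaps_bubbles(recs), indent=2))
```

The output JSON is what a DataMaps page would pass to map.bubbles(); swapping FAKE_GEO.get for a function that calls a real geolocation service is the only change needed for live data. Dropping RFC 1918 addresses before the lookup matters because a geolocation service will happily place them somewhere, which silently skews the "where are the attacks from" picture.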

Conclusion

Of the 1,430 different attack sites, the top two highest-concentrated cities were:

Buenos Aires

BA

Shanghai

CHI

We will continue to post more information as it comes.