See the hidden world of bot attacks and scanner chatter. Listen to Internet Background Radiation on a virtual Geiger counter.
Here we are capturing Internet chatter across 8 protocols: (SSH, Telnet, FTP, RDP, SMB, SIP, HTTP, and SMTP), targeting 8 servers distributed throughout the world.
Check out the 3D spinning globe heatmap. Explore the most popular usernames and passwords across a variety of protocols. See the ISP Wall of Shame.
If the info is coming in too fast and furious, hit the pause button (or space bar if you have a keyboard).
We are using a framework for deploying and displaying honeypot activity: https://github.com/djkurlander/knock-knock. Honeypots transmit their data (in JSON format) to a monitor that stores the info in a SQL database and publishes the info to redis. The front end service (using uvicorn) gathers this info and serves it to browsers via web sockets.
The goal is to educate people (originally my kids) about one particular aspect of cybersecurity. I love it when people use the site for this purpose.
Yep, with ~80 knocks coming in per second and two 3D globe visualizations, it does make a lot of use of the browser. That said, it runs smoothly even on an iPhone browser. The server scales really well (longtime load average of 0.05 on a $6.75/year VPS :-).
OP here. Check out the new https://knock-knock.net. v1 got 40,000+ visits from HN alone, hoping you'll find v2 worth checking out too.
Watch bots trying to break into my honeypots, gain access to my files, place expensive VOIP calls, attack my HTTP server, and relay SPAM email. The new knock-knock.net shows you SSH, Telnet, FTP, RDP, SMB, SIP, HTTP, and SMTP attacks in real-time: where they are coming from (check out the spinning globe heat-map!), the most common usernames and passwords, info on why some of those usernames and passwords are being used, the worst offending IPs, and of course the ISP wall of shame. View the stats for the protocols together, or filter by protocol. All presented in what I hope is a very cool UI.
The new knock-knock.net aggregates attack info from multiple servers around the world and presents the info in one place, hence you'll see attacks come in at a furious pace, and may want to use the pause button (or space bar). Turning on audio (the speaker icon) lets you hear what some have called the "background radiation of the internet" on a virtual geiger counter. This is intended to be a fun, educational site, not a serious cybersecurity tool.
A few random, interesting things:
1) The locations of the bots doing the various protocol attacks differ pretty dramatically. For example, Romania, Poland, and the Netherlands are currently big for SSH bots, India leads for SMB, China is tops for RDP, and France for SIP, but the US is #1 overall.
2) SMTP attempts are usually sentry emails. SMTP bots first try to send an email to themselves so they can tell the server is a working relay. Notice that nearly all of the emails include my IP address in the subject or body (it appears here redacted as <target-ip>) so they can tell the relay is operative.
3) The Internet has been blocked for nearly all of the citizens of Iran since the January protests. However, I found it surprising that attacks still originate from servers there.
4) RDP and SIP bots will connect to a server and spam it practically non-stop. I had to set up an autoban for these protocols at 2,000 knocks - much lower than the 10,000 knock ban set for the other protocols.
5) As of this posting, we're still waiting for knocks from several African countries. They tend to have fewer internet servers than the rest of the world. However, we did get knocks from Jersey (the island, not the state or cow), Nauru (~10K people), and Monaco (~2 km^2). Surprising that we're still waiting for EU member Slovenia!
6) We've even seen knocks from space! Well from ISP SpaceX/Starlink anyway. You would think this would be expensive, but bots are often replicated on machines they infect, and they aren't paying the bills.
7) The worst offending ISP is ironically named "Unmanaged Ltd." Interestingly, it was previously DigitalOcean, but shortly after v1 was posted to HN and r/digital_ocean, and user comments skewered that ISP, their bot attacks dropped over 99%! Coincidence? Maybe. Maybe not.
Works great on desktop or mobile — try it out and let me know what you think. Happy to answer questions and take suggestions.
Hadn’t considered it, but that’s a nice idea. All of the necessary info, with time stamps, is already recorded in a SQL database, so it wouldn’t be difficult to replay events.
Fail2ban would cut down on the noise quite a bit. I’ve installed it on other servers and have recommended it to others. But then we wouldn’t have all of this beautiful bot traffic to visualize.
Though strong passwords or preferably ssh keys are important, there will always be servers with weak passwords.
And DO doesn’t have to side with individual abuse reporters. If they cared, they could spend a fraction of an hour setting up the knock-knock software on one of their own servers, and generate their own list of abusive IPs. They just don’t care.
No, knock-knock.net is not hosted on DigitalOcean, and all 4 of my other knock-knock servers, using different providers, and distributed geographically currently have DigitalOcean as the worst offending provider.
My understanding is that they are a more general purpose data collection, and visualization framework. Potentially you could build something like this with that software, but they do not have knock-knock.net’s functionality built in.
If the bot sees no login / password sequence, there’s no way for it to brute force credentials. If the server only takes ssh keys, that will cause an immediate disconnect. Which is why this setting is best practice when setting up a server when practical: PasswordAuthentication no.
Sadly? Intentionally! The IP is hiding behind Cloudflare mainly to make it much harder for the bots to figure it out. Blocking you from messing with the stats is just icing on the cake. :-)
Good observation. I am using a
Cloudflare orange cloud proxy to hide the IP address. I’m also blocking direct access to my web server by IP addresses to make it that much more difficult to associate the IP address with my domain. Most people installing knock-knock probably won’t care, but I figured that this would be worthwhile for the “official” server. Instructions for setting this up are in the extras/ufw-cloudflare directory of the repo. Yes, there are other ways to track down the IP address, but they are a lot harder.
By the way, I noticed that the bots were guessing usernames like “knock-knock” before blocking direct IP access to the web site. Looking at the other passwords guessed, I realized they were extracting words from the title of the index.html! So it’s all about masking the server’s identity - I’m not really getting other benefits out of Cloudflare.
OK - thanks for the excellent suggestion. It's now implemented (just two SQL queries that will run as a cron job every night). You can grab the month and year offending ip blacklists this way.
See the hidden world of bot attacks and scanner chatter. Listen to Internet Background Radiation on a virtual Geiger counter.
Here we are capturing Internet chatter across 8 protocols: (SSH, Telnet, FTP, RDP, SMB, SIP, HTTP, and SMTP), targeting 8 servers distributed throughout the world.
Check out the 3D spinning globe heatmap. Explore the most popular usernames and passwords across a variety of protocols. See the ISP Wall of Shame.
If the info is coming in too fast and furious, hit the pause button (or space bar if you have a keyboard).
We are using a framework for deploying and displaying honeypot activity: https://github.com/djkurlander/knock-knock. Honeypots transmit their data (in JSON format) to a monitor that stores the info in a SQL database and publishes the info to redis. The front end service (using uvicorn) gathers this info and serves it to browsers via web sockets.
For just the dashboard without the explanation, visit https://knock-knock.net
Over 3 million (bot interactions) served!