HackerTrans
TopNewTrendsCommentsPastAskShowJobs

djkurlander

no profile record

Submissions

Seeing and Hearing Internet Background Radiation

knock-knock.net
3 points·by djkurlander·2 maanden geleden·1 comments

Show HN: Knock-Knock v2 – Visualizing bot attacks in multi-protocol Technicolor

v2.knock-knock.net
3 points·by djkurlander·3 maanden geleden·3 comments

Show HN: Knock-Knock.net – Visualizing the bots knocking on my server's door

knock-knock.net
224 points·by djkurlander·5 maanden geleden·95 comments

comments

djkurlander
·2 maanden geleden·discuss
OP here.

See the hidden world of bot attacks and scanner chatter. Listen to Internet Background Radiation on a virtual Geiger counter.

Here we are capturing Internet chatter across 8 protocols: (SSH, Telnet, FTP, RDP, SMB, SIP, HTTP, and SMTP), targeting 8 servers distributed throughout the world.

Check out the 3D spinning globe heatmap. Explore the most popular usernames and passwords across a variety of protocols. See the ISP Wall of Shame.

If the info is coming in too fast and furious, hit the pause button (or space bar if you have a keyboard).

We are using a framework for deploying and displaying honeypot activity: https://github.com/djkurlander/knock-knock. Honeypots transmit their data (in JSON format) to a monitor that stores the info in a SQL database and publishes the info to redis. The front end service (using uvicorn) gathers this info and serves it to browsers via web sockets.

For just the dashboard without the explanation, visit https://knock-knock.net

Over 3 million (bot interactions) served!
djkurlander
·3 maanden geleden·discuss
The goal is to educate people (originally my kids) about one particular aspect of cybersecurity. I love it when people use the site for this purpose.

Yep, with ~80 knocks coming in per second and two 3D globe visualizations, it does make a lot of use of the browser. That said, it runs smoothly even on an iPhone browser. The server scales really well (longtime load average of 0.05 on a $6.75/year VPS :-).

Thanks!
djkurlander
·3 maanden geleden·discuss
OP here. Check out the new https://knock-knock.net. v1 got 40,000+ visits from HN alone, hoping you'll find v2 worth checking out too.

Watch bots trying to break into my honeypots, gain access to my files, place expensive VOIP calls, attack my HTTP server, and relay SPAM email. The new knock-knock.net shows you SSH, Telnet, FTP, RDP, SMB, SIP, HTTP, and SMTP attacks in real-time: where they are coming from (check out the spinning globe heat-map!), the most common usernames and passwords, info on why some of those usernames and passwords are being used, the worst offending IPs, and of course the ISP wall of shame. View the stats for the protocols together, or filter by protocol. All presented in what I hope is a very cool UI.

The new knock-knock.net aggregates attack info from multiple servers around the world and presents the info in one place, hence you'll see attacks come in at a furious pace, and may want to use the pause button (or space bar). Turning on audio (the speaker icon) lets you hear what some have called the "background radiation of the internet" on a virtual geiger counter. This is intended to be a fun, educational site, not a serious cybersecurity tool.

A few random, interesting things:

1) The locations of the bots doing the various protocol attacks differ pretty dramatically. For example, Romania, Poland, and the Netherlands are currently big for SSH bots, India leads for SMB, China is tops for RDP, and France for SIP, but the US is #1 overall.

2) SMTP attempts are usually sentry emails. SMTP bots first try to send an email to themselves so they can tell the server is a working relay. Notice that nearly all of the emails include my IP address in the subject or body (it appears here redacted as <target-ip>) so they can tell the relay is operative.

3) The Internet has been blocked for nearly all of the citizens of Iran since the January protests. However, I found it surprising that attacks still originate from servers there.

4) RDP and SIP bots will connect to a server and spam it practically non-stop. I had to set up an autoban for these protocols at 2,000 knocks - much lower than the 10,000 knock ban set for the other protocols.

5) As of this posting, we're still waiting for knocks from several African countries. They tend to have fewer internet servers than the rest of the world. However, we did get knocks from Jersey (the island, not the state or cow), Nauru (~10K people), and Monaco (~2 km^2). Surprising that we're still waiting for EU member Slovenia!

6) We've even seen knocks from space! Well from ISP SpaceX/Starlink anyway. You would think this would be expensive, but bots are often replicated on machines they infect, and they aren't paying the bills.

7) The worst offending ISP is ironically named "Unmanaged Ltd." Interestingly, it was previously DigitalOcean, but shortly after v1 was posted to HN and r/digital_ocean, and user comments skewered that ISP, their bot attacks dropped over 99%! Coincidence? Maybe. Maybe not.

Works great on desktop or mobile — try it out and let me know what you think. Happy to answer questions and take suggestions.

For a tutorial, see https://knock-knock.net/summary.

To see the original v1 knock-knock.net (collecting data for 90 days), visit: https://v1.knock-knock.net.

If the aggregated v2 site is too fast for you, visit a single feeder server (e.g. https://la5.knock-knock.net).

The source lives at https://github.com/djkurlander/knock-knock.
djkurlander
·5 maanden geleden·discuss
Thanks. I'd like to better understand the origin of DO's bot activity, and look forward to your report!
djkurlander
·5 maanden geleden·discuss
It has been 24 hours since this post went up, so here are some fun stats.

During this time, there were 13,024 knocks on the server from 368 unique IPs. That's ~35 knocks per bot.

During this time, thanks to Hacker News, there were 23,556 visits to knock-knock.net by 15,946 humans. That's ~1.5 visits per human.

So in the last 24 hours, we actually had nearly twice the number of human visits than bot visits, and 368 bots put on a show for 16,000 humans!
djkurlander
·5 maanden geleden·discuss
Ah, that makes sense. I’ve been wondering why DigitalOcean has so much of the bot traffic.
djkurlander
·5 maanden geleden·discuss
Hadn’t considered it, but that’s a nice idea. All of the necessary info, with time stamps, is already recorded in a SQL database, so it wouldn’t be difficult to replay events.
djkurlander
·5 maanden geleden·discuss
Thanks for pointing that out. T-Pot is cool and a more general honeypot framework. Potentially I could have built knock-knock.net on top of T-Pot.
djkurlander
·5 maanden geleden·discuss
Fail2ban would cut down on the noise quite a bit. I’ve installed it on other servers and have recommended it to others. But then we wouldn’t have all of this beautiful bot traffic to visualize.
djkurlander
·5 maanden geleden·discuss
Though strong passwords or preferably ssh keys are important, there will always be servers with weak passwords.

And DO doesn’t have to side with individual abuse reporters. If they cared, they could spend a fraction of an hour setting up the knock-knock software on one of their own servers, and generate their own list of abusive IPs. They just don’t care.
djkurlander
·5 maanden geleden·discuss
No, knock-knock.net is not hosted on DigitalOcean, and all 4 of my other knock-knock servers, using different providers, and distributed geographically currently have DigitalOcean as the worst offending provider.
djkurlander
·5 maanden geleden·discuss
My understanding is that they are a more general purpose data collection, and visualization framework. Potentially you could build something like this with that software, but they do not have knock-knock.net’s functionality built in.
djkurlander
·5 maanden geleden·discuss
Exactly right. I just didn’t want the bad actors to know my own IPv4 address so that they might try to cause havoc or treat my site differently.
djkurlander
·5 maanden geleden·discuss
If the bot sees no login / password sequence, there’s no way for it to brute force credentials. If the server only takes ssh keys, that will cause an immediate disconnect. Which is why this setting is best practice when setting up a server when practical: PasswordAuthentication no.
djkurlander
·5 maanden geleden·discuss
Sadly? Intentionally! The IP is hiding behind Cloudflare mainly to make it much harder for the bots to figure it out. Blocking you from messing with the stats is just icing on the cake. :-)
djkurlander
·5 maanden geleden·discuss
I was aware of port knocking, but not the Mac malware scanner with the similar name. Good to know!
djkurlander
·5 maanden geleden·discuss
…but if it did accept a password it would be 12345.
djkurlander
·5 maanden geleden·discuss
Good observation. I am using a Cloudflare orange cloud proxy to hide the IP address. I’m also blocking direct access to my web server by IP addresses to make it that much more difficult to associate the IP address with my domain. Most people installing knock-knock probably won’t care, but I figured that this would be worthwhile for the “official” server. Instructions for setting this up are in the extras/ufw-cloudflare directory of the repo. Yes, there are other ways to track down the IP address, but they are a lot harder.

By the way, I noticed that the bots were guessing usernames like “knock-knock” before blocking direct IP access to the web site. Looking at the other passwords guessed, I realized they were extracting words from the title of the index.html! So it’s all about masking the server’s identity - I’m not really getting other benefits out of Cloudflare.
djkurlander
·5 maanden geleden·discuss
!!!

Good luck trying to log in via port 22. The real ssh port is located elsewhere and doesn't accept passwords. :-)
djkurlander
·5 maanden geleden·discuss
OK - thanks for the excellent suggestion. It's now implemented (just two SQL queries that will run as a cron job every night). You can grab the month and year offending ip blacklists this way.

wget https://knock-knock.net/static/ip-blocklist-month.txt

wget https://knock-knock.net/static/ip-blocklist-year.txt