Ever wondered how many cyberattacks occur across the world every second? The non-profit Honeynet Project attempts to give you a sense of where and how frequently these cyberstrikes happen.
Honeynet has created a map of the world that plots the locations of cyberattacks as they hit in real time. But users going to map.honeycloud.net and using the visualization may want to take the pretty graphics with a grain of salt: There's a lot that makes the map a less-than-perfect illustration of global cybersecurity. (More on this in a moment.)
If you hop to map.honeycloud.net you'll see a map of the world. In the first second or so, a yellow "honeypot" will appear, representing a computer or bank of computers deliberately left vulnerable to security attacks for the purpose of catching or tracking such events. A few seconds later, red "strikes" will begin appearing on the map; each one marks the location of a malware-generated attack that a honeypot has detected. What you're seeing are actual attacks, and you're seeing them in real time. As you watch, more honeypots and more strikes will appear.
Honeynet engineer Mark Schloesser explained to us via email how the visualization works and the details behind what it's telling us.
Most of the attacks shown on the map hit a single honeypot.
Specifically, the one in Aachen, Germany. In a fifteen-minute period ending at 12 AM EST Saturday morning, there were just over a thousand attacks. 879 were on the Aachen honeypot, 60 were on a honeypot in Zagreb, Croatia, and the rest were on anonymous honeypots from around the world. Why is the Aachen server so popular? "The Aachen sensor has a lot of IP space assigned to it," Schloesser said, and "a sensor with lots of IPs gets targeted more often." Unfortunately, the Honeynet engineer admitted, "we don't do anything to get a more representative picture."
Despite its limited range, we're surprised by the number of attacks that appear on the map after only a few minutes. If hundreds of honeypots were included, we can only imagine how frightening it would look. As noted by PopSci, "if Aachen is the place they're monitoring the attacks best, how fast would a true world cyberattack map fill up? Probably quick."
In addition, certain attacks only hit specific honeypots.
For instance, the sixty attacks that hit the Croatian honeypot were all from one of two locations: Caracas, Venezuela, or Milan, Tennessee. The Aachen honeypot was never attacked from either of these locations, showing that the Honeynet's alpha-stage map most likely does not provide an accurate picture of cyberattack patterns around the globe.
The map also doesn't tell you where the malware originates.
Again, from Schloesser:
"The attacks shown [on the map] are in no form associated with nations… The attacking systems are regular users who are infected with malware. The common purpose is to spread and infect more machines."
So, in other words, while the map might theoretically give us some idea of which nations have the most malware-infected computers, we still can't tell from this map where the malware really "originates," that is, what nation or entity is making the malware, or even where it's being made.
Honeynet admits that the map needs a lot more work before it's actually an accurate visualization.
"[Right now], dots actually can represent several systems and also several attacks. We probably should add some visual notion of this," says engineer Schloesser. He also says that right now, the visualization is still missing a connection from malware source to malware destination: "When there is a lot going on it is hard to see which dots blink at the same time."
Schloesser also says that currently, not every cyberattack on the honeypots is tracked by the map, and not everything tracked on the map is necessarily a cyberattack. "The red dots are indeed random computers and they are in most (probably all) cases infected with a computer worm," explains the engineer. "However we actually are showing other types of attacks as well which might only be scans for vulnerabilities."
[hat tip The Atlantic Wire]