Geolocation by IP address provides a way to visualize Internet attack data collected at honeypots and other sensors. This method generates some interesting active graphics, but it’s not clear that you can really do much with it beyond marvel at the industry and persistence of attackers. Your supposed location and your actual location may vary widely with IP Geolocation depending on the data provider you use (e.g. Max Mind, Quova. IP2Location, freegeoip.net, and others).
Here are three well-known attack visualizers:
The Digital Attack Map provides a real time visualization of distributed denial of service (DDoS) attacks around the world. The map is produced using data from collectors operated by layer 3/4 filtering firm Arbor Networks, along with visualization programming by Google’s Idea group. Most the activity on the map is lower layer, however, such as DNS reflections and basic TCP attacks. You can see this by the color coding of the vectors; application layer attacks are shown n blue. While interesting and informative, there isn’t much you can actually do with this map beyond look at it and marvel at the industry and doggedness of attackers.
Have a look yourself: The Digital Attack Map
Norse Attack Map is similar to The Digital Attack Map, but has the added feature of scrolling by the source and destination ports and protocols in a very lively feed. A sorted list of attacker country-of-origin has the usual suspects.
Have a look yourself: Norse Attack Map
The HoneyMap is a consortium project aimed at generating visualizations based on attackers getting sucked into honeypots. This is useful, particularly if you are an attacker, as you may know where not to go. If you are bot herder, this may be less helpful. At the time of this writing, the HoneyMap seemed to be off-the-air. You can get the visualization library for your own data from GitHub at https://github.com/fw42/honeymap
Have a look yourself: The HoneyMap
