from Hacker News

Visualizing malicious IP addresses

by Bromeo on 4/25/24, 11:32 PM with 116 comments

• by reincoder on 4/26/24, 5:13 AM

  You can use IPinfo's IP map (https://ipinfo.io/tools/map) or IP summary tool (https://ipinfo.io/tools/summarize-ips).

  Both of these services support sending IP addresses via an API endpoint and can handle up to 500k IP addresses. You can also share the report via URL.

• by mianos on 4/26/24, 3:06 AM

  I always wondered how the IPs like this 180.101.88.232 from this block:

  ISP ChinaNet Jiangsu Province Network Domain Name chinatelecom.com.cn

  Continue to be the source of thousands of ssh password login attempts for years and years on end.

  It's not a big deal, I use a tarpit on all ssh with 2FA on the one I use, but it seems ridiculous that some participants of the internet don't give a shit about the rest of the world.

• by chriscjcj on 4/26/24, 4:40 AM

  It's been a couple decades since I adminned servers and firewalls. In my experience, in the early 2000's, Russian IPs were extremely common. I was surprised that OP didn't see even one. Can anyone conjecture on what might account for the apparent change?

• by channel_t on 4/26/24, 6:06 PM

  These kinds of experiments get even more interesting when you also pipe the IPs into Shodan and find out that a lot of the malicious login attempts are coming from pwned DVRs and other devices.

• by dfex on 4/26/24, 4:15 AM

  > Upon closer inspection of Asia, we can notice a significant number of addresses located in South Kora, (and possibly North Korea?), as well as in Taiwan.

  > I was surpised to see that the distribution of attacks is extremely uneven with most of it concentrated in parts of Asia, Europe, and the US, and (almost) none from South America, Middle East, and Russia.

  Aside from the casual stereotyping of bad actors here, the article completely neglects the fact that just because the attack is sourced from a certain IP/geolocation doesn't mean that the attacker resides in that location.

  What you most likely have is a listed of pwned PCs with fast internet connections being used in botnets.

• by midnight_shaman on 4/26/24, 7:06 AM

  I always install fail2ban on publicly exposed machines, especially if ssh is enabled. It won't block new malicious IPs but at least it will stop bruteforce attacks coming from each IP

• by mcoliver on 4/26/24, 3:05 AM

  Fun. You could also try putting the data into Google's data studio (now looker) to visualize them in an interactive map you can publish. Add things like size of dot corresponding to number of attempts, add reverse DNS/whois info to the info bubble, etc. Wonder how much came from residential vs business ip space.

  https://lookerstudio.google.com

• by ies7 on 4/26/24, 4:14 AM

  > Interesting! We can see the most locations in India, Indonesia, and China as well as a significant number in the US and Europe.

  Are these because the bad guys are in there or just because of the population size?

  China, India, US, and Indonesia are the top four of the most populous country and also 4 countries with most internet users.

  Even the size of 10% of Indonesian internet users are almost the entire Taiwan population.

• by ludovicianul on 4/26/24, 6:01 AM

  A few years ago I've built a more simple visualization similar to this one with the attacks on the host the application was already deployed: https://github.com/ludovicianul/geolog. China was mostly leading, but there were many from US and Europe.

• by micw on 4/26/24, 4:19 AM

  "Failed publickey" - does this make sense? What is the chance to brute-force a private key that way?

• by wiradikusuma on 4/26/24, 3:42 AM

  Holy moly! That explains why I frequently get captcha when using residential internet in Jakarta. I don't see those captcha when accessing from e.g. Kuala Lumpur or Singapore.

  Is the information in the article actionable? E.g. can I complain to someone with authority?

• by brazzy on 4/26/24, 10:40 AM

  As others have pointed out, the location of the IP address does not necessarily correspond with the location of the attackers.

  Specifically, in Germany, the central-ish culster of dots is in the Frankfurt area, which is also the location of DE-CIX, one of the world's largest internet exchange points, and of roughtly 1/3 of all datacenters in Germany.

  So I think rather than comparing the IP locations with population density, it would be even more interesting to compare them with the location of internet infrastructure. This is of course correlated, and probably harder to find as an open dataset.

• by keepamovin on 4/26/24, 4:23 AM

  This was cool. The makings of an adhoc DIY cyber intelligence dashboard.

  I guess the distribution could reflect places with lower income levels looking to get free compute? (for whatever purposes). A lot are coming out of places where relative cost of compute compared to income, may be too high, alternately there may not have access to accepted payment methods?

  For the servers coming from the US and developed East Asia it could be already cyber companies doing scanning to find clients, or already compromised servers?

• by unraveller on 4/26/24, 3:45 AM

  If you're lucky enough to have a big ISP with a single big block of IP addresses that never changes you can disallow all other ranges on your VPS admin ports and only have to worry about VPNing through that ISP.

  I guess you could block the main country offenders but you'd have to pay an API to keep up with the IP allocations to be sure.

• by tonymet on 4/26/24, 6:09 AM

  why is ssh open to the internet to begin with?

  ufw is the first thing I install, even on a "private" network and here's why.

  I recently installed a router with IPv4 and IPV6. I later found out that IPv6 was globally addressed with no firewall.

  Always run ufw and begin by shutting off everything to the internet, then only open up what you need.

• by spacecadet on 4/27/24, 2:04 AM

  I automate the hell out of packet capture, using the max ipinfo free tier each month... graph db... I cluster packets, organization dossier, and other collections of data as embeddings. Helps cut noise and identify anomalies faster.

• by voidUpdate on 4/26/24, 8:41 AM

  So this made me realise where I could find the SSH log file, and I spent a little while panicking at just how many attempts I've been getting on my webserver, and locking things down just a little harder out of paranoia

• by opentokix on 4/26/24, 7:35 AM

  This is literally built in, in most modern logging systems with visualization.

• by tetris11 on 4/26/24, 6:57 AM

  I'd recommend grepping "(Failed|Invalid)" to capture more IPs

• by 3abiton on 4/26/24, 9:25 AM

  I have been doing similar, albeit less complex analysis, of incoming malicious, and it's always surprising the amount of relentless attacks. Any good practices to maintain a secure online server?

• by mo_42 on 4/26/24, 4:12 AM

  It's not so hard to use Tor for that. I wonder how the Tor exit nodes are distributed across the globe and see how that correlates or not.

• by JSDevOps on 4/28/24, 9:40 PM

  Awesome content! Brilliant post. You could use maxmind and use the free files to get your data.

• by imp0cat on 4/26/24, 4:22 AM

  Wouldn't it be better and faster to use a local geoip database for the IP lookup instead of doing a network call for each?

• by wsintra2022 on 4/26/24, 2:31 AM

  Interesting, if it’s an issue you could try port knocking to prevent the constant attempts

• by ajsnigrutin on 4/26/24, 8:52 AM

  > Finding the location of each attacker.

  ...of the attacking IP address, not attacker...

  If I, living in a small EU country, wanted to "hack" my neighbour across the street, I sure as hell wouldn't use my home IP address, tied to my account at my ISP, which has my name and address.

  I'd probably try to find an "IP" (VM, vpn, or whatever) in a country that's not really friendly about giving "ip address data" to our authorities.

  On the other hand, I wouldn't use a chinese IP in china, if I lived there and wanted to hack my neighbour over there.