The Spinning Cube of Potential Doom
An anonymous reader writes "This month's Communications of the ACM (does not seem to have a link to online text) has an article about The Spinning Cube of Potential Doom, a security visualization tool that I first saw at SC2003. The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower). This definitely makes patterns in all that 'boring log data' jump out. This is a very interesting development, the ability to monitor in real time and replay historical security related information. Definitely a step towards the new types of tools we will need to secure hosts and networks."
Re:Can anyone explain the data we're seeing? (Score:5, Informative)
1) Your IP range
2) The entire IP range
3) Destination port
It's useful for things like picking up semirandom port scans that you might not detect based on textual data (see "barber poles").
Entire para:
"The Cube takes this connection information stored in the Bro files and displays it in a graphical format which can be more readily understood by people who are unfamiliar with networking and computer security techniques. The 'X' axis of the display (shown in red) represented the SCinet address space, which ranged from 141.221.128.0 - 141.221.255.255. The 'Z' axis (shown in blue) represented all possible IP address space (0.0.0.0 - 223.255.255.255). Multicast traffic (224.0.0.0 and above) was not displayed. The 'Y' axis (shown in green) represented the port number (0-65535). Some well known port numbers include 22 (ssh), 25 (smtp), 80 (http)."
Re:virtual ICE? (Score:4, Informative)
He also mentions that ordinary people got something a good deal more pedestrian, more like the Metaverse than Gibson's Matrix (or as we might say now, more like the Matrix than the funky green overlay Neo got
Re:check out the video! (Score:2, Informative)
Re:Remember! (Score:4, Informative)
Re:I wonder.... (Score:3, Informative)
Link is dead already (they yanked the file).
Re:Can anyone explain the data we're seeing? (Score:4, Informative)
We have a 3 dimensional cube shown on a 2 dimensional display, so the image can be a little confusing. Every dot represents a connection attempt to a machine at the conference, presumably mostly laptops being used by attendees. Successful connections are shown in "white" supposedly, but on my display they look gray. The colored dots are all unsuccessful connections, connection attempts where the machine did not respond. The presumption is that the vast majority of these are attacks and scans.
The left to right axis represents the IP address of the machine at the conference being attacked. Back to front is the IP address of the machine doing the attacking, from out on the internet. Bottom to top is the port number. To aid in viewing, the unsuccessful connections are shown in a color that represents the port, i.e. their height in the cube. That's all the color means. Red and orange are at the bottom for low numbered ports, then through yellow, green and blue in the middle ports, up to purple and back to red at the top for high numbered ports.
Now let's take a look at the picture. The main feature that jumps out is that most of the dots are colored; there are a lot more attacks than successful connections. Presumably these laptops are not hosting many legitimate servers. Second, we see that most of the dots are orange, meaning that they are attempts to connect on low numbered ports. That makes sense, as most services listen on standard low numbered ports of 1024 or less, or a bit more. That's why we see so many orange dots. Those are attempts to connect to web servers, mail servers, various Windows services that are known to be vulnerable, etc.
Another feature of the orange dots is that they are largely clustered towards the back, which would mean that the attacks are coming from Internet addresses which are relatively low in the address range. Looking closely, I make it out to be about 1/4 of the way from the back to the front, which would correspond to IP addresses of around 64.X.X.X. If we look at the first field of IPv4 addresses, ARIN (North America) has 24, then 63-70; APNIC (Asia/Pacific) has 60-61; RIPE (Europe) has 62, then 80-84, and all of them go on up from there. I'm not sure of the worldwide distribution of IP addresses but I suspect that accounts for the fact that many of the attacks and scans are coming from the 60-80 range or so, on the graph. There's another cluster of IPv4 address assignments in the 198-222 range, and that corresponds to a weak cluster of orange dots near the front of the cube, at the bottom.
Another feature we can see is some vertical structure in the blue and cyan dots, especially to the left and the right. These represent port scans, where a particular host machine is making connection attempts to a series of port numbers on a particular target machine. Such scans show up as vertical lines. Here we don't have a full line but only aligned dots, so we may be missing some packets, or the scan may be accessing only selected ports.
Well, that's about as far as I can go with my analysis. But you can see that if you had a real-time display of the last N minutes or seconds of activity, it would show you a visual picture of scans into your network. Probably be pretty hypnotic. Of course I'm not sure it makes sense to pay somebody to stare at it all day... you'd probably want to run a sped-up version at the end of the day and see if anything untoward leaped out.
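The two comments above (the quoted SCinet paragraph giving the axis ranges, and the walk-through of what the dots, colors and vertical lines mean) describe a mapping that is easy to make concrete. The following is an added example, not code from the Cube, from Bro or from any commenter: it takes a few constructed connection records in a simplified four-column shape (source, destination, destination port, Bro-style state, with "SF" meaning the connection completed), maps each one onto the three normalized cube axes, assigns the port-keyed color the comment describes (white for successful connections, a full turn of the hue circle for failed ones), and flags the "vertical line" port-scan pattern, i.e. one remote source touching many distinct ports on one conference host without a completed connection. The address ranges are the ones quoted on the page; the sample records and the `min_ports` threshold are assumptions.

```python
import colorsys
import ipaddress
from collections import defaultdict

# Axis ranges as given in the SCinet description quoted in the thread.
X_LO = int(ipaddress.IPv4Address("141.221.128.0"))    # SCinet address space (X, red)
X_HI = int(ipaddress.IPv4Address("141.221.255.255"))
Z_HI = int(ipaddress.IPv4Address("223.255.255.255"))  # all unicast space (Z, blue)
MULTICAST = int(ipaddress.IPv4Address("224.0.0.0"))   # 224.0.0.0 and above not displayed
PORT_MAX = 65535                                       # port axis (Y, green)

# Constructed sample (not real data), loosely shaped like a Bro connection summary:
# source_ip dest_ip dest_port state, where "SF" = completed, "REJ"/"S0" = no answer.
SAMPLE_LOG = """\
64.12.7.9     141.221.130.5  80    REJ
64.12.7.9     141.221.130.5  22    REJ
64.12.7.9     141.221.130.5  25    REJ
64.12.7.9     141.221.130.5  139   S0
64.12.7.9     141.221.130.5  445   S0
64.12.7.9     141.221.130.5  3389  REJ
198.51.100.7  141.221.140.9  80    SF
203.0.113.4   141.221.140.9  135   REJ
224.0.0.251   141.221.140.9  5353  S0
"""


def parse_log(text):
    """Parse the four-column sample format into (src, dst, dport, ok) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, state = line.split()
        records.append((src, dst, int(port), state == "SF"))
    return records


def to_cube(src, dst, dport):
    """Return (x, y, z), each in [0, 1], for one connection attempt, or None if
    it falls off the cube (destination outside SCinet, multicast, bad port)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    if not (X_LO <= d <= X_HI) or s >= MULTICAST or not (0 <= dport <= PORT_MAX):
        return None
    x = (d - X_LO) / (X_HI - X_LO)  # left to right: the SCinet host being probed
    y = dport / PORT_MAX            # bottom to top: destination port
    z = s / Z_HI                    # back to front: remote source address
    return (x, y, z)


def dot_color(dport, ok):
    """White for a completed connection; otherwise a hue keyed to the port,
    running red at the bottom through yellow, green, blue and purple back to
    red at the top (one full turn of the HSV hue circle)."""
    if ok:
        return (255, 255, 255)
    r, g, b = colorsys.hsv_to_rgb(dport / PORT_MAX, 1.0, 1.0)
    return (round(r * 255), round(g * 255), round(b * 255))


def find_port_scans(records, min_ports=5):
    """Flag the 'vertical line' pattern: one remote source hitting at least
    min_ports distinct ports on one conference host with no completed
    connection. Returns {(src, dst): sorted list of ports}."""
    hits = defaultdict(set)
    for src, dst, dport, ok in records:
        if not ok and to_cube(src, dst, dport) is not None:
            hits[(src, dst)].add(dport)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, dport, ok in recs:
        print(src, dst, dport, to_cube(src, dst, dport), dot_color(dport, ok))
    print("port scans:", find_port_scans(recs))
```

Run as a script it prints one line per record with its cube coordinates and color, then the flagged scans. The `z` value for the 64.x source comes out just under 0.29, which agrees with the commenter's estimate that the orange cluster sits about a quarter of the way from the back; the multicast record is dropped, as the SCinet description says it was. The scan detector is deliberately the simplest reading of "vertical line" (many ports, one source, one target); a real-time version would window records by time, which the sample format has no column for.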
Re:If this continues... (Score:1, Informative)
You mean like this [auralizer.com]?