
Seeing and Hearing Internet Background Radiation
See the hidden world of bot attacks and scanner chatter. Listen to Internet Background Radiation on a virtual Geiger counter. Over 3 million served.

When I put my first server up on the internet, I was shocked by the number of bots that immediately tried to break in. I showed the logs to my kids, and they asked "where are all these bots coming from?" To answer this question visually, I built https://knock-knock.net . My goal was to build a visually appealing, educational, and fun site that shows the origins of the bots, the most commonly attempted usernames and passwords in credential attacks, as well as the worst offending ISPs. My newest version here reveals attacks across multiple internet protocols, and across multiple servers, aggregated into a single display.
Click the speaker icon to hear a virtual Geiger counter detect what has been called "the background radiation of the internet." If the info is being presented too quickly, hit the pause button or space bar.
Technical info: I built a set of Python-based honeypots feeding into a SQL database, with a Uvicorn front-end receiving knock information via websockets.
Have fun. Source code is available at https://github.com/djkurlander/knock-knock
Visit https://knock-knock.net for live data.
A few months ago I posted a website that I built to show hostile bot traffic hitting my seemingly unprotected VPS. Since then, I have expanded the honeypot to support Telnet, FTP, RDP, SMB, SIP, HTTP, and SMTP, in addition to SSH. The site now shows all of my idlers (8) feeding into a single aggregate display. See the bots' locations, favorite usernames, passwords, an ISP Wall of Shame, and more, all of which can be filtered by protocol.
Click the speaker icon to hear a virtual Geiger counter detect what has been called "the background radiation of the internet". If the data is coming in too fast, hit the pause button or space bar.
The source is available here: https://github.com/djkurlander/knock-knock
Have fun, and send comments or questions.
To see the latest data, visit: https://knock-knock.net
A 3D heatmap globe, showing bots attacking my servers in realtime. The globe shows the sources of over 1 million attacks across multiple internet protocols. It uses colors and country extrusion heights to indicate the worst offending countries. With every attack, the globe and leaderboard update to show the origin of the attack with a green pulse (and optional sound).
Interesting Geographic Notes:
Tech: Built with Python-based honeypots, feeding into a SQL database recording all the info for posterity. The front-end is a Uvicorn-based server communicating with the backend via websockets. Globe library courtesy of Globe.GL.
Data source: A SQL database storing over 900,000 Internet bot attacks, aggregated from honeypots on 8 different servers. Visit https://knock-knock.net to see a live presentation of that data.
Visualization: a dynamically rotating 3D globe heat map, with countries rendered as extruded polygons having a height and color reflecting the number of attacks seen so far. Accompanied by a scrolling leaderboard, with globe and leaderboard pulses in sync with each knock.
Audio Visualization: Accompanying "clicks", once for each attack (or "knock"), are intended to represent a Geiger counter, measuring what is often referred to as "internet background radiation."
Underlying Technology: A set of honeypots for SSH, Telnet, FTP, RDP, SMB, SIP, HTTP, and SMTP protocols, communicating with the browser via websockets. The globe code is provided by Globe.GL.
To see and hear this live, visit: https://knock-knock.net, which also shows a live feed of the bot attacks, the most frequent usernames and passwords attempted, an ISP Wall of Shame, and more. Click the speaker icon to hear the "internet background radiation".
Source is available at https://github.com/djkurlander/knock-knock
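
The posts above describe honeypot knocks landing in a SQL database and being shown as leaderboards that can be filtered by protocol. The following is an added example of that aggregation step, not code from the knock-knock repository; the table layout, column names, function names and sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample knocks (documentation IP ranges, made-up ISPs); not real data.
SAMPLE_KNOCKS = [
    # (server, protocol, src_ip, country, isp, username, password)
    ("vps1", "ssh", "192.0.2.10", "CN", "ExampleNet", "root", "123456"),
    ("vps1", "ssh", "192.0.2.10", "CN", "ExampleNet", "root", "admin"),
    ("vps2", "ssh", "198.51.100.7", "US", "SampleHost", "admin", "admin"),
    ("vps2", "telnet", "203.0.113.5", "BR", "DemoISP", "root", "root"),
    ("vps3", "ftp", "203.0.113.5", "BR", "DemoISP", "anonymous", ""),
    ("vps3", "telnet", "192.0.2.44", "CN", "ExampleNet", "admin", "123456"),
]

# Columns a caller may rank by. Column names cannot be bound as SQL
# parameters, so they are checked against this allowlist instead.
RANKABLE = {"country", "isp", "username", "password"}

def build_db(knocks=SAMPLE_KNOCKS):
    """Create an in-memory database with a hypothetical knocks table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE knocks (
        id INTEGER PRIMARY KEY, server TEXT, protocol TEXT, src_ip TEXT,
        country TEXT, isp TEXT, username TEXT, password TEXT)""")
    # Usernames and passwords are attacker-supplied, so they are always bound.
    conn.executemany(
        "INSERT INTO knocks (server, protocol, src_ip, country, isp, username, password)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)", knocks)
    return conn

def leaderboard(conn, column, protocol=None, limit=5):
    """Return [(value, count)] for one column, optionally for one protocol."""
    if column not in RANKABLE:
        raise ValueError(f"cannot rank by {column!r}")
    sql = f"SELECT {column}, COUNT(*) AS n FROM knocks"
    params = []
    if protocol is not None:
        sql += " WHERE protocol = ?"
        params.append(protocol)
    # Ties are broken alphabetically so the ordering is deterministic.
    sql += f" GROUP BY {column} ORDER BY n DESC, {column} ASC LIMIT ?"
    params.append(limit)
    return conn.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("countries:", leaderboard(db, "country"))
    print("ssh passwords:", leaderboard(db, "password", protocol="ssh"))
```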