Mapping IP addresses on an actual USA map.

I have some firewall rules in place that add ip addresses to a list banning that person from that port for 10 days. I would like to be able to plot these addresses automatically to an actual map, as I would also like to eventually find a way to automate sending emails to abuse departments for people that brute force our rdp, ftp, ssh ports.


Does anybody have or know of a method to automatically plot these ips to a map? Thanks!

While it is possible to get a general geographic location based on ISP netblocks you’ll be mapping to a city or a county at best.

The majority of brute force attacks come from compromised machines which are likely victims of brute force attacks themselves. You can send info to abuse departments all day long, it rarely if ever gets acted on because there are so many. You can send the information to the FBI, but it’ll get ignored because there is an overwhelming amount of cases already and only high priority ones get looked at.

If you have your logs dumped to a remote machine it’s fairly easy to write scripts to parse, lookup, and automatically email abuse addresses.

Welcome to the Internet, the best thing you can do is blacklist the addresses for a bit and move on. The only way to really impact the problem is if you have the skills to reverse engineer the implants and publish the information.

I know all of this, but I’m also trying to see how much is coming from our competitors’ area of residence, and how much is coming from other countries.

Can you give me better direction with this? I’m using kiwi for syslog too btw.

Why bother with maps? It’s easy enough to find what netblocks they use. You can have a script count up unique occurrences out of your logs and give you a count.

If you want to be evil you can always write scripts to update NAT rules to redirect attacks back to the source.
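The "parse the logs and count unique occurrences" idea from the two replies above, as an added example that is not from any poster in this thread: it parses syslog-style sshd lines (the sample lines are constructed, the host name and process ids are made up), counts failed logins per source address and per /24 netblock, and lists sources over a threshold. The netblock grouping is a rough stand-in for the ISP-block lookup the thread mentions; a real lookup would need whois or a GeoIP database, which this offline example does not do.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample syslog lines in OpenSSH's failed/accepted login format
# (not taken from the original thread; 203.0.113.x / 198.51.100.x / 192.0.2.x
# are documentation ranges used here as stand-ins for real sources).
SAMPLE_LOG = """\
Mar 10 02:14:01 gw sshd[2114]: Failed password for root from 203.0.113.17 port 51022 ssh2
Mar 10 02:14:03 gw sshd[2114]: Failed password for invalid user admin from 203.0.113.17 port 51023 ssh2
Mar 10 02:14:09 gw sshd[2130]: Failed password for root from 203.0.113.44 port 40211 ssh2
Mar 10 02:15:17 gw sshd[2140]: Failed password for invalid user test from 198.51.100.9 port 33842 ssh2
Mar 10 02:15:20 gw sshd[2140]: Accepted publickey for ops from 192.0.2.5 port 50110 ssh2
Mar 10 02:16:02 gw sshd[2151]: Failed password for root from 203.0.113.17 port 51030 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional, the
# username and the source IPv4 address are captured.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text):
    """Yield (source_ip, username) for every failed sshd login in the log text."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def count_by_source(text):
    """Number of failed attempts per unique source IP."""
    return Counter(ip for ip, _ in parse_failures(text))


def count_by_netblock(text, prefix=24):
    """Failed attempts aggregated per /prefix block, a coarse proxy for the ISP netblock."""
    blocks = Counter()
    for ip, _ in parse_failures(text):
        blocks[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return blocks


def offenders(text, threshold=2):
    """Source IPs with at least `threshold` failures, most active first."""
    return [ip for ip, n in count_by_source(text).most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in count_by_source(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {ip}")
    print("blocks:", dict(count_by_netblock(SAMPLE_LOG)))
    print("over threshold:", offenders(SAMPLE_LOG))
```

Pointing `parse_failures` at a file exported from the syslog server (Kiwi in the poster's case) instead of `SAMPLE_LOG` gives the per-source and per-netblock counts directly, without any map.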

How could I do that? :slight_smile:

Bad idea.

If the source address has been forged you are attacking someone that has nothing to do with the traffic.

Just temporarily blackhole it and move along.

That’s why it’s defined as something that’s evil.

You are not attacking anyone, and redirects from bots are essentially non-existent. It’s simple enough to check the source address as well for proxy functionality.

SSH requires a valid return address for responses. You can’t forge a fake address and have it work.