You can watch the modern-day cyber war play out in real time with the help of this map from IT security firm Norse.
Norse maintains a massive network of at least eight million sensors across more than 200 data centers in over 50 countries. These “honeypots” are designed to look like everything and anything that connects to the internet, from grandma’s new netbook to ATMs, water treatment plants and even gaming servers. This web of sensors is designed to detect traffic from bad actors around the world and flag their IP addresses as a danger to other users.
All that information contributes to Norse’s subscription service, called Darklist, which Norse says is “a live, continuously updated list of the highest risk IPs.”
“We track the top three to five million worst IPs on the internet,” Jeff Harrell, the vice president of product marketing at Norse, told Polygon. “Each of the IPs on there will have a certain score, and then a lot of times what our customers will do is they’ll take scores of 90 and above and just block them.
“That way, before traffic from that IP gets anywhere past the network edge, our clients are sure that those IPs aren’t getting in for any reason. Even if it looks like a legitimate connection, the reason they’re on the list is because it’s not going to be a legitimate connection.”
Traffic from IPs on the Darklist is used to populate Norse’s real-time attack map. But what you’re seeing is, in reality, only a fraction of the traffic that they monitor.
“We process over 150 terabytes of data a day,” Harrell said. “What you’re seeing is just a little bit of cherry-picked data, because we can’t show you all of it or it would just be a mess. Your browser couldn’t render it. Every day you’re seeing a lot of attacks against the U.S., which is pretty common. If you left it on for a couple of hours you would certainly see it balance out, though. There’s always a lot of attacks against China and against North Korea.
“There are very rarely attacks against Canada, for whatever reason. I guess they’re just too nice.”
Whether the traffic visible on Norse’s map comes from hacker groups like Lizard Squad, or even nation states like the U.S. and North Korea, isn’t always clear. Much of the traffic on the map is from botnets, groups of computers in the wild that are under the control of malicious software. Control of botnets can change hands, and botnets come and go on a regular basis. But sometimes, Harrell said, you can see little pockets of activity that are recognizable.
“You’ll see a lot of attacks coming out of north eastern China,” Harrell said, “or going to north eastern China. That’s actually North Korea’s infrastructure. So you won’t see a lot of attacks coming out of North Korea proper, but you will see them coming out of this one specific dot in north eastern China. And that’s because that’s where the exit point for North Korea’s internet is.”
For their part, Norse executives are still unsure whether North Korea was responsible for the attack on Sony. You can see Norse’s senior vice president Kurt Stammberger discuss that in a recent appearance on MSNBC.