Graph Exchange

This graph was produced with vulnerability data sniffed by the Passive Vulnerability Scanner (PVS) from Tenable Network Security and AfterGlow. A blog entry detailing this graph is located at Tenable's blog. The PVS sniffs vulnerability data such as client and server vulnerabilities, but also network 'trust' relationships such as which machines connect to a server on port 22. In the above graph, a host with an arrow to another host represents that the PVS has observed at least one network connection between those systems.

An image showing the post-AS9121 leakage connectivity. It is very easy to see the leaked route (the larger line) and which ASes that route was propagated to.

For more on VAST: http://jon.oberheide.org/files/vast-vizsec.pdf

An image showing the pre-AS9121 leakage connectivity.

For more on VAST: http://jon.oberheide.org/files/vast-vizsec.pdf

A view of the interconnections of a few of the core autonomous systems.

For more on VAST: http://jon.oberheide.org/files/vast-vizsec.pdf

The above image shows traffic flows on a small /24 subnet. The source IP address is represented on the left, and the destination IP addresses are on the right. Each square represents one unique host. The lines indicate traffic flows between source and destination IP addresses. The fan-out from left to right indicates a network scan, which created a flows from a single source host attempting to connect to a large number of hosts in the destination subnet.

For more on Flamingo, see http://flamingo.merit.edu.

This image represents a 10 second snapshot of traffic as seen at a busy Internet router. The image shows an interesting traffic pattern that shows a lot of flows destined towards a single large IP address prefix on 3 specific destination ports.

For more on Flamingo, see http://flamingo.merit.edu.

Same dataset as the Zotob worm 1 image but from an overhead view, showing the fan-out of destination hosts.

For more on Flamingo, see http://flamingo.merit.edu.

This series of images shows flows originating from a single source IP address going to different destination IP addresses on destination port 445. The traffic indicates suspicious traffic, related with the Zotob series of worms. The figures show flows over a 60 second period.

For more on Flamingo, see http://flamingo.merit.edu.

This graph was generated with psad (http://www.cipherdyne.org/psad/) running in --CSV mode against the iptables logfile that is distributed as a part of the Scan34 Honeynet challenge (see http://www.honeynet.org/scans/scan34/). The graph shows 92-byte ICMP type 8 packets directed against the Honeynet subnet 11.11.79.0/24. These packets are most likely associated with the Nachi worm (see http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html). Here is the specific command used to add the 92-byte search criteria:

# psad --CSV -m iptablessyslog --CSV-fields "src dst ip_len:92" --CSV-max 300 \
--CSV-regex "PROTO=ICMP.*TYPE=8" | perl afterglow.pl -c color.properties |neato -Tgif -o nachi_worm.gif

This graph was generated by using psad in --CSV mode against the Honeynet Scan34 challenge iptables logfile (see http://www.honeynet.org/scans/scan34/). This shows outbound traffic from the Honeynet subnet 11.11.79.0/24, and clearly shown are suspicious connections from the host 11.11.79.67 to external SSH and IRC servers; these are good indications that the system has been compromised.