About the data

The data is collected by various SSH honeypots operated by GovCERT. These are mainly located in Switzerland. Currently GovCERT collects information about the background noise on the Internet. This information serves to distinguish targeted attacks from semi-targeted and non-targeted ones. If an offending IP has been observed on different honeypots regardless of their location, the attack is most likely non-targeted. If an IP is observed at only one honeypot, this IP may be interesting. If it can be observed on non-exposed honeypots within sensitive networks, the attack may be targeted and should be analysed further. Additionally, the statistics clearly show that some networks are the origin of many attacks; these networks may be blocked in order to avoid any risk and to reduce the volume of log files to be analysed.

Action recommended

The Honey Net needs to be developed further, using more protocols and more probes. In a second step, probes should be placed within specially guarded networking zones in order to detect targeted attacks. Networks from which a large number of attacks originate over a longer period should be blocked at the perimeter.
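The triage rules from "About the data" and the per-network view behind the blocking recommendation can be expressed as a small script. This is an added example, not GovCERT's own tooling. The honeypot names, the event format, the /24 grouping, the event threshold and the rule that a hit on a non-exposed honeypot outranks the other labels are all assumptions, and the "longer period" time window is left out.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed honeypot inventory (hypothetical names): name -> exposed to the Internet?
HONEYPOTS = {"hp-zrh": True, "hp-gva": True, "hp-internal": False}

# Constructed sample events as (source IP, honeypot); IPs are documentation ranges.
EVENTS = [
    ("198.51.100.7", "hp-zrh"),
    ("198.51.100.7", "hp-gva"),
    ("198.51.100.9", "hp-zrh"),
    ("198.51.100.9", "hp-gva"),
    ("203.0.113.20", "hp-gva"),
    ("192.0.2.55", "hp-internal"),
]

def classify(events, honeypots):
    """Label each source IP by the set of honeypots it was observed on."""
    seen = defaultdict(set)
    for ip, hp in events:
        seen[ip].add(hp)
    labels = {}
    for ip, hps in seen.items():
        if any(not honeypots[hp] for hp in hps):
            # Seen on a non-exposed honeypot: analyse further.
            # Assumption: this outranks the other two labels.
            labels[ip] = "possibly-targeted"
        elif len(hps) > 1:
            # Seen on several honeypots: background noise.
            labels[ip] = "non-targeted"
        else:
            # Seen on exactly one exposed honeypot.
            labels[ip] = "interesting"
    return labels

def noisy_networks(events, min_events=3, prefix=24):
    """Count events per source network; return those at or above min_events."""
    counts = defaultdict(int)
    for ip, _ in events:
        # strict=False masks the host bits, giving the enclosing network.
        counts[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return {net: n for net, n in counts.items() if n >= min_events}

if __name__ == "__main__":
    for ip, label in sorted(classify(EVENTS, HONEYPOTS).items()):
        print(ip, label)
    print("block candidates:", noisy_networks(EVENTS))
```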

