Attacks on a home DSL connection

Summary

The map below displays one day's worth of portscans against a regular DSL connection, sorted by attack origin (or supposed origin). If you wish to read a more technical explanation, please scroll down to the Details section. Total attacks since today: 20

Details

There is a fair amount of technology that went into creating the simple-looking map above, including OSSEC, OpenStreetMap, OpenLayers, Django, Python, SYSLOG, Postgis/Postgres, Apache, mod_tile, Mapnik and mod_wsgi. There are other technologies as well (ESX for the virtualization, Zenoss for the monitoring, and so forth), but they are not really relevant. Since I'm not really in a typing mood for now, I'm going to make a quick drawing to illustrate the flow and relationship between attack and request [attack = portscan, request = viewing map].


Flow chart

Update: I've migrated this page off my DSL connection and onto my normal server -- however, while this page is hosted on my server, the attacks are still on my home connection. Additionally, I've changed one line of code to use the OSM website instead of generating the tiles myself. This allows more details for each suburb, and I can turn off the Tiles server to save a few cycles, and a few watts. (Although mod_tile has worked flawlessly for me for many months).

Attack Process: I have configured my Cisco to forward syslog logs to my monitoring server, which are then consumed into OSSEC. If a certain threshold is met, I will receive an email that somebody has tried scanning my public IP. Regardless, each IP is recorded into a log file, firewall.log. I wrote a script (thanks, Python!) utilizing PyParsing to extract the IP address out of the log, run it through GeoIP translation, and output it into a partial javascript file.

Map Request Process: When a request comes in it first hits a reverse proxy that splits up requests to labs.kelvinism.com from tiles.kelvinism.com. A normal request, say to this page, will pass through to the normal web server that is running Django. I've used Django to stitch together some javascript from OpenLayers (to generate the map), the partial javascript generated from the OSSEC log, and some other javascript to generate the lines and points. When the map is loaded it makes repeated calls to tiles.kelvinism.com to fetch the small tiles that are being stitched together. Although only one line of code would allow me to use the OSM general server, I decided to implement a tile server myself. The tile calls hit Apache, which has mod_tile built into it, then queries Postgis/OSM, and with the help of Mapnik, generates the individual tiles. In the end you are left with a map of portscans.
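The hand-off between the two processes above is the partial JavaScript file: the attack process writes it from firewall.log, and the Django template includes it so OpenLayers can draw the points. The script below is an added example, not the page's own script: it uses the standard library `re` and `ipaddress` instead of PyParsing, and a constructed lookup table in place of the GeoIP database. The Cisco-style log lines (RFC 5737 documentation addresses, with 198.51.100.7 standing in for the public IP), the table, and the `attacks` variable name are all assumptions. It also does two things the paragraph does not spell out: it drops sources on the home LAN so that local chatter is never plotted as an external scan, and it aggregates hits and probed ports per origin so repeated scans from one address become a single, weighted point.

```python
"""Added example: turn Cisco access-list deny syslog lines into a JavaScript
data file for the map.  Standard library only (re, ipaddress, json); the log
sample, the GeoIP stand-in table and the output variable name are constructed."""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample of firewall.log: Cisco IOS %SEC-6-IPACCESSLOGP deny lines
# using RFC 5737 documentation addresses.  198.51.100.7 plays the public IP.
SAMPLE_LOG = """\
Feb  1 12:25:40 gateway %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 203.0.113.45(51234) -> 198.51.100.7(22), 1 packet
Feb  1 12:25:41 gateway %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 203.0.113.45(51235) -> 198.51.100.7(23), 1 packet
Feb  1 12:26:02 gateway %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 192.0.2.99(40000) -> 198.51.100.7(445), 3 packets
Feb  1 12:26:10 gateway %SEC-6-IPACCESSLOGP: list LAN-IN denied udp 192.168.1.5(1900) -> 198.51.100.7(1900), 1 packet
Feb  1 12:26:30 gateway %SYS-5-CONFIG_I: Configured from console by admin
"""

DENY_RE = re.compile(
    r"denied (?P<proto>tcp|udp) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\(\d+\)"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\)"
)

# Networks that must never be plotted as an attack origin: the home LAN and
# loopback.  An explicit list is used instead of ipaddress.is_global because
# is_global also rejects the RFC 5737 ranges used in the constructed sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed stand-in for the GeoIP database: network -> (label, lat, lon).
GEOIP_STANDIN = {
    ipaddress.ip_network("203.0.113.0/24"): ("Example City A", -33.87, 151.21),
    ipaddress.ip_network("192.0.2.0/24"): ("Example City B", 52.37, 4.90),
}


def parse_log(text):
    """Return one dict per deny line; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append({"src": m["src"], "dst": m["dst"],
                           "proto": m["proto"], "dport": int(m["dport"])})
    return events


def is_internal(ip):
    """True when the source address belongs to one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def geolocate(ip):
    """Longest-prefix lookup in the stand-in table; None when unknown."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, loc) for net, loc in GEOIP_STANDIN.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_points(events):
    """Aggregate deny lines per external source into plottable points."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for ev in events:
        if is_internal(ev["src"]):
            continue                      # LAN noise, not a scan from outside
        per_src[ev["src"]]["hits"] += 1   # one hit per logged line, not per packet
        per_src[ev["src"]]["ports"].add(ev["dport"])
    points = []
    for src, agg in per_src.items():
        loc = geolocate(src)
        if loc is None:
            continue                      # cannot place it on the map
        label, lat, lon = loc
        points.append({"ip": src, "label": label, "lat": lat, "lon": lon,
                       "hits": agg["hits"], "ports": sorted(agg["ports"])})
    return sorted(points, key=lambda p: (-p["hits"], p["ip"]))


def render_js(points, var_name="attacks"):
    """Emit the partial JavaScript file that the page's template would include."""
    return "var %s = %s;\n" % (var_name, json.dumps(points, indent=2))


if __name__ == "__main__":
    print(render_js(build_points(parse_log(SAMPLE_LOG))))
```

The output is a plain `var attacks = [...]` assignment, so the map page can include it with a `<script>` tag and the OpenLayers code can loop over `attacks` to add a point per entry and a line from each point to the home location; the `hits` field is what lets a single noisy scanner be drawn larger rather than as a pile of overlapping markers.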

Why?

This is a really good question. I guess this idea just sort of evolved after several little sessions/missions. Maybe I was just tired of seeing all the alert emails come in, but never really thinking where the scans were coming from. Maybe I just wanted to show people the importance of firewalls.

About This Page

This page displays the attacks on my home connection based on their location in the world.
