Most dangerous time on the Australian Internet

Shown below is a visual of a time series analysis representing malicious activity reported by our 6 most active and reliable SensorNET honeypots. These honeypots have been deployed for between 9 months and 2 years in the Australian IP space. Our honeypots are designed to detect malicious network activity in a passive and safe manner; you can read more about the background of our SensorNET here.


Each one of these blue dots represents a group of other people's compromised computers attempting to compromise our honeypots in an effort to get them to join a botnet. All of this happens in the background, and does not require any action by the owner of the computer, or even for them to be sitting at the compromised computer.
Some of these attacks come from computers in Australia, and many come from other countries as well. We have done some visual analysis on the location of these attackers in past blogs using geographic heatmaps here and with a tool called Circos here.

While there are a lot of factors involved in malicious activity on the internet, I tried to keep it simple, and this visual does a reasonable job of helping us understand when malicious network activity peaks.

Relatively little activity is seen in the early hours between 3am and 7am. Then we see a substantial and consistent uptick in activity on every day between 8am and 9am. This may be caused by people turning on infected PCs, which then go and scan for new victims at this time. Throughout the day, activity generally increases, peaking around the middle of the night. The old adage 'beware the midnight hour' seems to be applicable even on the internet (hence the spooky green bar graph, just for fun).

From our results, it appears just after midnight on Friday and Thursday nights would probably be the most dangerous time for an unattended, insecure computer to be on the Australian internet. Of course there is actually no 'safe' time for such a computer to exist on the Internet, but it is interesting to do this analysis.
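To make the bucketing behind the visual concrete, here is an added Python example (not the SensorNET code) that takes a few constructed honeypot connection records, converts their UTC timestamps to Australian local time, counts distinct attacking sources per weekday-and-hour bucket, and reports the peak bucket. The record format and the AEST offset are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records, one connection attempt per line:
# "<UTC timestamp> <sensor id> <source ip>" (an assumed format, not SensorNET's).
SAMPLE_LOG = """\
2010-03-11T14:05:10Z sensor1 192.0.2.10
2010-03-11T14:12:43Z sensor2 198.51.100.7
2010-03-11T14:40:01Z sensor1 198.51.100.7
2010-03-11T14:51:22Z sensor3 203.0.113.9
2010-03-11T17:03:00Z sensor1 192.0.2.10
2010-03-11T22:30:15Z sensor2 192.0.2.55
2010-03-11T22:45:59Z sensor3 203.0.113.77
2010-03-10T14:20:00Z sensor1 192.0.2.10
"""

# Assumption: the sensors sit in AEST (UTC+10, no daylight saving). Honeypot logs
# are usually kept in UTC; forgetting this shift moves every peak by ten hours.
LOCAL_TZ = timezone(timedelta(hours=10), "AEST")
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def parse_events(text):
    """Parse log lines into (local datetime, sensor, source ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, sensor, src = line.split()
        utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((utc.astimezone(LOCAL_TZ), sensor, src))
    return events

def bucket_by_weekday_hour(events):
    """Count distinct attacking sources per (weekday, local hour) bucket."""
    # A source hitting several sensors within the same hour is one 'dot', so
    # one compromised host is not counted once per honeypot it probes.
    seen = set()
    counts = Counter()
    for local, _sensor, src in events:
        bucket = (DAYS[local.weekday()], local.hour)
        if (bucket, src) in seen:
            continue
        seen.add((bucket, src))
        counts[bucket] += 1
    return counts

def peak_bucket(counts):
    """Return the (weekday, hour) bucket with the most distinct sources."""
    return max(counts, key=lambda b: (counts[b], b))
```

Feeding a real export through `parse_events` and then `bucket_by_weekday_hour` gives the raw table behind a heatmap like the one above; the sample peaks at ("Fri", 0), just after midnight going into Friday.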

Each one of these attacks is preventable by using a proper firewall, good practice, antivirus, and security patches. To avoid contributing to the blue dots on this visual, read AusCERT's advice here on how best to protect your computers.

Helping to understand our cyber threat environment so that decisions on mitigations/controls are better informed is really one of our key goals, particularly as plans are underway for the roll-out of the $43 billion Australian National Broadband Network, which will clearly need to treat cyber security as a major consideration.

If you have a similar dataset that you are interested in studying in this manner, send me an email at ben@honeynet.org.au