Day 12: South America

South America Attacks!

Certain counties in South America are a large source of malicious traffic on the internet. This is due to scads of misconfigured MikroTik routers, Ubiquiti network gear, illegally obtained Android-based IP TV boxes, unpatched cameras, and scores of other unmaintained and unmonitored systems.

I used data from work to retrieve the volume of attacks and probes we’ve seen from these countries and graphed them below.

Normally I shy away from using geolocation data with anything “cyber”. Even country-level attribution is a bit wonky given how nefarious the IPv4 trade markets are. But, the margin of error isn’t yuge, and it gives me a subject few others will talk about on this fine twelfth day.

To mix it up a bit, I made three choropleths:

One with just the raw count
One with the count normalized by population (per-100K)
One with the count normalized by the number of IPv4 addresses IANA has allocated to that country (again, per-100K)

By sheer volume, Brazil is the worst of the worst, but you can see the list change depending on the other normalized values.

You can use our CLI tool to get other summary stats for different types of probes/attacks. Have some fun with it!

Code

Plot = require("@observablehq/plot");

saPlot = function ({ val = "", title = "" }) {
  return Plot.plot({
    className: "sa",
    projection: {
      type: "mercator",
      domain: {
        type: "MultiPoint",
        coordinates: [
          [-81, 12],
          [-35, 12],
          [-81, -56],
          [-35, -56]
        ]
      }
    },
    style: {
      background: "black"
    },
    color: {
      scheme: "cool",
      legend: true,
      label: title,
      type: "log"
    },
    marks: [
      Plot.geo(gnSaStats, {
        fill: (d) => d.properties[val],
        stroke: "white"
      }),
      Plot.text(
        [
          gnBump
            .filter((d) => d.measure === val)
            .map((d) => d.country)
            .reverse()
            .join("\n")
        ],
        {
          x: -28,
          y: -38,
          fill: "white",
          fontSize: 30,
          fontStyle: 700,
          textAnchor: "middle"
        }
      ),
      Plot.text(["RANK↓\n\n\n\n\n\n\n\n\n\n\n\n\n"], {
        x: -28,
        y: -38,
        fill: "white",
        fontSize: 30,
        fontWeight: 700,
        textAnchor: "middle"
      }),
      Plot.tip(
        gnSaStats,
        Plot.pointer(Plot.centroid({ title: (d) => d.properties.sovereignt }))
      )
    ]
  });
}

gnSaStats = FileAttachment("static/data/gn-sa-stats@4.geojson").json()
gnBump = FileAttachment("static/data/gn-sa-bump@1.json").json()

html`<div style='display: flex;'>
  <div style='width:33%;'>${saPlot({val: "count", title: "Total Probes Attacks From"})}</div>
  <div style='width:33%;'>${saPlot({val: "per_cap", title: "Attacks/Probes Per-capita (100K) From"})}</div>
  <div style='width:33%;'>${saPlot({val: "per_ip_cap", title: "Attacks/Probes Per-IP-allocation-capita (100K) From"})}</div>
</div>`

# Day 12: South America {.unnumbered} <style> td, h2 { border: none; border-bottom: none !important; } figure { background: black; padding: 20px; } figure> svg.sa-ramp { display: block; color: white; background: black; height: auto; height: intrinsic; max-width: 100%; overflow: visible; } </style> ## South America Attacks! Certain counties in South America are a large source of malicious traffic on the internet. This is due to scads of misconfigured MikroTik routers, Ubiquiti network gear, illegally obtained Android-based IP TV boxes, unpatched cameras, and scores of other unmaintained and unmonitored systems. I used [data from work](https://viz.greynoise.io/query?gnql=source_country:%22Argentina%22%20OR%20source_country:%22Bolivia%22%20OR%20source_country:%22Brazil%22%20OR%20source_country:%22Chile%22%20OR%20source_country:%22Colombia%22%20OR%20source_country:%22Ecuador%22%20OR%20source_country:%22Guyana%22%20OR%20source_country:%22Paraguay%22%20OR%20source_country:%22Peru%22%20OR%20source_country:%22Suriname%22%20OR%20source_country:%22Uruguay%22%20OR%20source_country:%22Venezuela%22) to retrieve the volume of attacks and probes we've seen from these countries and graphed them below. Normally I shy away from using geolocation data with anything "cyber". Even country-level attribution is a bit wonky given how nefarious the IPv4 trade markets are. But, the margin of error isn't yuge, and it gives me a subject few others will talk about on this fine twelfth day. To mix it up a bit, I made three choropleths: - One with just the raw count - One with the count normalized by population (per-100K) - One with the count normalized by the number of IPv4 addresses IANA has allocated to that country (again, per-100K) By sheer volume, Brazil is the worst of the worst, but you can see the list change depending on the other normalized values. You can use [our CLI tool](https://github.com/GreyNoise-Intelligence/pygreynoise) to get other summary stats for different types of probes/attacks. Have some fun with it! ::: {.column-screen} ```{ojs} //| echo: false Plot = require("@observablehq/plot"); saPlot = function ({ val = "", title = "" }) { return Plot.plot({ className: "sa", projection: { type: "mercator", domain: { type: "MultiPoint", coordinates: [ [-81, 12], [-35, 12], [-81, -56], [-35, -56] ] } }, style: { background: "black" }, color: { scheme: "cool", legend: true, label: title, type: "log" }, marks: [ Plot.geo(gnSaStats, { fill: (d) => d.properties[val], stroke: "white" }), Plot.text( [ gnBump .filter((d) => d.measure === val) .map((d) => d.country) .reverse() .join("\n") ], { x: -28, y: -38, fill: "white", fontSize: 30, fontStyle: 700, textAnchor: "middle" } ), Plot.text(["RANK↓\n\n\n\n\n\n\n\n\n\n\n\n\n"], { x: -28, y: -38, fill: "white", fontSize: 30, fontWeight: 700, textAnchor: "middle" }), Plot.tip( gnSaStats, Plot.pointer(Plot.centroid({ title: (d) => d.properties.sovereignt })) ) ] }); } gnSaStats = FileAttachment("static/data/gn-sa-stats@4.geojson").json() gnBump = FileAttachment("static/data/gn-sa-bump@1.json").json() html`<div style='display: flex;'> <div style='width:33%;'>${saPlot({val: "count", title: "Total Probes Attacks From"})}</div> <div style='width:33%;'>${saPlot({val: "per_cap", title: "Attacks/Probes Per-capita (100K) From"})}</div> <div style='width:33%;'>${saPlot({val: "per_ip_cap", title: "Attacks/Probes Per-IP-allocation-capita (100K) From"})}</div> </div>` ``` :::