Timeline
Traffic Logged By Day

Original picture made with Ruby and ImageMagick against the whole logfile provided. Events recorded per day.



Drill Down

DailyFeb1
DailyFeb2
DailyFeb3 - Huge spike in traffic (maybe a Blaster variant?)
DailyFeb4 - Dst port 12345? Not really...
DailyFeb5
DailyFeb6 - A quiet day
DailyFeb7 - Compromise? Outbound traffic - the SSL exploit described by Chuvakin?
DailyFeb8 - Compromise? Outbound traffic
DailyFeb9
DailyFeb10 - Crash? Compromise?
TheGap
DailyFeb11 - Honeynet put back online?
DailyFeb12
DailyFeb13 - Packet from Microsoft
DailyFeb14 - Valentine's Day
DailyFeb15
DailyFeb16 - First packets from 127.0.0.1 - side effect of the Blaster workaround
DailyFeb17
DailyFeb18
DailyFeb19
DailyFeb20 - 11.11.11.67 begins to talk again after having been quiet for a while (also check 67Big)
DailyFeb21 - Increase in LDAP traffic/scans
DailyFeb22 - Dshield reports increase in LDAP traffic/scans
DaliyFeb23 - More on the LDAP scans
DailyFeb24
DailyFeb25
DailyFeb26
DailyFeb27 - Honeynet is taken offline



Traffic Logged By 10-Minute Intervals
Although day-by-day activity is normally sufficient to spot 'big' events and trends, displaying activity per 10-minute interval gives a precise indication of individual scans, bursts of traffic and gaps in the data. In short, it definitely gives a better picture of our timeline. The gap on Feb 10th is very evident here. For information about this kind of graph, see also ToolsUsed and HeatCharts.

Open the graph (bigger) - DetailGraph (TheGap is much more visible here)
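
The 10-minute view described above can also be checked numerically. The following Ruby example is added here and is not the original analysis code: it bins events into 10-minute intervals and reports runs of empty intervals (gaps) and unusually busy intervals (bursts). The syslog-style timestamp format, the sample lines, the function names and the thresholds are all assumptions.

```ruby
BUCKET = 600 # seconds per 10-minute interval

# Constructed sample: normal trickle, a 30-event burst at 00:31, then silence
# until 02:15. The syslog-style prefix is an assumed format.
SAMPLE = [
  "Feb 10 00:01:12 gw kernel: INBOUND TCP DPT=135",
  "Feb 10 00:04:40 gw kernel: INBOUND TCP DPT=135",
  "Feb 10 00:13:05 gw kernel: INBOUND UDP DPT=137",
  "Feb 10 00:21:00 gw kernel: INBOUND TCP DPT=445",
  *(0...30).map { |s| format("Feb 10 00:31:%02d gw kernel: INBOUND TCP DPT=389", s) },
  "Feb 10 00:42:10 gw kernel: INBOUND TCP DPT=135",
  "-- MARK --",
  "Feb 10 02:15:00 gw kernel: INBOUND TCP DPT=135",
  "Feb 10 02:26:30 gw kernel: INBOUND TCP DPT=445",
].freeze

# Map each parsable line to the start (epoch seconds, UTC) of its bucket.
def bucket_counts(lines, year: 2000) # syslog has no year; value is arbitrary
  counts = Hash.new(0)
  lines.each do |line|
    m = line.match(/\A(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d)/)
    next unless m # skip lines without a timestamp
    t = Time.utc(year, m[1], m[2].to_i, m[3].to_i, m[4].to_i, m[5].to_i).to_i
    counts[t - t % BUCKET] += 1
  end
  counts
end

# Runs of empty buckets between logged events: [first_empty_bucket, length].
def gaps(counts, min_empty: 3)
  counts.keys.sort.each_cons(2)
        .map { |a, b| [a + BUCKET, (b - a) / BUCKET - 1] }
        .select { |_, n| n >= min_empty }
end

# Buckets holding at least `factor` times the median non-empty bucket.
def bursts(counts, factor: 5)
  median = counts.values.sort[counts.size / 2]
  counts.select { |_, n| n >= factor * median }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  c = bucket_counts(SAMPLE)
  hhmm = ->(e) { Time.at(e).utc.strftime("%b %d %H:%M") }
  gaps(c).each { |s, n| puts "gap:   #{hhmm.(s)} (#{n} empty intervals)" }
  bursts(c).each { |s| puts "burst: #{hhmm.(s)} (#{c[s]} events)" }
end
```

A gap in a sensor's log means only that nothing was recorded, so a long run of empty intervals should be read as a question about the sensor (crash, outage, tampering) before it is read as an absence of traffic.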



Consult References

Compare To Incidents.org's Record (Dshield)