Its not random data, its almost-live attack/scan data.
Basically we packet capture everything, process it then shovel it off to our backend datastore. Its a minute or two delayed. I realize it may not be the most interesting thing to look at and I'll probably downsample stuff like that in the future, but its real!
I've seen unwanted contact from that IP 7600 times, its hit pretty much all of our nodes and appears to be scanning for some commonly known ports. Its probably a bot or someone attempting to gather intelligence for attacks.
Since its from China in the Hebei Province my guess right now its from the Alibaba datacenter there or possibly China's APT1 unit. Either way its doing bad stuff and you'd want to block it on your edge (if you have one) or load that IP onto a blocklist with your WAF.
Edit: I just updated the map data stream so it dedupes, it should make it a little prettier :)
7 comments
[ 2.7 ms ] story [ 23.2 ms ] threadThe data is sourced from the HashPlane threat intel network.
The data to the websocket is almost real time but its sampled so its not a complete threat feed. If you want to use the data please drop me a note.
CN (110.249.212.46) attacks AU (172.X.X.X) (Port PING)
... (x20)
CN (110.249.212.46) attacks AU (172.X.X.X) (Port PING)
I've seen unwanted contact from that IP 7600 times, its hit pretty much all of our nodes and appears to be scanning for some commonly known ports. Its probably a bot or someone attempting to gather intelligence for attacks.
Since its from China in the Hebei Province my guess right now its from the Alibaba datacenter there or possibly China's APT1 unit. Either way its doing bad stuff and you'd want to block it on your edge (if you have one) or load that IP onto a blocklist with your WAF.
Edit: I just updated the map data stream so it dedupes, it should make it a little prettier :)