
http://dataviz.com.au/blog/Visualizing_VOIP_attacks.html
Through our support of the Honeynet Project, we recently attempted a new approach to visualizing attacks on their VOIP honeypots.
With the increase in popularity of VOIP telephony, attacks are becoming more prevalent. The compromise of a VOIP system can cost the victim over $100,000 in real cash. For example, an Australian-based company suffered $120,000 in toll fraud as a result of a VOIP compromise.
The video is intended to be a high level (if not stylized) visualization of the early stages of a cyber criminal compromising a VOIP system.


Toolbox?
Any chance of getting more information on how this video was created? i.e. tools and scripts?
Tools and processes used
Sure thing, Curious. The main tool 'gltail' is within the credits, but I can definitely elaborate.
A summary of the process and tools follows.
Collection of data
The IP address is just a common garden variety home ADSL IP.
The honeypot itself listens on UDP 5060 for SIP sessions. There are a few about; try http://dionaea.carnivore.it/ , we (the Honeynet Project) built a SIP module into it during the Google Summer of Code last year.
The bubble app
I used a ruby based tool called "gltail" http://www.fudgie.org/ on a mac platform. It can take some time installing and getting dependencies.
It's designed to visualize Apache logs in real time. It tails Apache log files, and creates the bubbles.
There is a configuration file that lets you play with the sizes, colours etc.
Data parsing
There were two challenges here, for which I wrote some basic and very untidy bash shell scripts (a lot of grep, sed and awk etc) to manipulate text files.
Video
Just a matter of 1: capturing the screen as a video and 2: doing some video editing. There are lots of free/paid tools that do one or the other really well and/or cheaply. I like using Camtasia http://www.techsmith.com/camtasia/ , because it both captures and edits, and is fairly easy to use; they also have a 30-day trial.
This work is not directly targeted at an expert security audience, so I warn: don't get caught up in too much detail, it's partly educational for lay people as well.
The main goal is not to analyse the low level detail, but to give an impression as to:
1) The extent/scale of a typical scan of a single IP, and what the wider cesspool of the internet might look like.
2) The notion of a honeypot (good guy) fending off an attacker's scan, and learning/sharing from it.
I was experimenting with new, interesting, and topical data sets, and playing with some new techniques.
Hope this helps a bit. Ping me if you wanted any more detail on any of this.
cheers
Ben Reardon
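The SIP traffic the honeypot receives on UDP 5060, as an added example that is not part of the original post or the author's scripts: it parses raw SIP requests (including RFC 3261 compact header names) and summarises a scan by method, User-Agent and probed extension, which is the "extent/scale" the video tries to convey. The sample messages, the honeypot address 192.0.2.10 and the scanner address 198.51.100.7 are constructed placeholders.

```python
# Added example: summarise SIP requests a honeypot receives on UDP 5060.
import re
from collections import Counter

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0$")
COMPACT = {"f": "from", "t": "to", "v": "via", "i": "call-id"}  # RFC 3261 short forms
USER_PART = re.compile(r"sips?:([^@>;]+)@")

def parse_sip_request(raw):
    """Split one SIP request into method, Request-URI and a lower-cased header dict."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the headers; any SDP body is ignored
            break
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return {"method": m["method"], "uri": m["uri"], "headers": headers}

def summarise_scan(requests):
    """Count methods, User-Agent strings and probed extensions across a capture."""
    methods, agents, extensions = Counter(), Counter(), Counter()
    for raw in requests:
        msg = parse_sip_request(raw)
        methods[msg["method"]] += 1
        agents[msg["headers"].get("user-agent", "<none>")] += 1
        if msg["method"] in ("REGISTER", "INVITE"):
            # the To header (or the Request-URI) carries the extension being guessed
            target = USER_PART.search(msg["headers"].get("to", "") or msg["uri"])
            if target:
                extensions[target.group(1)] += 1
    return {"methods": methods, "user_agents": agents, "extensions": extensions}

SAMPLE_REQUESTS = [  # constructed traffic towards a honeypot at 192.0.2.10
    "OPTIONS sip:100@192.0.2.10 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7:5060\r\n"
    "To: <sip:100@192.0.2.10>\r\nUser-Agent: constructed-scanner/1.0\r\n\r\n",
    "REGISTER sip:192.0.2.10 SIP/2.0\r\nv: SIP/2.0/UDP 198.51.100.7:5060\r\n"
    "t: <sip:1001@192.0.2.10>\r\nUser-Agent: constructed-scanner/1.0\r\n\r\n",
    "REGISTER sip:192.0.2.10 SIP/2.0\r\nv: SIP/2.0/UDP 198.51.100.7:5060\r\n"
    "t: <sip:1002@192.0.2.10>\r\nUser-Agent: constructed-scanner/1.0\r\n\r\n",
    # an INVITE to an international number with an SDP body: the toll-fraud pattern
    "INVITE sip:0011234567890@192.0.2.10 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7\r\n"
    "To: <sip:0011234567890@192.0.2.10>\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n",
]
```

Feeding the per-method and per-extension counters to a visualizer (or simply to a watchlist) is where the REGISTER guessing and the outbound INVITE attempts stand out from the background OPTIONS sweep.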