The results after the latest updates are:

Windows is significant, although there has been a distinct scew towards this OS due to Conficker propagation, its still worth noting that prior to the last 7 months being imported data though December 2008 showed windows only 0.8% down on the values above, roughly evenly split between positions 2 & 3.. At the bottom end of the scale some interesting artifacts.

The site provides rich graph and chart interfaces, which are nicely interactive.  There are definatley some ideas I want to incorporate form this into my own Network Telescope management console.  It is however worth bearing in mind that his is a Eurocentric view and is only based on their observed traffic. As such the “attacking countries” view seems to be a bit skewed.

Interoute World view 2009-06-30

After digging around with squid and wireshark, its evident that a lot of the data is actually served up as XML files, and as such can potentially be postprocessed. The Adobe AIR Barometer Widget they provide also makes use of these. One issue I had getting this installed is you need Air 1.5.1, and the 1.0.8 version I had wouldn’t auto upgrade correctly.  A little disappointing in that I was expecting a map view, it provides the basics of a total count and cycles through various country stats.

Interoute Barometer Widget

Where the real value  comes form is having another independent source of reporting ( even at the highly granular level) that can be used to correlate observations with my own data sets, and those available form places like dShield and ISC. Maybe I should dust off my old Infocon alert plugin for Firefox and integrate some of this data.

• migrating the host for this blog, along with pretty much all my other FreeBSD boxes to FreeBSD 7.2.
• Trying out the new jail(8) features in 7.2 particularly the multip  ip and ipv6 support
• A move to wordpress 2.8, which while the upgrade was pretty painless Ive ruin into some hastles with plugins that break the nice widget selection system  under the admin panel – most notable of the plugins I’ve notice d causing this is wp-recapcha. Along with this has been a migration to somethign alittle more elegant than the boring Kubric Theme.
• A pilot version of my new squid external_acl  filtering software is being tested by two sites, so far with positive results.

Progress on the phd is plodding on with growing collection of rather interesting images and plots generation that I now need to try fathom and write about. with the university now on vac I should be able to make good progress in this direction.

One of the most fascinating and gripping books I have read in a while is Ed Macy’s Apache, which is well worth a read if you are into military biographies.

If you ahve novel research and are looking to get the best bang for yourl buck, this list can help you select the right forum to present in.  Particularly interesting is the statistics list showing acceptance rates for some of the major conferences over the last few years.

A more advanced version of the kind of output achievable is also provided showing how with the help of a pre-processing script, the SSH login process can be graphed:

Graphs are produced via an intermediate scripting language which has by design strong similarity to that used by Graphviz.  I’ll definatley be adding this to my toolset and seeing how it handles processing of some of the rather large data sets Ive got.

For the impatient some instructions are available for getting started. Now to work out what else to order form amazon so that the 40USD specail shipment fee hurts a little less ( thanks to our totally criminal and incompetent post office in South Africa)

Failing that its time to wait till the local places get round to stocking it.

My copy should hopefully be arriving in the next few weeks, but I’m looking forward to the Work done by John R Goodall, Gregory Conti and Kwan-Liu Ma as editors. I’m just sorry I’m not going to make VizSec 2008 this year.

The two papers that I presented are (links to the PDF slides):

• High level Internet Scale traffic visualization using Hilbert curve mapping – Barry Irwin and Nick Pilkington. This details the initial work we did using the Hilbert Curve Analysis tool for IP networks
• Using InetVis to evaluate Snort and Bro scan detection on a network telescope – Barry Irwin and Jean-Pierre van Riel. InetVis is the result of three years of JP’s work to build a scalable 3-D vizualisation tool for network traffic — primarily that collected by network telescopes.

Jan Monsch and Raffael Marty and have prepared the second beta version of DAVIX. And are now seeking for beta testers that have the time to test DAVIX and answer the questionnaire that comes along with the beta version. All completely filled out questionnaires received by me until Monday 23 June 2008 18:00 UTC will enter a raffle for one autographed copy of Raffy’s upcoming book “Applied Security Visualization”.

If you want to participate in the beta test please contact: jan.monsch ät iplosion.com

What makes me quite happy is that they have included InetVis as one of their four chosen visual analysis tools on the live CD.

I’ve been paying with this since this morning and so far so good.

..For each piece of disassembled code, API calls, memory addresses and subroutines are tracked and analyzed. Their frequency, density and grouping are mapped to the inputs of an algorithm that grows a virtual 3D entity.

The Storm Worm is probably my favorite visualizations. He also has an interesting set of images entitled SpamPlants, based on input relating to the ASCII character frequency of spam messages.

Now this sounds like a great project for an aspiring security researcher with a graphical bent.

http://www.ctan.org/tex-archive/biblio/bibtex/utils/misc/rfc2bib.awk

Or other CTAN mirrors closer to you.

A sample of the kind of output is seen below (full resolution image is 990K) which shows destination IP addresses harvested from the Albany Schools Cache server during January through May 2008:


A plot of 53 million packets from the CAIDA telescope project – 27 Feb 2007 midnight to 6am:





With these higher resolution images available, analysis can be performed at a much finer grained level.

Fred Otten came up with the following script using good old sed, awk and some plumbing, that draws up a nice list based on an input Lyx file.


#!/bin/sh
cat $1 | grep key\ \" |\
awk '{ print substr($2,2,length($2)-2)}' | \
sed -e s/,/\\n/g | \
awk 'BEGIN {i=0} \
{ if (temp[$1]) { temp[$1]=temp[$1]+1 } \
else { temp[$1]=1; tmp[i]=$1; i++; }; } \
END { for (j=0; j { print tmp[j] " " temp[tmp[j]] } }' | sort


This gives a two column listing of the citation keys and their frequency count. This of course can be extended using further awk statements to transpose the columns, or sort by frequency, rather than citation key.

Mark Schenk has proviced some nice eexamples of other styles of export that one can use. Using these in conjunction with the Custom Export scripting built into Jabref, one should be able to achieve pretty much any kind of format or data manglin of references that you would require.

The 1.8 meg .bib file is probably a little large for general use but once can easily trim and copy entries required manually or using JabRef. Citations look like the following:

@MISC{rfc1466,
author = {E. Gerich},
title = {{Guidelines for Management of IP Address Space}},
howpublished = {RFC 1466 (Informational)},
month = may,
year = {1993},
note = {Obsoleted by RFC 2050},
number = {1466},
organisation = {Internet Engineering Task Force},
publisher = {IETF},
series = {Request for Comments},
timestamp = {2008.05.18},
url = {http://www.ietf.org/rfc/rfc1466.txt}
}

A resource certain to save typing or multiple c & p operations. The one possible change one may want to make is to include the RFC number in the document tile such as:


title = {{RFC 1466: Guidelines for Management of IP Address Space}}


Another changes may be to use the @TechReport type as opposed to @Misc. An other alternative (although out of date) is the repository at University of Utah Maths Department.

Related to this the W3C have a web page which allows for automated generation of bibTeX citation information for their publications.

Some issues specific to the Rhodes environment are noted at the end.

Get up to date:

aptitude update
aptitude upgrade
aptitude dist-upgrade

All fairly painless and out of the ordinary, bar the need to add the dapper-proposed repo to my /etc/apt/sources.list

Installing the requires base packages:

aptitude install update-manager-core

Before doing the upgrade I decided to set up the CDROM ISO as a local repository in order to save bandwidth whales etc.. (Having a system with real internet access, or a working apt-proxy may be a better solution). Once the Hardy DVD is available in a few weeks this may go a lot faster, as libraries such as QT and other components of main will be included in the larger image.

$ mount -t iso9660 -o loop ~bvi/ubuntu-8.04-server-i386.iso /cdrom
$ apt-cdrom add

This should show output similar tot he following as the CDROM is added tot he Repo list.

Using CD-ROM mount point /cdrom/
Unmounting CD-ROM
Waiting for disc...
Please insert a Disc in the drive and press enter
Mounting CD-ROM...
Identifying.. [b36baea778d37bbf48a3c8bd75b5cffb-2]
Scanning disc for index files..
Found 2 package indexes, 0 source indexes and 1 signatures
Found label 'Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)'
...


And should add a to the top of your /etc/apt/sources.list similar to the following:

deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted

Finally the update can be performed

do-release-update -p

The -p parameter is due to the fact that the LTS as defined at http://changelogs.ubuntu.com/meta-release-lts is still showing dapper as the LTS, and should be able to be omitted in the future. with the -p, the meta-release-lts.proposed file is used instead.

the bulk of the base operating system was happily upgraded form CDROM repo in a matter of minutes, and the remaining pile of mostly universe and multiverse packages took around an hour to download

3 hours and a reboot later and the server is happily running Hardy.

All in all its about the same time for doing a ‘buildworld dance’ with FreeBSD, along with a massive level of portupgrade.

Post Reboot

In order to validate the upgrade, we can make use of the Linux Standard Base support for Debian
utilities ( aka lsb_release)

We have gone from:

$ uname -a
Linux spy.ict.ru.ac.za 2.6.15-51-686 #1 SMP PREEMPT Tue Feb 12 16:59:15 UTC 2008 i686 GNU/Linux
$ lsb_release -a (output trimmed)
Distributor ID: Ubuntu
Description: Ubuntu 6.06.2 LTS
Release: 6.06
Codename: dapper

To:

$ uname -a
Linux spy.ict.ru.ac.za 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
$ lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 8.04
Release: 8.04
Codename: hardy

In reflection, far less pain than I expected certainly not enough to make me want to employ a depenguinator on this server yet.

Rhodes Specific notes:

• Preferably use ubuntu.rucus.ru.ac.za as your repo unless you would like your quota flattened. Hopefully it will be up.
• ftp://ftp.rucus.ru.ac.za/pub/linux/ubuntu/hardy has the ISO files
• You will need appropriate proxy settings in order for the do-release-upgrade to be able to access the changelogs.ubuntu.com site.

A couple of issues still need to be addressed:

• Rework the source to we can maintain a single source three for Windows and Unix targets- this is mostly slog rather than thinking work.
• There is a bug in that some images are coming out a little wrong, but I think this may have to do with line termination issues the good old \r\n vs. \n issue again.
• Write some decent docs!

With a bit of luck Nick should be returning to Grahamstown for a month or so thanks to some funding from the Center of Excellence in the department. Working on the Hilbert project will be one of his main priorities.

The image is rendered using the Hilbert Curve Program developed in conjunction with Nick Pilkington, as a project for VizSec 2007 last year.

After rummaging around in one of my boxes at home I found a suitable replacement drive, and have taken the opportunity to do the OS upgrade — re-install — from 5.0 to 5.4. Other than the usual fun of making sure the same packages are installed, and minor tweeks in configuration files due to version upgrades, things went very smoothly, with the only real hiccups, being wet ware problems as I mounted partitions in the wrong place and had finger trouble copying things to the right directories.

In other news, progress is being made on a number of fronts

• Thanks to Jacot, Guy, David and Jock, Ive now got a proper Darknet running and collecting some very interesting backscatter data. The next coupe of weeks will focus on actually working out what exactly to do with the data, but for now everything is being logged to good old pcap files. As an aside, anyone seeing massive numbers of probes to 1434/udp (MS-sql-M) ??. What this means is that I am actually making some kind of progress on what up until now has been a rather elusive PhD
• My first batch of Masters Students Russell, Dominic and Yusuf have also started on the final slog to actually get their research and ideas down onto paper. Somewhat nervous times for me since they are my first batch, but I have full confidence in you all!
• Two weeks to go untill my op to remove the broken bits of bone in my foot. I cant wait. Weather is starting to improve ,and its getting light earlier, and I’d love to be out and about on my bike, o hopefully three weeks and I can start getting back into action.

I’ve also been working on some other bits and pieces I’ll post in due course, fornow its good to be back

PS – For those of you that were following Planet Rhodes or Planet Security, they are now updating correctly, and regularly. I notice a couple of dead links on both, and I’ll weed them out in due course.

This USD 500K environment aims to be able to perform a complete simulation of Internet Activity, by its 64 processor nodes.the stated outcomes are:

“Dedicated to creating a virtual Internet for the purpose of researching, designing, and testing cyber defense mechanisms, the proposed one-of-a-kind facility will be the catalyst for bringing together top researchers from several disciplines for a common goal of making computing safer. Unlike computer-based simulations, real attacks will be played out against real equipment. ”

I really really want one :-) or at the least I think somethign like this could prove valuable for the model evaluation that I’m looking at for my PhD Research. What I am looking forward to on a more practical level is when they start releasing some more detailed design documents and software. We have massive computing facilities in terms of the various large undergrad and general access labs on campus — the majority of which lie completely unused over the long December break. Depending on the complexity of the setup, I would hope it would be possible to construct at least a scale replica , although temporary.

This is definatley a project I will be watching with interest as it grows. The ISEAGE Overview document (pdf) currently provides some of the motivation for such a facility.