Peter N. M. Hansteen
Anecdotal evidence indicates that it may be possible to predict developments in real-world conflicts from certain indicators in cybercrime traffic.
Is it possible to glean useful information about international developments or even predict real world attacks from the activity that we record in the logs of Internet-facing systems?
Note: Originally published on my blog, which has the usual trackers, but also the archive of earlier postings.
Looking at data I collect for other, quite pragmatic, reasons I see a clear correlation between the run-up to the Russian invasion of Ukraine earlier this month and the password guessing activity targeting non-classified systems in my care.
I'll be backing up that assertion with data later, but first, a bit of background.
As returning readers already know, I have been running Internet-facing systems for a select group of friends and family for decades. In the late noughties I noticed a pattern of slow, distributed password guessing that I dubbed The Hail Mary Cloud, summed up in the summary article linked here and the links therein. The data I collect from those failed logins make their way into a set of blocklists, along with data from a few other sources. And yes, this is also one source of new spamtraps, as noted in the blocklists article.
A few years after the original Hail Mary Cloud events, in January 2016, I started seeing Hail Mary-like activity again and began collecting data (available in the raw here), but since I failed to see any new patterns worth writing about, I never started a new article based on it. Until now, that is.
The table below gives the total number of failed attempts per month since then:
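The post does not show how the failed logins are tallied, so the following is an added example, not the author's own scripts. It parses sshd "Failed password" lines from a constructed authlog excerpt (hostname gw and the RFC 5737 addresses are made up), counts attempts per day together with the distinct and previously unseen source hosts, flags a day whose count jumps against the preceding days (the kind of step visible in the daily figures later in the post), and lists repeat offenders as input for a blocklist. The function names are my own.

```python
import re
import sys
from statistics import mean

# Constructed sshd log lines in syslog/authlog format. They use documentation
# address ranges (RFC 5737) and are not data from the article or its archive.
SAMPLE_LOG = """\
Feb 14 02:11:09 gw sshd[20011]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Feb 14 13:40:51 gw sshd[20087]: Accepted publickey for peter from 203.0.113.5 port 50022 ssh2
Feb 15 03:14:07 gw sshd[20122]: Failed password for root from 198.51.100.7 port 40210 ssh2
Feb 15 09:22:41 gw sshd[20140]: Failed password for invalid user test from 192.0.2.10 port 51990 ssh2
Feb 16 00:01:13 gw sshd[20300]: Failed password for invalid user oracle from 192.0.2.11 port 33001 ssh2
Feb 16 00:02:02 gw sshd[20301]: Failed password for invalid user oracle from 192.0.2.12 port 33002 ssh2
Feb 16 00:02:55 gw sshd[20302]: Failed password for invalid user oracle from 192.0.2.13 port 33003 ssh2
Feb 16 00:03:41 gw sshd[20303]: Failed password for root from 198.51.100.7 port 40333 ssh2
Feb 16 00:04:19 gw sshd[20304]: Failed password for invalid user postgres from 192.0.2.14 port 33004 ssh2
Feb 16 00:05:07 gw sshd[20305]: Failed password for invalid user postgres from 192.0.2.15 port 33005 ssh2
Feb 16 00:05:58 gw sshd[20306]: Failed password for invalid user postgres from 192.0.2.16 port 33006 ssh2
Feb 16 00:06:44 gw sshd[20307]: Failed password for invalid user admin from 192.0.2.17 port 33007 ssh2
Feb 16 00:07:30 gw sshd[20308]: Failed password for invalid user admin from 192.0.2.18 port 33008 ssh2
Feb 16 00:08:12 gw sshd[20309]: Failed password for invalid user admin from 192.0.2.19 port 33009 ssh2
"""

# Matches the line sshd logs for a rejected password attempt; the
# "invalid user" prefix is present when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return (day, user, host) tuples for every failed password line, in log order."""
    records = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            day = " ".join(m.group("day").split())  # syslog pads "Feb  1"; normalise
            records.append((day, m.group("user"), m.group("host")))
    return records


def daily_summary(records):
    """Per day: failed attempts, distinct source hosts, and hosts not seen on
    any earlier day (the 'new hosts attempting' figure the post tracks)."""
    by_day = {}
    for day, _user, host in records:
        by_day.setdefault(day, []).append(host)
    seen = set()
    summary = {}
    for day, hosts in by_day.items():
        distinct = set(hosts)
        summary[day] = {
            "attempts": len(hosts),
            "distinct_hosts": len(distinct),
            "new_hosts": len(distinct - seen),
        }
        seen |= distinct
    return summary


def flag_surges(summary, metric="attempts", factor=3.0):
    """Days where `metric` exceeds `factor` times the mean of all earlier days.
    The first day has no baseline and is never flagged."""
    flagged = []
    history = []
    for day, entry in summary.items():
        value = entry[metric]
        if history and value > factor * mean(history):
            flagged.append(day)
        history.append(value)
    return flagged


def blocklist_candidates(records, min_attempts=2):
    """Hosts with at least `min_attempts` failures, most active first, as
    input for a blocklist (for instance a pf table loaded from this list)."""
    counts = {}
    for _day, _user, host in records:
        counts[host] = counts.get(host, 0) + 1
    return sorted(
        ((h, n) for h, n in counts.items() if n >= min_attempts),
        key=lambda hn: (-hn[1], hn[0]),
    )


if __name__ == "__main__":
    # Pass an authlog path to analyse real data; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_failed_logins(text)
    summ = daily_summary(recs)
    for day, e in summ.items():
        print(f"{day}: {e['attempts']} attempts, {e['distinct_hosts']} hosts, {e['new_hosts']} new")
    print("surge days:", flag_surges(summ, metric="new_hosts"))
    print("blocklist candidates:", blocklist_candidates(recs))
```

Counting new hosts per day separately from raw attempts matters for Hail Mary-style traffic: each host makes only a few attempts, so the number of distinct or previously unseen sources is a better indicator of a new wave than the attempt total, which a single noisy host can dominate.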
| Month | 2016 | 2017 | 2018 | 2019 | 2020 | 2021 | 2022 |
|---|---|---|---|---|---|---|---|
| January | 27015 | 348020 | 17738 | 35143 | 34882 | 42866 | 2355 |
| February | 121675 | 329074 | 2115 | 32053 | 60605 | 39029 | 24218 |
| March | 62254 | 498613 | 4648 | 29839 | 37477 | 29575 | |
| April | 94335 | 271992 | 9588 | 38310 | 29941 | 27876 | |
| May | 26428 | 106688 | 4782 | 55485 | 46207 | 24455 | |
| June | 71321 | 65966 | 10831 | 75515 | 21947 | 36292 | |
| July | 39088 | 49675 | 5865 | 47619 | 57082 | 20225 | |
| August | 162529 | 65899 | 7631 | 59421 | 14030 | 62002 | |
| September | 183196 | 26007 | 5804 | 85336 | 17814 | 31179 | |
| October | 165295 | 16109 | 8211 | 82020 | 38185 | 6812 | |
| November | 184660 | 28234 | 5395 | 58547 | 20734 | 3814 | |
| December | 127288 | 15049 | 38320 | 82739 | 33650 | 5509 | |
The daily totals for February 2022 so far:
Feb 1: 66
Feb 2: 13
Feb 3: 50
Feb 4: 31
Feb 5: 35
Feb 6: 85
Feb 7: 13
Feb 8: 70
Feb 9: 28
Feb 10: 13
Feb 11: 32
Feb 12: 13
Feb 13: 48
Feb 14: 28
Feb 15: 30
Feb 16: 337
Feb 17: 2006
Feb 18: 1906
Feb 19: 1608
Feb 20: 2113
Feb 21: 2207
Feb 22: 2424
Feb 23: 1978
Feb 24: 2976
Feb 25: 3044
Feb 26: 2071
Feb 27: 992
The developments stand out even more clearly when presented as a graph:
My regular readers will probably not be surprised to hear that #hailmary-ish #ssh #password guessing is way up (from historically low levels) during the last few days. I ponder doing a writeup. Should I go ahead and do that?
— Peter N. M. Hansteen (@pitrh) February 24, 2022
Update 2022-03-01: The month has ended, and the final data for February 2022 are in. The counts for February 27 and 28 were 1509 and 1138 respectively, continuing the decline in the number of new hosts attempting logins that we had seen over the previous few days. The total number of failed attempts for the month ended up at 25873.
The final month graph looks like this:
The full data for February can be found in this file as well as in the current year's .zip archive in the archive directory.