The goal is to educate people (originally my kids) about one particular aspect of cybersecurity. I love it when people use the site for this purpose.
Yep, with ~80 knocks coming in per second and two 3D globe visualizations, it does make a lot of use of the browser. That said, it runs smoothly even on an iPhone browser. The server scales really well (longtime load average of 0.05 on a $6.75/year VPS :-).
OP here. Check out the new https://knock-knock.net. v1 got 40,000+ visits from HN alone, hoping you'll find v2 worth checking out too.
Watch bots trying to break into my honeypots, gain access to my files, place expensive VOIP calls, attack my HTTP server, and relay SPAM email. The new knock-knock.net shows you SSH, Telnet, FTP, RDP, SMB, SIP, HTTP, and SMTP attacks in real-time: where they are coming from (check out the spinning globe heat-map!), the most common usernames and passwords, info on why some of those usernames and passwords are being used, the worst offending IPs, and of course the ISP wall of shame. View the stats for the protocols together, or filter by protocol. All presented in what I hope is a very cool UI.
The new knock-knock.net aggregates attack info from multiple servers around the world and presents the info in one place, hence you'll see attacks come in at a furious pace, and may want to use the pause button (or space bar). Turning on audio (the speaker icon) lets you hear what some have called the "background radiation of the internet" on a virtual geiger counter. This is intended to be a fun, educational site, not a serious cybersecurity tool.
A few random, interesting things:
1) The locations of the bots doing the various protocol attacks differ pretty dramatically. For example, Romania, Poland, and the Netherlands are currently big for SSH bots, India leads for SMB, China is tops for RDP, and France for SIP, but the US is #1 overall.
2) SMTP attempts are usually sentry emails. SMTP bots first try to send an email to themselves so they can tell the server is a working relay. Notice that nearly all of the emails include my IP address in the subject or body (it appears here redacted as <target-ip>) so they can tell the relay is operative.
3) The Internet has been blocked for nearly all of the citizens of Iran since the January protests. However, I found it surprising that attacks still originate from servers there.
4) RDP and SIP bots will connect to a server and spam it practically non-stop. I had to set up an autoban for these protocols at 2,000 knocks - much lower than the 10,000 knock ban set for the other protocols.
5) As of this posting, we're still waiting for knocks from several African countries. They tend to have fewer internet servers than the rest of the world. However, we did get knocks from Jersey (the island, not the state or cow), Nauru (~10K people), and Monaco (~2 km^2). Surprising that we're still waiting for EU member Slovenia!
6) We've even seen knocks from space! Well, from ISP SpaceX/Starlink anyway. You would think this would be expensive, but bots are often replicated on machines they infect, and they aren't paying the bills.
7) The worst offending ISP is ironically named "Unmanaged Ltd." Interestingly, it was previously DigitalOcean, but shortly after v1 was posted to HN and r/digital_ocean, and user comments skewered that ISP, their bot attacks dropped over 99%! Coincidence? Maybe. Maybe not.
Works great on desktop or mobile — try it out and let me know what you think. Happy to answer questions and take suggestions.
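The sentry-email pattern from point 2 can be checked on the honeypot side. This is an added example, not part of the original post or the site's code: it flags a captured SMTP message when the honeypot's own address appears in the decoded subject or body. `HONEYPOT_IP`, the function names, the sample messages, and the dashed/underscored address forms are all assumptions made for illustration.

```python
import base64
import re
from email import message_from_string
from email.policy import default

HONEYPOT_IP = "203.0.113.10"  # constructed placeholder (TEST-NET-3), not the site's address

def ip_pattern(ip):
    """Match the address with '.', '-' or '_' separators (assumed variants),
    but not as part of a longer number such as 203.0.113.100."""
    octets = [re.escape(o) for o in ip.split(".")]
    return re.compile(r"(?<!\d)" + r"[.\-_]".join(octets) + r"(?!\d)")

def decoded_text(msg):
    """Join all text parts after undoing base64 / quoted-printable encoding."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            chunks.append(part.get_content())
        except LookupError:  # unknown charset sent by a sloppy bot
            chunks.append(str(part.get_payload()))
    return "\n".join(chunks)

def is_sentry(raw, honeypot_ip=HONEYPOT_IP):
    """True when the message carries the honeypot's own IP in subject or body."""
    msg = message_from_string(raw, policy=default)
    haystack = str(msg["Subject"] or "") + "\n" + decoded_text(msg)
    return bool(ip_pattern(honeypot_ip).search(haystack))

# Constructed sample messages, not captured traffic.
SAMPLES = [
    "From: a@example.com\nTo: a@example.com\nSubject: relay test 203.0.113.10\n\nhello\n",
    "From: b@example.com\nTo: b@example.com\nSubject: hi\n"
    "Content-Type: text/plain; charset=utf-8\nContent-Transfer-Encoding: base64\n\n"
    + base64.b64encode(b"open relay 203-0-113-10 port 25").decode() + "\n",
    "From: c@example.com\nTo: d@example.com\nSubject: offer\n\nvisit 203.0.113.100 today\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(is_sentry(raw))
```

Decoding before matching matters: the second sample hides the address inside a base64 body, and the third shows why a plain substring search would wrongly flag `203.0.113.100`.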
Actually it looks like it's because DO accepts PayPal. Most hosts will require a credit card because of PP fraud, but I guess they're going for markets where it's not common to have one. They do have free credits, but PP billing requires a $5 charge, which is already higher than a lot of other VPS plans.
No, it's not really because of PayPal. You can verify with a card, and stolen (or virtual) cards are cheap and easy to get.
Even if you do the PayPal way and pay $5, that's still better specs and lasts longer than what you get with a $5 VPS, because the trial credit is $200 for a few months (or if you go the commonly abused method: GitHub student, you can get $200 for a year).
And then combined with poor anti-fraud, poor abuse handling
I think it's probably harder to sign up for hosting with a credit card than you think. It was a struggle for me until I managed to get a secured credit card (a deposit is made against the limit), which is very different from a debit card (almost nobody accepts these) or a virtual card (these were impossible for me to get).
I didn't specify credit card and what do you mean almost nobody accepts debit cards? My entire life I have pretty much only used debit cards everywhere and not once have I had an issue, especially not at hosting providers. Hetzner, AWS, Azure, DigitalOcean, Vultr, Linode, GCP, I can keep going, all of these have accepted my debit cards.
And I was also not just guessing when I said those things, I have been in those circles previously.
Fail2ban would cut down on the noise quite a bit. I’ve installed it on other servers and have recommended it to others. But then we wouldn’t have all of this beautiful bot traffic to visualize.
My understanding is that they are a more general-purpose data collection and visualization framework. Potentially you could build something like this with that software, but they do not have knock-knock.net’s functionality built in.
Sadly? Intentionally! The IP is hiding behind Cloudflare mainly to make it much harder for the bots to figure it out. Blocking you from messing with the stats is just icing on the cake. :-)
I don't think hosting the site behind Cloudflare will affect the number of SSH brute-force attempts; these bots are just brute-forcing the entire IPv4 space, aren't they?
Thanks!