Circos – Applying a genetic mapping tool to Internet DDoS attack campaigns


This project was done for the Shadowserver Foundation. They are a volunteer, not-for-profit organization that deals with the capture, analysis and dissemination of data and intelligence relating to nefarious activity on the internet. Shadowserver provided us with one day's worth of data so that we could apply some known techniques and experiment with some new ones.

Shadowserver and other security researchers collect data indicating that a computer at an IP address is infected; these computers are sometimes called drones or bots. This data is collected by taking control of the server that issues “Command and Control” (or C&C) instructions to these drones. The infected bots periodically attempt to contact this C&C server, so the IP address of each bot and the time of each contact are logged. Where possible, this information is then given to the networks responsible for these IPs so that the bots can be cleaned up.

I used a tool called “Circos” to create these graphs. Circos was designed for the study of genetic attributes. Most people find these Circos graphs a challenge to understand at first; if so, stick with it, as it’s worth the effort.

The Circos graphs show the relative prevalence of trojan families per country.
Note which countries are most active.
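
The aggregation behind a graph like this, as an added example that is not the original project's code: because bots check in periodically, raw log lines overcount infections, so the sketch counts distinct IPs per country and family before computing each family's share within a country. The log layout (timestamp, IP, country, family), the country codes and the family names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample sinkhole check-ins: timestamp, source IP, country, family.
# IPs come from documentation ranges; countries and families are placeholders.
SAMPLE_LOG = """\
2013-01-01T00:00:05Z 192.0.2.10 AA family_a
2013-01-01T00:10:05Z 192.0.2.10 AA family_a
2013-01-01T00:01:12Z 192.0.2.11 AA family_b
2013-01-01T00:02:40Z 198.51.100.7 BB family_a
2013-01-01T00:03:02Z 198.51.100.8 BB family_a
2013-01-01T00:12:40Z 198.51.100.7 BB family_a
2013-01-01T00:04:59Z 203.0.113.5 BB family_b
malformed line
"""

def parse_checkins(text):
    """Yield (timestamp, ip, country, family) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield tuple(fields)

def bots_per_country_family(checkins):
    """Count distinct IPs per (country, family); repeat check-ins count once."""
    seen = defaultdict(set)
    for _ts, ip, country, family in checkins:
        seen[(country, family)].add(ip)
    return {key: len(ips) for key, ips in seen.items()}

def relative_prevalence(counts):
    """Return {country: {family: share}}; each country's shares sum to 1."""
    totals = defaultdict(int)
    for (country, _family), n in counts.items():
        totals[country] += n
    shares = defaultdict(dict)
    for (country, family), n in counts.items():
        shares[country][family] = n / totals[country]
    return {country: dict(fams) for country, fams in shares.items()}

if __name__ == "__main__":
    counts = bots_per_country_family(parse_checkins(SAMPLE_LOG))
    for country, fams in sorted(relative_prevalence(counts).items()):
        for family, share in sorted(fams.items()):
            print(f"{country}\t{family}\t{counts[(country, family)]}\t{share:.2f}")
```

A distinct IP is only an approximation of one infected machine, since several machines can share an address and one machine can change addresses during the day.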
