Recently I developed an application for Troy Mursch of Bad Packets Report to help him track a botnet he calls "Mirai-like". The name refers to a network signature shared by this botnet and the original Mirai network of infected hosts. The signature can be traced to the Mirai source code, in which the TCP SYN packets sent by the infected hosts' scanner use the destination IP address as the TCP sequence number. Troy has captured an ever-growing list of IP addresses using a Splunk filter that detects this signature. This Splunk data is automatically sent to the site's server, where it is passed to an API that returns ASN and WHOIS information. That data is then parsed and added to the site.
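To make the signature concrete, here is an added Python example (not the site's code and not Troy's Splunk filter) that parses raw IPv4/TCP headers and flags a packet as "Mirai-like" when it is a SYN whose 32-bit sequence number equals the destination address. The sample packets, addresses and the helper names are constructed for illustration; the packets carry no checksums because only header parsing is exercised.

```python
import ipaddress
import struct

# Header layouts (network byte order). Options are not used here.
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20 bytes
TCP_HDR = struct.Struct("!HHLLBBHHH")       # 20 bytes
TCP_SYN = 0x02


def build_tcp_packet(src, dst, sport, dport, seq, flags=TCP_SYN):
    """Constructed IPv4+TCP packet for the demo (no payload, zero checksums)."""
    ip = IPV4_HDR.pack(
        0x45, 0, IPV4_HDR.size + TCP_HDR.size, 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    tcp = TCP_HDR.pack(sport, dport, seq & 0xFFFFFFFF, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp


def parse_packet(raw):
    """Return (src, dst, seq, flags) for an IPv4/TCP packet, or None if it is not one."""
    if len(raw) < IPV4_HDR.size or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header may carry options
    proto = raw[9]
    if proto != 6 or len(raw) < ihl + TCP_HDR.size:
        return None
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport, seq, ack, off, flags, *_ = TCP_HDR.unpack_from(raw, ihl)
    return src, dst, seq, flags


def is_mirai_like(raw):
    """True when the packet is a TCP SYN whose sequence number is the destination IP."""
    fields = parse_packet(raw)
    if fields is None:
        return False
    _, dst, seq, flags = fields
    # Mirai's scanner sets tcph->seq = iph->daddr on every outgoing SYN.
    return bool(flags & TCP_SYN) and seq == int(ipaddress.IPv4Address(dst))


def find_mirai_like(packets):
    """Return the de-duplicated list of source IPs that match the signature."""
    seen = []
    for raw in packets:
        if is_mirai_like(raw):
            src = parse_packet(raw)[0]
            if src not in seen:
                seen.append(src)
    return seen


# Constructed sample traffic (documentation-range addresses).
TARGET = "198.51.100.23"
SAMPLE_PACKETS = [
    # Scanner SYN with seq == dst: matches.
    build_tcp_packet("203.0.113.5", TARGET, 41234, 23,
                     int(ipaddress.IPv4Address(TARGET))),
    # Ordinary SYN with an unrelated sequence number: does not match.
    build_tcp_packet("192.0.2.9", TARGET, 50001, 23, 0x1A2B3C4D),
    # seq == dst but not a SYN (ACK only): does not match.
    build_tcp_packet("192.0.2.77", TARGET, 50002, 23,
                     int(ipaddress.IPv4Address(TARGET)), flags=0x10),
    # Second probe from the same scanner, different port: de-duplicated.
    build_tcp_packet("203.0.113.5", TARGET, 41235, 2323,
                     int(ipaddress.IPv4Address(TARGET))),
    b"\x45\x00\x00\x14",  # truncated junk: ignored safely
]

if __name__ == "__main__":
    print(find_mirai_like(SAMPLE_PACKETS))
```

Requiring the SYN flag matters: a sequence number that happens to equal the destination address can occur by chance on arbitrary traffic, while the Mirai scanner only sets it on its outgoing SYNs, so gating on SYN keeps false positives down when the check runs over a full capture.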
The main page of the site provides options for sorting and filtering the dataset. Each entry contains:
The Top ASN page returns the most active ASN for the given date range.
The Top Country page returns the most active country for the given date range.
Authenticated users are given the option to export the displayed data set as a CSV file for offline use. Information about the site and the Mirai-like botnet can be found on the about page and by following the Bad Packets Twitter account.
Troy's dataset for the site outgrew the Google Sheets document he had been using to store the data. His requirements were relatively straightforward: a browsable, searchable, exportable display of his data set, plus back-end functionality to support various administrative tasks. I implemented the following features to fulfill these requirements:
Troy's excellent work investigating botnets, crypto mining abuse and other cybercrime has made his sites a popular target for attack. For example, the first iteration of the site was hit with a DDoS attack and, as a result, taken offline by the VPS provider. The current host provides DDoS protection. Normally I would like to go into more detail about the operational environment, design and architecture of the web application, but I don't want to risk giving useful information to an attacker.