I've noticed a change in the traffic logs on my firewall over the past few weeks. Previously, most of the pings and port scans were coming from Asian and Eastern European countries. However, recently, the majority of the traffic seems to be from the US. I'm located in Europe, and I'm curious if anyone else has experienced a similar shift in their firewall activity. What could be causing this change?
5 Answers
In my experience running a network of honeypots, the U.S. traffic is typically dominant. Other countries might pop up occasionally, but overall, U.S. sources lead the attacks. It's interesting how these trends shift occasionally, though!
Do people really check their firewall logs regularly? I usually just glance at them during alerts. But yeah, traffic patterns can really change, especially with VPN usage making it hard to determine actual locations.
Totally! Looking closely at logs is a good way to get management to allocate more funds towards security improvements.
It's not surprising at all. Many networks block traffic from specific countries like China or Russia. That means traffic from the U.S. is more likely to get through. Plus, with so many services in the States, someone could easily rent an EC2 instance and launch attacks without a long-term presence.
I mostly see traffic from Asian and African countries on my end. It's interesting to track the kinds of dictionary attacks, especially the odd login attempts from rogue usernames like 'ceo' and 'hr'. It's all part of the game!
Instead of just blocking suspicious traffic, it could be better to drop those packets altogether. Remember, low-cost VPNs can mask where traffic comes from. A lot of these attackers could be launching from rented server spaces in places like AWS or Azure.
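Two of the answers above make the same point: a geolocated "US" spike in firewall logs may be rented cloud capacity rather than anything about where the operator sits. The script below, an added example that is not from the original thread or any of its posters, parses constructed iptables-style kernel log lines and counts hits and distinct sources per country, and separately how many of each country's hits fall inside a known cloud range. The log lines, the prefix-to-country table (GEO_PREFIXES) and the cloud range table (CLOUD_PREFIXES) are all made up for the example using RFC 5737 documentation addresses; in practice the tables would come from a geolocation database and a provider's published IP ranges.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed iptables-style kernel log lines; not taken from the original thread.
SAMPLE_LOG = """\
Jun 01 02:11:05 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=22
Jun 01 02:11:06 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=51235 DPT=23
Jun 01 02:11:09 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.42 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=3389
Jun 01 02:12:30 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.0.5 PROTO=ICMP TYPE=8 CODE=0
Jun 01 02:13:01 fw kernel: [DROP] IN=eth0 OUT= SRC=192.0.2.200 DST=10.0.0.5 PROTO=TCP SPT=6000 DPT=445
"""

# Hypothetical prefix tables standing in for a real geolocation database and a
# cloud provider's published address ranges. The prefixes are RFC 5737
# documentation ranges; the country and provider labels are invented.
GEO_PREFIXES = {
    "203.0.113.0/24": "CN",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "US",
}
CLOUD_PREFIXES = {
    "198.51.100.0/24": "example-cloud",
}

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(text):
    """Turn each line into a dict of its KEY=VALUE fields; keep only lines with a SRC."""
    events = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if "SRC" in fields:
            events.append(fields)
    return events


def longest_match(ip, table):
    """Return the label of the most specific prefix in table containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, label in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, label)
    return best[1] if best else None


def summarize(events, geo=GEO_PREFIXES, cloud=CLOUD_PREFIXES):
    """Count hits and distinct sources per country, plus how many hits per country
    came from a known cloud range, so a 'US' spike can be checked against rented
    infrastructure instead of being read as a geography."""
    hits = Counter()
    sources = defaultdict(set)
    cloud_hits = Counter()
    ports = Counter()
    for ev in events:
        src = ev["SRC"]
        country = longest_match(src, geo) or "??"
        hits[country] += 1
        sources[country].add(src)
        if longest_match(src, cloud):
            cloud_hits[country] += 1
        if ev.get("DPT"):  # ICMP lines carry no destination port
            ports[int(ev["DPT"])] += 1
    return {
        "hits": dict(hits),
        "sources": {c: len(s) for c, s in sources.items()},
        "cloud_hits": dict(cloud_hits),
        "ports": dict(ports),
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for country, n in sorted(report["hits"].items(), key=lambda kv: -kv[1]):
        print(f"{country}: {n} hits from {report['sources'][country]} sources, "
              f"{report['cloud_hits'].get(country, 0)} from cloud ranges")
```

On the constructed sample, "US" leads with three hits, but two of them come from the cloud range, which is the distinction a practitioner wants before drawing conclusions from country counts alone. Swapping GEO_PREFIXES and CLOUD_PREFIXES for real tables is the only change needed to run it over actual logs.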

It got noisy recently, so I had to take a closer look at mine!