Visualization of an attack on a VOIP server

The Australian Honeypot Project is a group of volunteers who set up tantalizing decoy targets for cyber criminals. By carefully monitoring those honeypots, the group can gather data about the tactics and tools criminals use to attack real sites and servers. This video they made turns data in pictures to show what's happening during the early stages of an attack on a VOIP server.

Via Arikia Millikan


  1. I’m a simple man, with simple needs. Right now, I need to know exactly what I’m looking at.

  2. Kind of pretty. Not really pure data visualization though unless network traffic has suddenly been upgraded for some reason to simulate gravity and newtonian physics. Also Pachelbel’s Canon in D on classical guitar? Really? Can’t we get something a bit more suited to a hacking attempt? Yakety Sax perhaps?

  3. Looks cool and all, but I imagine this is just an odd way of visualizing an Nmap scan. Most hosts are routinely hit with scans that most consider “white-noise” of the internet. Every time the attacker with Nmap sends out some packets you see those little dots start to fall and the responses trigger the big dots.

    I don’t see how this visualizer is useful except to look cool to people who don’t understand it. It probably represents 1 or 2 Nmap commands. Am I missing something? I didn’t find an explanation.

  4. You pretty much echoed my thoughts there dagfooyo. Pretty, but what’s it mean, and what’s with that music?

  5. So a VOIP hacking attempt loos like buckets of big green balls being thrown into the air simultaneously with buckets of little red balls?

    Pretty useless “visualization”, as t doesn’t help to explain what’s going on at all.

  6. I kept waiting for just one tiny little red ball to get through, and then a smash cut to black-and-white footage of buildings being leveled by a nuclear explosion.

  7. You guys just don’t understand the internets… It’s pretty simple – it’s basically a series of tubes.

    Each server is accessed via a protective airlock and the packets of data have to shoot across the open space. That’s why cable modems are faster and more reliable than dialup. The packets are accellerated to a higher speed by all the bandwidth, thus allowing them to leap across the airlock with greater accuracy.

    From the looks of this example, these Hackers are working with some sort of weaponized salmon roe and the server admins are countering with some engineered wasabi rings.

    1. Oh, man! Can you damage your eyes by looking at the unplugged end of a cable-modem wire?

      I have stared directly into a data beam.

  8. Can anybody explain to me what this is supposed to represent? Do balls launch corresponding to packets being sent or received? Does the position of the balls represent anything meaningful? Does the collision of the balls represent anything? What does the funnel represent and why does it appear and then disappear?

    It looks like the balls launch on both sides near-simultaneously. This leads me to believe that “attacker” balls launching represents the time those packets arrive, and “honeypot” balls launching represents the time those packets were sent, but if that’s the case I can’t see how any of the rest of the video is meaningful unless the only thing it intends to communicate is that “there’s a lot of data in the tubes”.

  9. I like the pretty lights.

    Also, for those who haven’t seen it, every song is Pachelbel’s canon in D.

  10. The visualizer is called glTail.rb[0]. From the left side comes the honeypot responses. The green top most label is the aggregate of the blue labels. The right side is the attacker. What you’re watching here is a brute force dictionary attack. The attacker is sending lots of little requests (hence smaller balls) for dictionary list of extensions and is getting larger responses back for each request which all the same size because they’re all the same responses are ‘extension not found’.

    I’m pretty sure there’s little insight to be had by visualizing data this way.


    1. Ahhh. Thanks, solitaire. I think I got it.

      The reason the ‘good guy’ green and blue balls come out is because the ‘bad guy’ red and gray dots have requested some info from the ‘good guy’.

      So, the red and gray dots launch first – Then the green and blue balls launch in response.

      Therefore- When tons of the red and gray dots start shooting out, asking for tons of info, tons of the ‘good guy’ balls pour out responding to each request.

      I think I’m right about this, yes?

      note: I’m being serious about my questions on the topic. Talking about ‘good guy’ balls and blue balls is merely a silly benefit.

  11. So what happens next? If they find a valid extension how do they leverage that into free toll calls or whatever?

    1. Great question. Here’s something I prepared earlier:

      Predominately, they make cheap OS calls by selling calling cards, or dial into Premium rate numbers that they then collect on.


  12. Hi, thanks for the comments.

    I’m the author and thought I’d chime in with some background.
    The Honeynet project is a volunteer not-for-profit public good project. We study what the crooks are doing on the internet, with the end goal being to make the internet more secure to end users.
    The purpose of this piece was to tell a *story* in an engaging way (rather than a pie chart or a graph) and to make some impression on people who would never have thought about security, let alone VOIP security. I’m really happy with this strategy, based on the interest I’ve reached quiet a wide audience who liked it a lot.

    It is stylised, but based on real data. TBH I found the ball concept mesmerising, so thought – why not?… Its a mixture of Art, design and technology, so it helps if you look at it this way.

    Here is a little bit more background for those interested:

    Aesthetic overview
    This work is not directly targeted at an expert audience, so I warn don’t get caught up too much detail, it’s partly educational (and a little bit of fun) for lay people as well.
    The main goal is not to analyse the low level detail, but to give an impression as to:
    1) The extent/scale of a typical scan of a single IP, and what wider cesspool of the internet might look like.
    2) The notion of (good guy) fending off an attacker’s scan, and learning/sharing from it.
    – The piece is highly stylised, but based on real attack data from my own IP. I was experimenting with new, interesting, and topical data sets, and to play with some new techniques.
    – The balls on the right represent a bad guy attempting to crack an extension of the honeypot.
    – The balls on the left represent the honeypot’s response to the attack (Nice try, shine on you crazy diamond)
    – The attack is relentless and fast paced, and the volume of data from this one attack one on IP/port is really a drop in the ocean in terms of the wider internet.
    – The balls crash into each other and fight it out in the middle of the battlefield, and the good balls do better (not always..)

    Technical overview
    The essentials are:
    – VOIP servers are very common on the internet, and often they are implemented in insecure ways (eg with default, or poor passwords)
    – With highly automated and blindingly fast scripting tools, crooks scan the internet looking for these VOIP servers. When found, the tool cracks the passwords on the extensions.
    – Calls can then be made using these passwords.
    – These compromised extensions are then sold on the underground market, or used directly by the hacker.
    – Victim only notices something is wrong when the next phone bill arrives (1-2 month window). There are extraordinary high call volumes, mostly to overseas numbers, or to premium rate numbers which the crook collects from. I wrote about this here

    Collection of data
    The IP address is just a common garden variety home ADSL IP.
    The honeypot itself listens on UDP 5060 for SIP sessions. There are a few about, try , we (the honeynet project) built in a SIP module into it during the Google Summer Code last year.

    Lastly, I’m interested in hearing from others who have attempted to display security data in new ways, and for wide audiences.


  13. Author calls it “honeypot” project, when clearly the group call themselves “Honeynet”… Honeypot may have been a bit cooler, but let’s be accurate now huh?


    1. @#18: Dude, a honeypot trap is baiting someone into thinking they are gonna get something awesome (in this case free access to VOIP) when they are really just being led into a trap.

      Honeynet is the name of the project. Honeynet is running honeypot operations. Got it?

      This is truly interesting to watch, but I’m gonna add a +1 to questions about the soundtrack. Next time you’re gonna release a vid, crowd source a tune via CC – there is a ton of interesting CC music out there. has a good selection of artists who release their stuff mostly via CC licence. Here’s a few tracks that would suit:

      Russian electronica:
      French hiphop:
      Swedish jazz-metal:
      German bleepy 8-bit electro:

  14. “TBH I found the ball concept mesmerising, so thought – why not?”
    Chartjunk. Take some responsibility and render the actual data, not some invented visual that you think looks cool.

  15. With IPv6 just round the corner (down the road, round another corner and down another road perhaps) and the number of possible IP addresses at around 2^128, would this random scanning of IP addresses for possible targets still be feasible?

Comments are closed.