This post appeared originally in our sysadvent series and has been moved here following the discontinuation of the sysadvent microsite.

For some time now, I've been graphing all unsolicited network traffic destined for my network. For instance, it's quite useful for detecting slow scans, which show up as the diagonally aligned green scatter points in this plot:

[Figure: slow portscan]
Slow portscan, from high ports to low ports.

Other scans and probes often happen faster, when the attacker isn’t much concerned about being detected. These will appear in the plot as a lot of vertically aligned scatter points. In the plot shown below, the attackers have scanned a limited set of ports for about 30 minutes.

[Figure: fast portscan]
A fast portscan will appear as a vertical line.

Backfire time

After writing a previous blog article about the plots as well as discussing the setup with my colleagues, and even showing what can happen with such a feature, there was really no reason to act surprised when weird patterns started to appear in the firewall plots.

The first synchronized port scan resulted in a chicken. Because of the logarithmic scale of the plot, the attackers' drawings have higher precision when aiming for the high ports.

[Figure: chicken]
No egg, though. Now we know for sure.

Then after a few weeks of just the normal hostile activity and a few not-so-successful creative port scans, a very well defined ant suddenly appeared.

[Figure: ant]
Time for some debugging.

In the firewall plot, TCP connections will be plotted as green and UDP connections will be plotted as light blue. After a few poorly disguised questions regarding whether I was plotting other protocols and, if so, which colors they would be, it became evident that some new plan was being hatched. And, lo and behold:

[Figure: ghosts]
So this is what ghosts in the machine look like.

After this creative scanning took place, I implemented support for graphing rejected/blocked IPv6 activity in other colours: IPv6/TCP in red and IPv6/UDP in white. Practical use aside, my feeling that a colleague would take this up as a challenge was correct:

[Figure: Xmas tree fireplot]
Exploit in 4 colours.
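To make the plot logic concrete, here is an added example (not the author's own fireplot code) that parses constructed syslog-style reject lines, maps each record to the colour scheme described above (IPv4/TCP green, IPv4/UDP light blue, IPv6/TCP red, IPv6/UDP white), places it on a logarithmic port axis, and labels each source as a "fast" (vertical) or "slow" (diagonal) scan by how many distinct ports it touched and over how long. The log format, the year and the thresholds are assumptions, not values from the post.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style firewall reject lines (sample input, not from the post).
SAMPLE_LOG = [
    "Dec  1 10:00:00 fw kernel: REJECT SRC=203.0.113.5 PROTO=TCP DPT=22",
    "Dec  1 10:00:01 fw kernel: REJECT SRC=203.0.113.5 PROTO=TCP DPT=23",
    "Dec  1 10:00:02 fw kernel: REJECT SRC=203.0.113.5 PROTO=TCP DPT=80",
    "Dec  1 10:00:03 fw kernel: REJECT SRC=203.0.113.5 PROTO=TCP DPT=443",
    "Dec  1 10:00:00 fw kernel: REJECT SRC=198.51.100.7 PROTO=UDP DPT=65000",
    "Dec  1 12:00:00 fw kernel: REJECT SRC=198.51.100.7 PROTO=UDP DPT=60000",
    "Dec  1 14:00:00 fw kernel: REJECT SRC=198.51.100.7 PROTO=UDP DPT=55000",
    "Dec  1 16:00:00 fw kernel: REJECT SRC=198.51.100.7 PROTO=UDP DPT=50000",
    "Dec  1 10:05:00 fw kernel: REJECT SRC=2001:db8::9 PROTO=TCP DPT=8080",
]
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")
# Colour scheme from the post: IPv4/TCP green, IPv4/UDP light blue, IPv6/TCP red, IPv6/UDP white.
COLOURS = {(4, "TCP"): "green", (4, "UDP"): "light blue", (6, "TCP"): "red", (6, "UDP"): "white"}

def parse_line(line, year=2025):
    """Turn one reject line into a record; syslog lacks a year, so one is assumed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    src = m.group(2)
    return {"ts": ts, "src": src, "version": 6 if ":" in src else 4,
            "proto": m.group(3), "dport": int(m.group(4))}

def scatter_point(rec):
    """(x, y, colour) for the fireplot: y is log10(port) because the port axis is logarithmic."""
    return rec["ts"], math.log10(rec["dport"]), COLOURS.get((rec["version"], rec["proto"]), "grey")

def classify_scans(records, min_ports=4, fast_window=1800):
    """Per source: 'fast' if >= min_ports distinct ports fall within fast_window seconds
    (a vertical line on the plot), 'slow' if they are spread over longer (a diagonal)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    verdicts = {}
    for src, recs in by_src.items():
        if len({r["dport"] for r in recs}) < min_ports:
            continue  # too few distinct ports to call it a scan
        times = [r["ts"] for r in recs]
        span = (max(times) - min(times)).total_seconds()
        verdicts[src] = "fast" if span <= fast_window else "slow"
    return verdicts
```

On the sample above, 203.0.113.5 (four ports in three seconds) is reported as a fast scan and 198.51.100.7 (four ports over six hours) as a slow one; the lone IPv6 probe touches too few ports to count.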

Bjørn Ruberg

Senior Systems Consultant at Redpill Linpro

With long experience as both a network security consultant and system administrator, Bjørn is one of those guys we go to when we need forensics done on a potentially compromised system. He's also good at dealing with tailored DDoS attacks on our customers, and always has a trick up his sleeve.
