Dashboard overview
The Shadowserver Dashboard presents high-level statistics that reflect the main datasets that Shadowserver collects and shares through its daily activities in over 100 daily reports. The datasets allow for the identification of the exposed attack surface, vulnerabilities, misconfigurations and compromises of networks, as well as observations of attacks. The data, shared in the form of reports, contains detailed IP-level information concerning a particular network or constituency. The Shadowserver Dashboard does not allow for this level of granularity. Instead it presents high-level statistics that reflect these activities. This allows insights into the latest emerging threats, vulnerabilities and incidents, providing situational awareness to the wider community while preserving the anonymity of any involved parties.
Sources and tags
Data presentation is organized around sources and tags. A source is essentially a data grouping of some form. The basic sources are honeypot, population, scan, sinkhole. Both population and scan are scan-based datasets with population being an exposure endpoint count without a vulnerability/security assessment. A 6 suffix represents IPv6 data (all entries without the suffix refer to IPv4 data).
Sources can have tags associated with them that provide additional context for the data being presented. For example, tags for scan will include the actual different scan types (i.e. services/protocols being scanned like telnet, ftp and rdp). Tags for sinkhole would reflect the actual malware families connecting to a sinkhole (i.e. hosts infected by a malware family type like adload, andromeda and necurs).
Tags provide additional insights on the data presented.
We also introduce additional source groupings to better reflect observations on vulnerable or compromised hosts, for example http_vulnerable or compromised_website. These will typically contain tags that reflect specific CVE vulnerabilities, vendors or products affected, or information about backdoors, webshells or implants seen. An example for http_vulnerable would be citrix or cve-2023-3519.
Finally, as we add more detections to our datasets we end up with more tags. This means that new source categories may appear to choose from. For example, even though snmp is a tag present on source scan, it is also featured as a source. This allows us to present more granular snmp scan results, such as those associated with a vulnerability like cve-2017-6736.
Quick links to data categories: Left navigation bar
The datasets presented are collected through various large-scale collection methods including sinkholing, scanning and honeypots. These main categories of the datasets are shared on the left navigation bar, with each type of category symbolized by a different icon.
The goal is to enable quicker dives into particular source categories. For example:
- Sinkholes - provides an overview of datasets grouped by source sinkhole. You can then view a particular sinkhole result by selecting a tag or group of tags.
- Scans - provides an overview of datasets grouped by source scan (this category contains scan results for services that have some kind of security issue associated with them; you can also view population scan results by selecting source population instead). You can then view a particular scan result by selecting a tag or group of tags.
- Honeypots - provides an overview of datasets grouped by source honeypot. You can then view a particular honeypot result by selecting a tag or group of tags.
- DDoS - provides an overview of datasets grouped by source honeypot_ddos_amp. These are amplification DDoS attacks seen by unique targets in a particular country/region. You can then view a particular amplification method used by selecting a tag or group of tags.
- ICS - provides an overview of datasets grouped by source ics (which are scan results of native Industrial Control Systems protocols). You can then view the native protocols used by selecting a tag or group of tags.
- Web CVEs - provides an overview of datasets grouped by http_vulnerable and exchange. These are vulnerable web applications identified in our scans, typically by CVE. You can view the CVEs or affected products by selecting a tag or group of tags.
The datasets can be broken down by country or country groupings, regions and continents.
Each dataset is also described in “About this data”.
Please note there are more datasets available other than the ones highlighted. For example, source beacon will allow you to explore post-exploitation framework C2s we see in our scans, and source compromised_website will allow you to explore compromised web endpoints seen in our scans.
Top navigation bar
The top navigation bar allows for various visualization options for data presentation, as well as for visualization of device identification and attack observation datasets.
General statistics
General statistics include the ability to visualize any source and tag by selecting:
- World map - a world map display showing selected sources and tags. Extra features include: ability to switch display to show most common tag per country per source, normalization by population, GDP, connect users etc. You can also select markers on the map to display values per country.
- Region map - a country level map display with countries split into regions and provinces.
- Comparison map - a comparison map of two countries.
- Time series - a chart showing source and tag combinations over time. Note that it allows for different forms of data groupings (not just by country).
- Visualization - offers various options of drilling down into the datasets, including averages of values over time. Allows for displaying data in the form of tables, bar charts, bubble diagrams and more.
IoT device statistics (device identification statistics)
This dataset and associated visualizations provide a daily snapshot of exposed endpoints grouped by exposed vendors and their products identified through our scans. Data is categorized by vendor, model and device type. These are identified through various means, including web page content, SSL/TLS certificates, banners displayed etc. The datasets contain population data only, i.e. no assessment is made of any vulnerabilities associated with the exposed endpoints (to find those, select sources such as http_vulnerable under “General statistics” instead).
Similar visualization charts as in “General statistics” exist, with the difference being that instead of using sources and tags you can view (and group by) vendors, models and device types instead.
Attack statistics: Vulnerabilities
This dataset and associated visualizations provide a daily snapshot of attacks seen by our honeypot sensor network, with a focus on vulnerabilities used for exploitation. These include the ability to view products that are most frequently attacked and to explore how they are attacked (i.e. by which exploited vulnerability, which may include a particular CVE being exploited). You can also view charts by source of the attacks and destinations.
Similar visualization charts as in “General statistics” exist, with the difference being that instead of using sources and tags you can view (and group by) vendor, vulnerability as well as source and destination of the attacks.
An additional visualization category - Monitoring, has also been added:
This is an updated daily table of most common exploited vulnerabilities grouped by unique source IPs observed attacking (or attack attempts seen, if you select the connection attempts statistic option). Data is sourced from our honeypot sensor network. Data is grouped by exploited vulnerabilities. It also includes CISA Known Exploited Vulnerability mappings (including whether it is known to be exploited by a ransomware group) as well as whether the attack is against an IoT device rather than a server application.
By default the display shows the most common vulnerabilities exploited for the entire world, but you can also filter by particular country or grouping or display an anomaly table instead.
Attack statistics: Devices
This dataset and associated visualizations provide a daily snapshot of the types of attacking devices seen by our honeypot sensor network. Fingerprinting of these devices is done through our daily scans. The datasets allow for tracking of particular attack types, device vendors or models and can be filtered by country.
Similar charts as in “General statistics” exist, with the difference being that instead of using sources and tags you can view (and group by) attack type, device vendor or model instead.
An additional visualization category - Monitoring, has also been added:
This is an updated daily table of most common attacking devices seen by unique source IPs observed attacking (or attack attempts seen, if you select the connection attempts statistic option). As in all datasets displayed in this category it is sourced from our honeypot sensor network. It is grouped by attack type seen, vendor and model (if available). We determine the attacking device by correlating IPs seen with the results of our daily device scan fingerprinting (see the “IoT device statistics” section).
By default the display shows the most common attacking devices (by source) seen attacking (this includes cases where we cannot identify a device or, for example, only identify a vendor). You can choose to filter by particular country or grouping or display an anomaly table instead.