Dashboard overview

The Shadowserver Dashboard presents high level statistics that reflect the main datasets that Shadowserver collects and shares through its daily activities in over 100 daily reports. The datasets allow for the identification of the exposed attack surface, vulnerabilities, misconfigurations, compromises of networks as well as observations of attacks. The data, shared in the form of reports, contains detailed IP level information concerning a particular network or constituency. The Shadowserver Dashboard does not allow for this level of granularity. Instead it presents high level statistics that reflect these activities. This allows insights into latest emerging threats, vulnerabilities, incidents providing situational awareness to the wider community while preserving the anonymity of any involved parties.

Sources and tags

Data presentation is organized around sources and tags. A source is essentially a data grouping of some form. The basic sources are honeypot, population, scan, sinkhole. Both population and scan are scan-based datasets with population being an exposure endpoint count without a vulnerability/security assessment. A 6 suffix represents IPv6 data (all entries without the suffix refer to IPv4 data).

Sources can have tags associated with them that provide additional context for the data being presented. For example, tags for scan will include the actual different scan types (ie. services/protocols being scanned like telnet, ftp and rdp). Tags for sinkhole would reflect the actual malware families connecting to a sinkhole (ie. hosts infected by a malware family type like adload, andromeda and necurs).

Tags provide additional insights on the data presented.

Additionally we also introduce additional source groupings to better reflect observations on vulnerable or compromised hosts - for example, http_vulnerable or compromised_website. These will typically contain tags that reflect specific CVE vulnerabilities, vendors or products affected or information about backdoors, webshells or implants seen. An example for http_vulnerable would be citrix or cve-2023-3519.

Finally as we add more detections to our datasets we end up with more tags. This means that new source categories may appear to choose from. For example, even though snmp is a tag present on source scan, it is also featured as a source. This allows us to present more granular snmp scan results that allow for viewing of specific snmp scan results associated with a vulnerability like cve-2017-6736.

Quick links to data categories: Left navigation bar

The datasets presented are collected through various large-scale collection methods including sinkholing, scanning and honeypots. These main categories of the datasets are shared on the left navigation bar, with each type of category symbolized by a different icon.

The goal is to enable quicker dives into particular source categories. For example:

  • Sinkholes - provides an overview of datasets grouped by source sinkhole. You can then view a particular sinkhole result by selecting a tag or group of tags.
  • Scans - provides an overview of datasets grouped by source scan (this category contains scan results for services that have some kind of security issue associated with them, you can also view population scan results by selecting source population instead). You can then view a particular scan result by selecting a tag or group of tags.
  • Honeypots - provides an overview of datasets grouped by source honeypot. You can then view a particular honeypot result by selecting a tag or group of tags.
  • DDoS - provides an overview of datasets grouped by source honeypot_ddos_amp. These are amplification DDoS attacks seen by unique targets in a particular country/region. You can then view a particular amplification method used by selecting a tag or group of tags.
  • ICS - provides an overview of datasets grouped by source ics (which are scan results of native Industrial Control Systems protocols). You can then view the native protocols used by selecting a tag or group of tags.
  • Web CVEs - provides an overview of datasets grouped by http_vulnerable and exchange. These are vulnerable web applications identified in our scans typically by CVE. You can view the CVEs or affected products by selecting a tag or group of tags.

The datasets can be broken down by country or country groupings, regions and continents.

Each dataset is also described in “About this data”.

Please note there are more datasets available other than the ones highlighted. For example, source beacon will allow you to explore post-exploitation framework C2s we see in our scans, and source compromised_website will allow you to explore compromised web endpoints seen in our scans.

Top navigation bar

The top navigation bar allows for various visualization options for data presentation, as well as for visualization of device identification and attack observation datasets.

Statistik umum

General statistics include the ability to visualize any source and tag by selecting:

  • World map - a world map display showing selected sources and tags. Extra features include: ability to switch display to show most common tag per country per source, normalization by population, GDP, connect users etc. You can also select markers on the map to display values per country.
  • Region map - a country level map display with countries split into regions and provinces.
  • Comparison map - a comparison map of two countries.
  • Time series - a chart showing source and tag combinations over time. Note that it allows for different forms of data groupings (not just by country).
  • Visualization - offers various options of drilling down into the datasets, including averages of values over time. Allows for displaying data in the form of tables, bar charts, bubble diagrams and more.

IoT device statistics (device identification statistics)

This dataset and associated visualizations provide a daily snapshot of exposed endpoints grouped by exposed vendors and their products identified through our scans. Data is categorized by vendor, model and device type. These are identified through various means, including web page content, SSL/TLS certificates, banners displayed etc. The datasets contain population data only ie. no assessment is made of any vulnerabilities associated with the exposed endpoints (to find those, select sources such as for example http_vulnerable under “General statistics” instead).

Similar visualization charts as in “General statistics” exist, with the difference being that instead of using sources and tags you can view (and group by) vendors, models and device types instead.

Attack statistics: Vulnerabilities

This dataset and associated visualizations provide a daily snapshot of attacks seen by our honeypot sensor network, with a focus on vulnerabilities used for exploitation. These include the ability to view products that are most frequently attacked and to explore how they are attacked (ie. by which exploited vulnerability, which may include particular CVE being exploited). You can also view charts by source of the attacks and destinations.

Similar visualization charts as in “General statistics” exist, with the difference being that instead of using sources and tags you can view (and group by) vendor, vulnerability as well as source and destination of the attacks.

An additional visualization category - Monitoring, has also been added:

This is an updated daily table of most common exploited vulnerabilities grouped by unique source IPs observed attacking (or attack attempts seen, if you select the connection attempts statistic option). Data is sourced from our honeypot sensor network. Data is grouped by exploited vulnerabilities. It also includes CISA Known Exploited Vulnerability mappings (including whether it is known to be exploited by a ransomware group) as well as whether the attack is against an IoT device rather than a server application.

By default the display shows the most common vulnerabilities exploited for the entire world, but you can also filter by particular country or grouping or display an anomaly table instead.

Attack statistics: Devices

This dataset and associated visualizations provide a daily snapshot of the types of attacking devices seen by our honeypot sensor network. Fingerprinting of these devices is done through our daily scans. The datasets allow for tracking of particular attack types, device vendors or models and can be filtered by country.

Similar charts as in “General statistics” exist, with the difference being that instead of using sources and tags you can view (and group by) attack type, device vendor or model instead.

An additional visualization category - monitoring, has also been added:

This is an updated daily table of most common attacking devices seen by unique source IPs observed attacking (or attack attempts seen, if you select the connection attempts statistic option). As in all datasets displayed in this category it is sourced from our honeypot sensor network. It is grouped by attack type seen, vendor and model (if available). We determine the attacking device by correlating IPs seen with the results of our daily device scan fingerprinting (see the “IoT device statistics” section).

By default the display shows the most common attacking devices (by source) seen attacking (this includes cases where we cannot identify a device or for example, only identify a vendor). You can choose to filter by particular country or grouping or display an anomaly table instead.

Pembangunan Papan Pemuka Shadowserver dibiayai oleh UK FCDO. Statistik cap jari peranti IoT dan statistik serangan honeypot yang dibiayai bersama oleh Connecting Europe Facility of the European Union (EU CEF VARIoT project).

Kami ingin mengucapkan terima kasih kepada semua rakan kongsi kami yang sudi menyumbang ke arah data yang digunakan dalam Papan Pemuka Shadowserver, termasuk (mengikut abjad) APNIC Community Feeds, CISPA, if-is.net, Kryptos Logic, SecurityScorecard, Yokohama National University dan mereka yang memilih untuk kekal tanpa nama.

Shadowserver menggunakan kuki untuk mengumpulkan analisis. Ini membolehkan kami mengukur cara tapak web digunakan dan meningkatkan pengalaman untuk pengguna kami. Untuk mendapatkan maklumat lanjut tentang kuki dan cara Shadowserver menggunakannya, lihat privacy policy kami. Kami memerlukan persetujuan anda untuk menggunakan kuki dengan cara ini pada peranti anda.