Appears to be CPU-heavy sometimes in the browser (spiked one of my CPUs to 100%), so could be an opportunity for optimization later.
I've often wanted to show my clients how risky their brand-new VPS is without proper firewall configuration. Your Knock-Knock tool would be a great way of helping them visualize that.
Very nice app; great job!
Yep, with ~80 knocks coming in per second and two 3D globe visualizations, it does make a lot of use of the browser. That said, it runs smoothly even on an iPhone browser. The server scales really well (longtime load average of 0.05 on a $6.75/year VPS :-).
Thanks!
djkurlander•1h ago
Watch bots trying to break into my honeypots, gain access to my files, place expensive VOIP calls, attack my HTTP server, and relay SPAM email. The new knock-knock.net shows you SSH, Telnet, FTP, RDP, SMB, SIP, HTTP, and SMTP attacks in real-time: where they are coming from (check out the spinning globe heat-map!), the most common usernames and passwords, info on why some of those usernames and passwords are being used, the worst offending IPs, and of course the ISP wall of shame. View the stats for the protocols together, or filter by protocol. All presented in what I hope is a very cool UI.
The new knock-knock.net aggregates attack info from multiple servers around the world and presents the info in one place, hence you'll see attacks come in at a furious pace, and may want to use the pause button (or space bar). Turning on audio (the speaker icon) lets you hear what some have called the "background radiation of the internet" on a virtual geiger counter. This is intended to be a fun, educational site, not a serious cybersecurity tool.
A few random, interesting things:
1) The locations of the bots doing the various protocol attacks differ pretty dramatically. For example, Romania, Poland, and the Netherlands are currently big for SSH bots, India leads for SMB, China is tops for RDP, and France for SIP, but the US is #1 overall.
2) SMTP attempts are usually sentry emails. SMTP bots first try to send an email to themselves so they can tell the server is a working relay. Notice that nearly all of the emails include my IP address in the subject or body (it appears here redacted as <target-ip>) so they can tell the relay is operative.
3) The Internet has been blocked for nearly all of the citizens of Iran since the January protests. However, I found it surprising that attacks still originate from servers there.
4) RDP and SIP bots will connect to a server and spam it practically non-stop. I had to set up an autoban for these protocols at 2,000 knocks - much lower than the 10,000 knock ban set for the other protocols.
5) As of this posting, we're still waiting for knocks from several African countries. They tend to have fewer internet servers than the rest of the world. However, we did get knocks from Jersey (the island, not the state or cow), Nauru (~10K people), and Monaco (~2 km^2). Surprising that we're still waiting for EU member Slovenia!
6) We've even seen knocks from space! Well from ISP SpaceX/Starlink anyway. You would think this would be expensive, but bots are often replicated on machines they infect, and they aren't paying the bills.
7) The worst offending ISP is ironically named "Unmanaged Ltd." Interestingly, it was previously DigitalOcean, but shortly after v1 was posted to HN and r/digital_ocean, and user comments skewered that ISP, their bot attacks dropped over 99%! Coincidence? Maybe. Maybe not.
Works great on desktop or mobile — try it out and let me know what you think. Happy to answer questions and take suggestions.
For a tutorial, see https://knock-knock.net/summary.
To see the original v1 knock-knock.net (collecting data for 90 days), visit: https://v1.knock-knock.net.
If the aggregated v2 site is too fast for you, visit a single feeder server (e.g. https://la5.knock-knock.net).
The source lives at https://github.com/djkurlander/knock-knock.