Internet Malicious Activity Maps

We have built a number of different maps of malicious activity seen on the Internet from our various data donors and sources. These maps are updated daily, showing summaries of malicious activity seen over various recent periods of time. Intensity on the maps is shown in "heatmap" style, with the color gradient looking roughly as follows:

[Image: color gradient legend, running from less malicious activity to more malicious activity]

World Map

The first map shows one day's worth of malicious activity, plotted on a world map. Note that IP geolocation techniques are not perfect, so these locations are only approximations. Additionally, the real individuals behind the malicious activity represented could be far away from any of the displayed locations, controlling these compromised systems remotely.

This map is also available in movie form - you can download it in one of the following formats:

The movie versions are updated every day along with the image below.

Recent malicious activity, world map

Thanks to NASA for the world map base image.

Hilbert Map

The next map below represents a summary of malicious activity seen on the Internet over the past 30 days combined. The IP space is mapped into this image using a Hilbert Curve. The numbers in the upper left-hand corner of each block of the map indicate the first octet of the IP addresses represented in that section, so, for example, the block labeled "24" represents all of the IP addresses in the netblock.

Internet Malicious Activity Map - Click for full version

Blocks with orange numbers and cross-hatching are full /8 networks that are bogons: unallocated space that should never be seen on the Internet. Non-bogon blocks are displayed with red numbers.

The map below is a half-size version to avoid breaking the layout of the web page and making it impossible to read - click on the image to open the full-sized version of the map in a new browser window/tab.

Each individual pixel of the full map represents 4096 IP addresses. The coloration of the map is scaled in "heatmap" style - if no IP addresses from the block represented by a given pixel were found in our dataset of malicious activity, it will remain black. If any addresses were found, the pixel will be shaded based on the number, starting with blue, transitioning through purple, green, yellow, orange, red, and, finally, to white for the largest concentrations of malicious activity.
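The Hilbert mapping and per-pixel counting described above can be sketched as follows. This is an added example, not the code used to generate these maps. It assumes the standard Hilbert curve index-to-coordinate conversion with block 0 in the upper-left corner (the orientation of the xkcd map), a 1024 x 1024 full image (2^32 addresses / 4096 per pixel), and constructed sample addresses; all function names are hypothetical.

```python
import ipaddress
from collections import Counter

ADDRS_PER_PIXEL = 4096   # from the page: one pixel covers 4096 addresses (a /20)
SIDE = 1024              # assumption: 2**32 / 4096 = 2**20 pixels -> 1024 x 1024

def d2xy(side, d):
    """Convert distance d along a Hilbert curve to (x, y) on a side x side grid.

    side must be a power of two; x is the column, y is the row, (0, 0) is
    the upper-left corner (assumed orientation).
    """
    x = y = 0
    t = d
    s = 1
    while s < side:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                      # rotate/flip the quadrant built so far
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y

def ip_to_pixel(ip):
    """Pixel on the full map that covers the given IPv4 address."""
    return d2xy(SIDE, int(ipaddress.IPv4Address(ip)) // ADDRS_PER_PIXEL)

def slash8_block(first_octet):
    """Position of a /8 on the 16 x 16 grid of labeled blocks."""
    return d2xy(16, first_octet)

def pixel_counts(ips):
    """Number of distinct addresses per pixel; pixels with no hits stay black."""
    return Counter(ip_to_pixel(ip) for ip in set(ips))

if __name__ == "__main__":
    # Constructed sample data, not taken from any real feed.
    sample = ["24.0.0.1", "24.0.0.2", "24.0.0.2", "24.0.16.0"]
    print("block 24 grid position:", slash8_block(24))
    for pixel, count in sorted(pixel_counts(sample).items()):
        print(pixel, count)
```

Because consecutive addresses stay close together on the curve, each /8 occupies one contiguous 64 x 64 pixel square, which is why the per-block labels on the map line up with whole networks.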

Credit for the idea of this mapping concept goes to xkcd, and their Map of the Internet. The Measurement Factory has also created similar visualizations of differing data sets using this technique.

Thanks and credit for the data that backs all of these maps goes out to a wide range of donors and supporters of Team Cymru, and the Internet community for their support of our efforts to keep their networks more safe and secure.