← Lab
Lab · Instrument 01

Live global attack traffic

The internet is under constant, automated attack — scanners and bots probing every machine they can reach, around the clock. This shows which services are taking the most fire right now, live, and what each of those attacks usually is.

How it works

The data comes from the SANS Internet Storm Center — a worldwide network of honeypots, decoy machines deliberately exposed to the internet to attract attackers. Every connection they receive is unsolicited, so it’s a clean measure of background attack activity: no real users, just probes. The panel ranks the ports — the numbered doors into a machine, each tied to a service — taking the most hits today, and names the attack each port typically sees, from SSH password brute-forcing to IoT-botnet recruitment.

The two counters put a number on it. Attacks today is a live estimate that carries the network’s daily total forward at the observed rate between the source’s periodic updates; since you opened this is the same figure measured from your arrival, so you can watch it climb in real time. The threat level mirrors the ISC’s global “Infocon” status. Everything runs in your browser against a free, public, no-key API — this is the kind of signal I read every day in security operations, which is why I wanted a clean live window onto it.