"Visualizing the invisible war happening on the internet — right now."
- The Story
- The Challenge
- Tech Stack & Architecture
- Computer Science Concepts Used
- How to Run the Project
- Future Improvements
- Acknowledgments
This project started during a late-night YouTube rabbit hole.
I was watching an IBM video explaining DDoS (Distributed Denial of Service) attacks — botnets, zombie machines, traffic floods, and how entire services can be knocked offline.
The explanations were clear, but abstract.
I kept thinking:
"What If we can see it all Live!"
That curiosity led to the idea of building a cyber-war room style visualization — a real-time, global, 3D map of ongoing cyber threats.
This project is the result.
The first assumption was naive:
"I'll just stream live attack data from the internet."
Reality hit quickly:
- Live attack data is highly sensitive — companies do not expose it publicly.
- Packet sniffing at scale requires massive infrastructure and permissions.
- Exposing real victim data would be unethical and illegal.
Instead of raw live traffic, I discovered the
SANS Internet Storm Center (ISC) Threat Feed.
SANS collects data from global honeypots and publishes:
- Top attacking IPs
- Attack counts
- Update intervals of a few minutes
This changed the engineering problem:
| Before | After |
|---|---|
| Live packet streaming | Periodic threat polling |
| Infinite data firehose | Controlled, ethical data source |
| Direct visualization | Simulated real-time flow |
The system follows a Producer–Consumer architecture.
- Node.js + Express — Central intelligence hub
- Axios — Polls the SANS ISC threat feed every 60 seconds
- GeoIP-Lite — Converts IPs to geographic coordinates (O(1) lookup)
- Socket.io — Real-time broadcasting to connected clients
📡 The backend collects, enriches, buffers, and streams threat intelligence.
- React.js — State management & live updates
- Globe.gl (Three.js / WebGL) — 3D Earth with animated attack vectors
Each arc represents:
- Source: Attacking IP (GeoIP-based)
- Destination: Simulated honeypot target
- Intensity: Derived from attack metrics
This project applies real engineering principles — not just visuals.
Problem:
The SANS API is REST-based, but the UI needs real-time updates.
Wrong approach:
Frontend polling every second → API bans + inefficiency.
Solution:
- Backend polls slowly (every 60 seconds)
- Backend pushes updates instantly via WebSockets
✔ Decoupled architecture
✔ Scalable
✔ API-friendly
Raw data gives numbers — not intent.
A heuristic model infers attack type:
| Attack Ratio (attacks : count) | Classification |
|---|---|
| ~1:1 | Port Scan / Reconnaissance |
| ~1:50+ | DDoS / Brute-force Flood |
This turns raw metrics into meaningful insight.
Raw IPs alone cannot be visualized.
ETL Pipeline:
- Extract — Parse IPs & metrics from JSON
- Transform — GeoIP lookup → Latitude & Longitude
- Load — Inject simulated honeypot targets and vectors
✔ Ethical
✔ Scalable
✔ Visually expressive
- Node.js (v16+ recommended)
- npm
cd server
npm install
node index.jsExpected output:
🚀 COMMAND CENTER ACTIVE
cd client
npm install
npm startOpen:
http://localhost:3000
- 🕰️ Historical timeline (attack playback)
- 🔊 Sound alerts for large-scale DDoS events
- 🧠 Clickable attack details (ports, protocol)
- 🚦 Global DEFCON-style threat indicator
- SANS Internet Storm Center (ISC) — Open threat intelligence
- Globe.gl — 3D visualization engine
- IBM — Inspiration for the project