Skip to content
sudodudes_
[root@sudodudes ~]# blog

The live threat map: real attacks on this site, GDPR-compliant

#threat-intel #waf #gdpr #observability

The threat dashboard includes a world map of attacks against this very website - not stock imagery, not a vendor’s marketing feed. Every data point is a request our own edge actually blocked. This post walks through the pipeline, including the part most “live attack map” pages skip: doing it without violating the GDPR.

The pipeline

Every request to sudodudes.com passes through our edge proxy with an OWASP Core Rule Set WAF in front of the application. Blocked requests - SQL injection probes, path traversal attempts, scanner fingerprints, rate-limit violations - are logged to our self-hosted log aggregation stack, where they are retained for 30 days for security operations (our legal basis: Art. 6(1)(f) GDPR, legitimate interest in securing the service).

Once a day, an aggregation job:

  1. queries the log store for blocked requests,
  2. resolves each source IP to a country using a locally-bundled GeoIP database (no lookup service is called - the database file sits on our disk),
  3. counts blocks per country and per rule category,
  4. publishes only those aggregate counts as a static JSON file.

The map in your browser renders that JSON onto a bundled SVG world map. Your browser makes no third-party requests, and the raw logs never leave our infrastructure.

The GDPR part most attack maps get wrong

IP addresses are personal data (CJEU, C-582/14 Breyer). A map that publishes individual attack events with source IPs - or even city-level precision plus timestamps - is publishing personal data of (admittedly hostile) people, and needs a legal basis for that publication.

Country-level aggregate counts are different: “1,742 blocked requests from country X last month” cannot be related back to any individual. The personal-data processing stops at our log store, under the same 30-day retention and legitimate-interest basis as ordinary security logging. What gets published is anonymous statistics - out of GDPR scope entirely.

That distinction - process internally under legitimate interest, publish only anonymized aggregates - is the same pattern we recommend to clients for security telemetry, abuse dashboards, and status pages.

Why bother?

Because “we take security seriously” is a sentence, and a live view of our own perimeter is evidence. The internet’s background radiation - constant scanning, credential stuffing, exploit spraying - hits every public endpoint, including ours. Showing it, honestly and compliantly, is the story: this is what the baseline threat environment looks like, and this is how little of it should ever reach your application.

[root@sudodudes ~]# subscribe

Get new posts by email

Security engineering, compliance without theatre, open-source threat intel. No tracking, no forwarding your address, unsubscribe in one click.

By subscribing you consent to receiving our newsletter at this address (GDPR Art. 6(1)(a)). We store your email, the consent timestamp, and this policy version - nothing else. Withdraw anytime via the unsubscribe link in every email. Details: privacy policy.