68

This is probably a massive noob question, but Google results aren’t being helpful and I couldn’t find something specific here.

I made this server that just hosts IRC, HTTP and SSH for some friends. I have done this sort of thing before, and to my knowledge everything was fine. But today, minutes after I turn boot up the server properly for the first time, and pretty much for the whole day until I noticed it tonight, I was getting brute-forced via SSH. They were checking from a whole bunch of different IP addresses, from businesses in places like China and Vietnam, to DigitalOcean’s address.

I had not shared the direct IP address with anyone, and the DNS had only been set up for a day or two. There is no way anybody outside of my friend circle (people I trust) would have known that the server existed, and nobody would have any reason to hack me.

So my question is, assuming it wasn’t leaked, how did these people get my IP address so quickly, and what would they seek to gain my taking control of my machine?

Peter Mortensen
  • 877
  • 5
  • 10
Architect
  • 691
  • 1
  • 4
  • 6
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/107107/discussion-on-question-by-architect-how-did-the-brute-forcers-get-my-ip-address). – Rory Alsop Apr 23 '20 at 19:03

4 Answers4

100

The IPv4 address range isn't that big.

A class A network (/8) has about 16 million hosts, and in theory there is 256 of them. As a result, the internet has about 4,294,966,784 hosts. Of course, this is an approximation.

Many address ranges are actually reserved (e.g. 127.0.0.0/8, 10.0.0.0/8), and others are actually one address that represent a NAT-ed internal network. But just judging from a naive back-of-the-envelope calculation, we can say it's somewhere in that ballpark.

What an attacker can do now is mass-scan one subnet for a particular service, such as SSH. Simply get a number of hosts (e.g. 32 hosts) and divide the target subnet evenly. Scan only for SSH hosts on port 22, and check which hosts reply.

An attacker can then either try to launch a brute force attack themselves, or they can sell that list of active hosts to someone else, who then attempts to attack you.

How long would it take to make such a list? Assuming that the attacker wants to scan a whole class A network (16 million hosts), with 32 hosts to scan, at roughly 100 hosts per second, we get a rough estimate of 90 minutes. Of course, time will vary, depending on the speed or the number of hosts, but it should be in that ballpark.

  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/107109/discussion-on-answer-by-mechmk1-how-did-the-brute-forcers-get-my-ip-address-so-q). – Rory Alsop Apr 23 '20 at 19:17
52

An IP address is nothing private. Nowadays it's possible to scan the entire IPv4 Internet within minutes. ZMAP, for example, is a tool that can be used for such scans. NMAP can be used on IP addresses to scan for open ports or services, like SSH.

There are also Online Databases like Shodan with huge lists of devices and services on the internet.

Melebius
  • 105
  • 3
Valentin
  • 651
  • 3
  • 9
17

I worked on an app that scanned a private network to create an inventory of devices. They wanted it expanded to scan an entire class B network at once. I was able to write a function to do it in a few minutes (5 if I recall correctly) by sending 10,000 "ping" packets at once and waiting for all the answers in parallel

This involved a tuning factor because they were all on the same network and anything faster hit too many errors, also it was before NIO and java had to sit on a thread for each outstanding packet--today on the internet you could probably do it much faster.

So 5 minutes * 255 (about a day) would be the time to it took ME to scan a class a--So you could scan the entire internet every day with a tiny botnet of 255 computers using my 20 year old code (Each bot scanning a class A every day). Realistically, you could probably scan the entire ipv4 space from one computer in a day including multiple retries on misses with that same code.

However, scanning all 65k ports of every device would take ~65,535 times longer.

This happened to me 20 years ago--but I figured out that they were only scanning for an open SSH port (Maybe telnet/ftp too, but even then I knew not to put THOSE on the internet!). I moved the SSH port to a 5-digit port number and was never bothered again.

Also, disable your SSH password and always use your public/private key, it's easier for you to use and much harder for others to hack.

Bill K
  • 407
  • 2
  • 6
  • 7
    You can scan a port in the entire IPv4 range in minutes, not days - see https://github.com/robertdavidgraham/masscan and similar optimized tools. – Peteris Apr 21 '20 at 12:59
  • 1
    @Peteris ... if you have a high-bandwidth connection, and a friendly ISP who will tell the people you're scanning to fuck off, when they complain, instead of disconnecting you. – user253751 Apr 23 '20 at 14:50
4

Well, regarding the time needed to scan whole IPv4 Internet - using tools like masscan it takes less than 5 minutes! It's also worth it to check your IP address on services like Shodan - that will give you a notion about what is already known about your server.

Honestly, chances are that the IP address was already used before. So it could result into "look they're back online, let's continue with our brute-force attack".

Kuncík
  • 41
  • 3