How are servers found on the internet that have no name registration?
I don't know if people have this problem. Recently I saw a video of a person talking about it on YouTube, and I found I could relate to it. It seems that when you set up a server on the internet, you very rapidly start getting ssh dictionary attacks, even though you have a dynamic IP assignment and no name registration. I've tried in the past to do a network lookup for my internet provider's subnet to see if I can see other computers, but it seems that the network provider blocks those messages.
So I'm curious: how are hostile users of the internet finding servers so fast? If anyone can bring some light to this problem, it will be appreciated. Regards |
I guess that is just a more or less random try or scanning. Sometimes successful, sometimes not.
|
Computing power has caught up with all that: It's quite affordable nowadays to fire up a pool of servers, AWS for example, and check each and every port on every last IPv4 address in a matter of hours. The same can be said for the known IPv6 space (the ranges in actual use).
Here are two interesting links on that topic, one old, one new:
https://census2012.sourceforge.net/paper.html
https://www.shodan.io/
However, even before 'cloud' services hit the market, nefarious interests could pool compromised Windows servers and desktops for that task. |
People use scanner tools that don't care about the name. They just scan entire netblocks for a port, say 22, then record that. This data is then passed on to another tool. nmap can do this. The ip6 address space is much quieter (at the moment).
|
COMCAST (Xfinity) does network scanning on their subnets, and some threat actors do as well. My average time between getting a new device on the network and seeing dictionary attack activity averages right about ten minutes. (Some days as little as a minute or two, some days nearly half an hour.)
Never assume that name services can make you safe; they only make identifying nodes by name more convenient for PEOPLE. The hardware doesn't care, the criminals do not care. |
Your PC probably has a private/non-routable/RFC1918 IP address, DHCP from ISP router. This might help:
https://security.stackexchange.com/q...et-through-nat |
Put wireshark on the wan side and you will see a constant attack stream.
|
I agree with the others. The most likely culprit is bad actors using random port scans.
If you have not done so, you may wish to install fail2ban. |