A simple experiment you can do is buy a server, set up a website with nothing on it, then look at the access logs. All day, every day, there are random systems just blasting vulnerabilities at every device on the internet. Analysts call it "background noise", executives call it "cyber attacks". - ThreadSky

malwaretech.com • 79 days ago

A simple experiment you can do is buy a server, set up a website with nothing on it, then look at the access logs. All day, every day, there are random systems just blasting vulnerabilities at every device on the internet. Analysts call it "background noise", executives call it "cyber attacks".

Comments

jobst-schmalenbach.bsky.social•79 days ago

Humans are opportunists.
That's all.

pluggedinn.bsky.social•79 days ago

This reminds me of my teenage years when I was experimenting on my LAMP web “server” (a Pentium 4 with 512mb RAM). At that time I was getting weird requests from random IPs. I thought they were actual visitors with very old browsers 😂

mkolanda.bsky.social•79 days ago

Saw it every day on sites I managed. Not empty sites but minute not Amazon. Thousands of attacks every day. We had security but any weak site on a shared server could open the door. Constant surveillance.

feignamerican.bsky.social•78 days ago

So so interesting.

proxsea.bsky.social•79 days ago

I confirm, many years ago I got my first VPS on DO, I checked the logs and found bots trying luck with the most common auth endpoints, like /wp-login/ or just /login/, several times a day, port scanning was also common. It really broadened my POV about cybersecurity.

tfox.bsky.social•78 days ago

I'm comforted that the premium we pay for net-connected devices subsidizes the work of criminals.

orangepapers.bsky.social•78 days ago

📌

bourne2learn.bsky.social•79 days ago

Yep, I don't have Wordpress on any of my sites but the logs are full of 404s to wp-login.php and xmlrpc.php and similar.

kageneko.bsky.social•78 days ago

It’s nice to feed those into fail2ban, and gradually slow down the noise.

bourne2learn.bsky.social•78 days ago

Thanks for the tip. I actually rolled my own blocker that targets the multiple 404s cases, but I'll check out Fail2Ban.

kageneko.bsky.social•78 days ago

Fail2ban is The tool for trolling logs for authentication failures and access attempts. It’s been around for quite a while, and is stable.
I first put it in to look after SSH.

thathumbleconsumer.bsky.social•78 days ago

Same, I get views in china, russia, post-soviet countries and they're usually bots of various types. Like the ones that like to attempt to comment on my blog. Lol they're not getting through because I have to pre-approve each comment.

mollita.bsky.social•79 days ago

📌

purplevh80.bsky.social•79 days ago

Interesting. I did not know that.

mav.codes•79 days ago

If you're using ipv4 ;) Sometimes I wish we were all ipv6 already, if for no other reason than to vastly cut down on automated exploits.

but if your domain gets enough traction, caught in some public cert registry, etc you can still expect to get scanned of course.

olivierforget.net•78 days ago

"caught in a public cert registry" ...like anybody who uses letsencrypt or similar. Which is like, everybody. 😭😭

emi.ly•79 days ago

I came here to say this 😂

wyotriumphrider.bsky.social•79 days ago

Here's a free Windows 11 Apache server
https://sourceforge.net/projects/wampserver/
Works great! And you are right about the noise.

darkpsimystic.bsky.social•78 days ago

I've had to explain this multiple times to IT managers and Executives (some of whom claim to understand 'Security'). They just don't understand how prolific and available automated tools are for those who like to spray and pray at everything. Someday, they'll all see it as background noise.

bacajo.bsky.social•78 days ago

This means that when you host, you pay for the bandwidth of all the bogus traffic as well. At least some geo blocking is necessary these days, that's for sure.

just-michelle.bsky.social•79 days ago

I did not know any of this, at least the parts I understood. Please let me know if I still got the main point-

We always need to do better about our cyber security, because they never stop coming for us?

wallofguitars.bsky.social•79 days ago

They have to get lucky once, you have to stay lucky all the time.

just-michelle.bsky.social•79 days ago

Thanks.

rebeccameadows.bsky.social•79 days ago

You don't even need a web server to see this. If you have a Microsoft or Google account, check the access attempts in your account settings!

just-michelle.bsky.social•79 days ago

Thanks, always appreciate the practical. Just recently had to download several google apps for a volunteer project. Managed to mostly avoid them before, after hearing how porous their walls can be.

dalekchap.bsky.social•79 days ago

It’s been happening for as long as I can remember, more than 10 years at least, that something is trying to wander in. Majority of ip’s when I last looked were from China.

sutur.cyberdelia.party•79 days ago

I think you mean “sophisticated cyber attacks from a nation state actor”. Gotta make sure they get their full insurance payout. 🥴🥴😬

whosagrumpybear.bsky.social•79 days ago

oh dang... Google probably has me marked as a terrorist since I constantly run PingPlotter traceroutes to identify packet loss in my ISP 😬

alexduba.bsky.social•79 days ago

I can say background noise is actually quite a loud noise! Millions of malicious connections a month, login bruteforce campaigns, scans, blind vuln attempts, etc.

Some of originators call themselves "legitimate security scanners", but it's (with very few exceptions) BS.

justshowkat.bsky.social•79 days ago

I just had a burst of incoming traffic on my server just yesterday. I freaked out, i thought my site was under attacj! then did some research and found out that it’s happening to everyone!

Like WTH!

houninym.bsky.social•79 days ago

It's interesting to look up where the source IPs of the 'noise' comes from. Having done so, certain countries are very much over represented, so it's not completely random 'noise' of nerds messing about. IMHO the usual suspects are very much over represented.

ronellonline.bsky.social•79 days ago

You say it like we know how to do any of that! 😅

mdunc.bsky.social•79 days ago

A company I work for wants reports on all these driveby "attacks" and expects me to generate alerts for them and documented action taken. I'll never sleep or get any other work done. I set up a WAF to block them, but they still want alerts and tickets created when they happen.

alistarr.net•79 days ago

Look at the bright side: add it to your "shit I did this period" list and use it to provide extra job security.

thisisjeffsnow.com•79 days ago

Interesting how the frequency and volume stays consistent even with aggressive banning of addresses.

djumbi.bsky.social•79 days ago

Cmon, we know china has been scanning every port at every address since like 99
That’s ignoring nsa/ the poms/ everyone else and actual non state actors

rhonddaoutlaws.com•79 days ago

The poms

mr-gm.bsky.social•78 days ago

That's some brilliant alt text!

dell-adams.bsky.social•79 days ago

Wouldn't vulnerabilities be what the devices themselves have or lack, that these messages would take advantage of?

anthonyscardina.com•79 days ago

Yep! I think he meant "blasting exploits"

dell-adams.bsky.social•79 days ago

Okay, I'll stop nitpicking now

thievingcat.bsky.social•79 days ago

So true. Ports 80, 21 and 25 are legit for honeypots.

olgraymaher.bsky.social•79 days ago

📌

midsi.bsky.social•79 days ago

Can we not trace them and shut them down somehow?

datsandwitch.bsky.social•79 days ago

Technically, yes. You can observe the source IP, and a governmental agency can demand records from that IP's service provider to learn the source. Almost always, it will just be another infected host.

You can keep tracing, but it's often a large chain of hosts spread across international borders.

datsandwitch.bsky.social•79 days ago

This is why agencies tend to only focus on the REALLY bad criminals (or the easy ones) because it'll be worth the effort to find the needle in the haystack.

Investigating a botnet is essentially a juice that's not worth the squeeze.

midsi.bsky.social•79 days ago

Ahg it just seems like such a waste of resources and electricity more than anything.

datsandwitch.bsky.social•79 days ago

Absolutely is! The best thing we can do for these kinds of attacks is update our software frequently and utilize a firewall.

Luckily, these attacks leave a VERY large trail, so they're very easy to detect!

verityplayer.bsky.social•79 days ago

This is a bit like being female and below the age of about 50.

ballulah.bsky.social•79 days ago

I think Giselle Pelicot might disagree with the age limit …..

verityplayer.bsky.social•78 days ago

Uh yes good point.

manplow.bsky.social•79 days ago

So would the many victims of SA that are 60 and over. Serial r*pists have specifically targeted elderly women bc they're "easier." Many cases of elder abuse includes r*pe and unfortunately survivors have fewer resources for support because folks think sexual assault is a young woman's worry. 😒

catzies.bsky.social•78 days ago

Thank you for my semi periodic reminder that I will never ever ever date again.

edn2z.bsky.social•79 days ago

When you're trying to defend the infosec budget request.....

loadnabox.bsky.social•79 days ago

Before I set up port knocking at home I would log all intrusion attempts

Hundreds of port scans every day

When they discovered an open port 3000 login attempts per hour

Every hacker everywhere is constantly looking to gain access

nyebodnye.bsky.social•79 days ago

Been there, done that. Now I just redirect my domain to https://Slashdot.org

cbpunk.bsky.social•78 days ago

We call them”drive-by” attacks

thedevlinb.bsky.social•79 days ago

I got a cable modem back in 1999 and I could watch port scans happen on real time because my hub lights would flash. I detects a few successful intrusions when I saw sustained network activity on the hub lights. This was before every application was chatty over the network all the time!

fourmoyle.bsky.social•78 days ago

📌

shatter.bsky.social•79 days ago

Back a good 15 years when I was spinning up dsl/cable modems for site public access (static IP blocks) , as soon as I dropped a fire wall on it the last time gs would light up with ports scans and door knocking.

Usually china

Can't imagine how bad it is now.

mstinkerson.bsky.social•79 days ago

One good way to foil the attacks (or at least really piss off the attackers) is to have some randomized content in every page - it can even be in a hidden div. Most attacks watch for changes in the HTML as GET params are varied - having the HTML vary on every request makes their job much harder.

mstinkerson.bsky.social•79 days ago

Yup. It's mostly spammers, script kiddies looking for somewhere to host pirated crap, or people trying to recruit machines for their botnets (mostly Russian mafia). The most common attacks I've seen try to hit Wordpress URLs even though there are WP installations on the server.

uglywebsites.bsky.social•79 days ago

It's unbelievable. The volume of all that traffic.
Some take the buckshot approach, they'll try to exploit, for example, a Wordpress bug without bothering to check Wordpress is set up.

jasonagouris.bsky.social•79 days ago

we get tons of WP-oriented sniffers and we've installed WP once ever years ago on a completely different subnet. These things aren't particularly intelligent, just a very big array of hammers.

metaed.com•78 days ago

My server blocks IPs geolocated to ten country codes that I don't care to serve and that are responsible for most of my noise. It detects and block any IP address that pen-tests. With these in place, it blocks 30 new IPs every day. I feel like I should be giving these IPs back to somebody.

adamaronoff.bsky.social•78 days ago

This. Any client without specific business outside the US gets basically all non-NA and EU traffic blocked. Just logs filled with kiddie script attacks from Russia, the Middle East, China, constantly, and it's simply not with the risk of a real 0-day being among them

technicaltitch.bsky.social•78 days ago

Not this. As someone who has lived in Africa, geo-blacklisting is almost racist, makes the internet a nightmare, and does nothing at all to protect you, except a false sense of security. Any remotely non-stupid attacks, nevermind 0-days, will not route through an obvious geofence.

rowancrowe.bsky.social•78 days ago

I have a /24 (256 IPs) routed here, and IPs not in use are 100% blocked, as well as most ports for IPs that are utilised. Currently seeing 30 blocked packets per second, or around 2.6 million blocked packets per day. That's 10k probes per IP per day

fq61.bsky.social•79 days ago

The first time I did what you just said years ago, I saw how many attempt for ssh into server, potential sql db, etc etc. I was shocked, I asked more experienced friend that I am looking at PAM logs, and it is like battlefield. I am told it is normal :))

heisenbrg505.bsky.social•78 days ago

So true. It takes only a few minutes to be discovered. If someone sets up a server and opens a firewall rule to allow any inbound traffic while they patch and update it I’m guessing it will be born compromised. 😵‍💫

buntii.bsky.social•79 days ago

So what do they want, say you let them in on a blank server, what happen then?

keilhubert.bsky.social•78 days ago

... while the original inhabitants of this land call it "maize."

zipman.it•78 days ago

One of the best feed for fail2ban... You just set the regex to match to wp-admin.php and in a couple of hour about 200 ips are blocked😁

chiweeniefella.bsky.social•79 days ago

You can give them enormous empty files, compressed, to overflow the space on their own servers if they autodecompress, too. These are called "destructive countermeasures'.

brianhill53703.bsky.social•79 days ago

Setting up tarpits like LaBrea also used to be a thing
https://labrea.sourceforge.io/Intro-History.html.

You set up a bot-friendly endpoint (wp-admin.php), then when something hits it, the response then tries to keep their connection 'on hold' as long as possible to waste their resources.

weedbay.net•79 days ago

Before you can ssh in there'll be several before you.

generalpatton22.bsky.social•79 days ago

Could the internet be converted to Blockchain to stop all this?

redhuitzli.bsky.social•79 days ago

plainoldchair.bsky.social•79 days ago

None of what you've just said makes any sense.

generalpatton22.bsky.social•79 days ago

What’d I say?

plainoldchair.bsky.social•79 days ago

You asked if "the Internet" could be "converted to blockchain". None of this makes sense or would have any impact whatsoever on what anyone is talking about. I'm honestly not even sure you know what you're saying.

nickel76.bsky.social•64 days ago

What if you convert it to a series of tubes?

fakekraid.bsky.social•64 days ago

Oh boy have I got wonderful news for you!

blahpers.bsky.social•64 days ago

This is what academics refer to as "not even wrong"

mikeschnier.bsky.social•79 days ago

All my apes gone?

xanderoconnor.bsky.social•64 days ago

did you at least keep the slurp juice?

ludwigv.bsky.social•79 days ago

What about 2 servers in different languages? I'm asking too many questions...

saucedup.bsky.social•79 days ago

grolaw-me.bsky.social•79 days ago

I was amazed by the volume of traffic. I put a new Synology NAS on the internet w/o any firewall and it logged thousands of attacks in the first few hours.

telecom-terrorist.com•79 days ago

Yep. The L7 firewall on my network spits out all kinds of shit. A lot of Russian source addresses....

justinalcon.bsky.social•78 days ago

🍯

netbear.bsky.social•79 days ago

Be sure to enable error logs on the web server so you can see all the exploit scripts flooding across. It’s a veritable history lesson of exploits. They usually start with the old cgi-bin vulnerabilities.

millechatsbleu.bsky.social•78 days ago

Cheap, simple alternative: Get on a cloud service, set up the cheapest server instance (some are free) & watch incoming traffic on port 80/8080 in real time. I did that once ~10 years ago when debugging a SOCKS proxy, immediately saw port scans & other nunya traffic

stvemillertime.bsky.social•79 days ago

How many trillion security signals per day? :D

rusty.zcx.cc•79 days ago

I used to keep a sniffer monitoring the traffic between my cable modem and firewall. The most 'annoying' traffic was the number of ARP requests for addresses not in my scope. The cable modem was trying to figure out how to hand off traffic, that shouldn't have been going to my firewall.

murrys.bsky.social•79 days ago

Snowflake called it a glitch.

solardavegreen.bsky.social•79 days ago

I first experienced this on my PPP line in 1994. It's never let up since.

cfrk.bsky.social•79 days ago

Yea. Just download peer block and see how often your own devices are constantly being probed.

gmckcypress.bsky.social•78 days ago

Turn off IPv4 and just use IPv6. Scanning 3.4*10^38 addresses takes a while longer — like to the end of the universe. Spidering the entire DNS namespace is a lot more complicated, and can be throttled by DNS providers.

jessssssse.bsky.social•79 days ago

Capitalism demands the worst of all human enterprise

happenstuff.com•79 days ago

Truth.
#made #hacky #folk

wolvenspectre.bsky.social•79 days ago

I like the term Steve Gibson gave it, "Internet Background Radiation". It is normal these days and inescapable. Its just like background radiation. It's there, its persistent, and you have to put up with it to be there.

I like to think it just makes it easier for those collecting malware info.

sockpuppetpundit.bsky.social•78 days ago

Used a security plug-in for Wordpress. Just tons of logs. Stopped a lot by blocking AWS.

quanshiyinpusa.bsky.social•78 days ago

Yep! We had a back door network connection to bring in data on a specific port and all others were blocked. I would sit there watching different IPs try to hit on ssh, then I’d block them, wait, and watch a new attempt from a new IP. Whackamole for Sys Admins 🤷‍♀️

ultraclart.bsky.social•78 days ago

Fail2ban does it for you, the. You can watch the fail2ban logs too

quanshiyinpusa.bsky.social•78 days ago

Yeah, this was like 15+ years ago, but I’m going to look at it, thanks! Is it open source?

ultraclart.bsky.social•78 days ago

Yeah open source. Monitors your logs and IP bans appropriately. You can set up a number of jails all with there own configs. It's great

ottosteinman.bsky.social•79 days ago

is this why you're allowed to make your own server to host your account?

I was wondering why it's the case with this social media site, that I can do that. Admittedly - I know nothing about he pros and cons of why, I just found it interesting and cool that I was able to.

paul8ff.bsky.social•78 days ago

Hello

honkinwaffles.com•79 days ago

Once a quarter the pm freaks out over some connection attempts on a public interface and we need to remind them about background noise.

gutsyliberal.com•79 days ago

It amazed me when I first set up my website. I had no idea.

And it isn't even just bots blasting stuff. On some days a big percentage of the traffic browsing my site seems to come from Russia. I have no idea why, but I don't think they're serious shoppers!

communizard.bsky.social•79 days ago

They're just Russian to your site to get those sweet deals!

gutsyliberal.com•79 days ago

😜 can't deny that!

https://loyaltshirt.myshopify.com/

communizard.bsky.social•79 days ago

Oh shit, my joke was based on objective truth? Damn

gutsyliberal.com•79 days ago

15% off with code Bluesky.

"Always be plugging," according to John Hodgeman. 😉

https://loyaltshirt.myshopify.com/

fourmoyle.bsky.social•78 days ago

📌

tyroball.bsky.social•78 days ago

Just like an immune system your IT health is tested everyday.

Btw, in Russia hacking isn't illegal if you only hack stuff in foreign countries.

wizard-schwartz.bsky.social•79 days ago

It is background noise. No executive worth their salt would actually qualify that as any sort of a cyber attack. It is constant, probing, looking for things that no corporation would ever install, or if they did, knowingly expose.

hfleming.bsky.social•78 days ago

Yeah, around 15 years ago I did that… was scary to look at the logs and decided never, ever go that route… let somebody else deal with that shit. Don’t know what it is like nowadays with script-kiddies harnessing the power of AI tools.

benevoluspf.bsky.social•79 days ago

Why can’t we just shut off traffic from certain countries?

oldmansparkplug.bsky.social•78 days ago

VPNs, relay attacks etc. Also there are still legitimate people in every country just trying to use the internet.

benevoluspf.bsky.social•78 days ago

So I guess we just have to live with it, then? Seems like a real problem with no solution.

simonemiglio.eu•79 days ago

📌

itsjohns.network•79 days ago

I've been meticulous about scrubbing "attack traffic" from all the built in reporting. My concern is that if management sees "attacks" in everything all the time they won't respond with appropriate urgency when we're getting hit at 120,000,000+ requests per minute and I say, "We're under attack."

acinixys.bsky.social•79 days ago

The boy who cried DDoS

itsjohns.network•79 days ago

I've also been very pedantic about DDoS. If we only blocked 50,000 or fewer IP addresses, I insist on only ranking it as a DoS attempt.

blindiephoenix.bsky.social•79 days ago

This is interesting. Spinning up a server now.

dcoventry.bsky.social•79 days ago

I run a number of VPS servers and each of them has hundreds of attempts to access it through brute strength password attacks every second.

Admittedly, that was before I installed fail2ban which limits the amount of consecutive login attempts.

mstefan.bsky.social•79 days ago

For extra fun, setup the "recidive" jail to ban repeat offenders.

mrcontrariwise.bsky.social•78 days ago

So this stat is from literally decades ago, but it was once measured that the mean time to compromise of an unpatched Internet connected system was like 5 minutes. I'm 100% sure that it's has dropped precipitously since then.

mrcontrariwise.bsky.social•78 days ago

Back then I had the youthful energy and enthusiasm for this kind of bullshit, I used to run an OpenBSD based firewall for my home network. The logs of denied connections were *amazing*... all day, every day, probing ports where known vulnerable services would have been running.

sirisema.bsky.social•78 days ago

i had a similar discussion with friend after fed site flashed her DOL-she said "I watched you delete all the jpgs; why did it flash?" Nothing truly gets deleted and now feds want everyone's data sent over web-so bothsides, good and bad, can capture data you assumed you deleted.

a11ychief.bsky.social•78 days ago

A lot of these requests seem to be to the public ip address. Should I put something on my load balancer to do something other than serve the site when the request host is just our IP?

murasorazone.bsky.social•78 days ago

I had an Apache webserver accidentally left running on a home computer with port-forward
In less than an hour there'd be at least 4 different user-agents looking for php files and configs
There was nothing except an empty page

zarar.bsky.social•78 days ago

It’s stuff like this that had me conclude a while back that it’s just not worth maintaining your own infrastructure. This stuff requires constant attention and if you’re an app developer or someone trying to build something, this just can’t be a first order concern.

murasorazone.bsky.social•78 days ago

same
The purpose of the webserver was to confirm that port-forward worked (had to host a server for a game)
If I were to host a website with a database and such, it'd require maintenance that I don't have the time for anymore, not to mention updates and things randomly breaking because of them

s-e-s-k-a.bsky.social•79 days ago

"Thus, threat hunting was borne..."

milkglider.bsky.social•79 days ago

Why don't they shut down those random systems blasting vulnerabilities? Are they stupid?

nite-owl.bsky.social•79 days ago

The one thing humans irrefutably excel at is creating… garbage.

malwaretech.com•79 days ago

For example, take the Mirai malware. It spreads by connecting to random IP addresses and trying to log in with default passwords. Upon success, it installs code to do the same to other devices. This technically results in an exponential increase in "cyber attacks", but is really just a single botnet

malwaretech.com•79 days ago

Another way to look at it: recently there was a bad vulnerability in the UNIX printing protocol. I wanted to get an idea of how many systems were affected, so I sent a test request to every IPv4 address (all 4 billion of them). That's 4 billion "cyber attacks" in the space of 30 mins from me alone.

codejanitor.dev•79 days ago

Do you ever hear anything from your ISP about these exploratory activities? I've thought about doing some scanning before, but I was worried my ISP would be a pain about it (my ISP is generally known to be a pain about... well anything they can).

culturallyunscripted.com•79 days ago

Consumer ISP, yes. Fetus me was building a search engine.

It's why things like shodan and censys exist.

joocifer.bsky.social•79 days ago

CUPS, UDP:631?

kfarris.bsky.social•78 days ago

This is pretty stunning to me. Man, the world is a crazy place… much more than apparent on the surface.

sdshantalat.bsky.social•79 days ago

can you quickly to to https://myip.com, & tell us what it says under "Your IP address is", so we can all ban your ass and your whole subnetwork and your whole country to go with it.

christophbee.bsky.social•79 days ago

It's so obvious, but I never had the thought in my mind that I have the capability to target every single machine in the world with a public IP address.

toothygrin1231.bsky.social•79 days ago

To be fair, you’re not. Most machines in the world are using NAT translated IPs. There are not enough IP addys in the world for every machine. You’d be hitting NAT servers a large percentage of the time.

christophbee.bsky.social•78 days ago

That's why I qualified machines "with a public IP address", it's still an immense reach

just-michelle.bsky.social•79 days ago

Wow. Also had no idea it’s this intense on the macro level. Maybe my theory of being safer because of my insignificant and relative poverty takes me out of the target group?

thebiologistisn.bsky.social•78 days ago

The attacks are almost entirely automated. If your devices are online, you're the target group.

just-michelle.bsky.social•77 days ago

Thanks.

retr0.id•79 days ago

cyber attacks georg was an outlier and should not have been counted

timjohns.com•79 days ago

Sort of the opposite, but flashback to the time I was developing an SNMP agent and while testing, sent an SNMP broadcast query with "public" community string. i discovered a LOT more devices than I was expecting.

itsjohns.network•79 days ago

But did you send to all 65,000 ports on all those IP addresses? What if they're forwarding that protocol on a non-standard port?

telecom-terrorist.com•79 days ago

That's security through obscurity and has been lauded for years. If that's true, then the targeted address is small potatoes in the grand scheme of black hat.

itsjohns.network•79 days ago

Has it been lauded? I feel like it's been decried for decades, but then quietly rewarded by management that just wants to get along to get along.

telecom-terrorist.com•79 days ago

🤦lol

I got my words mixed. Yes, decried is a much, much more useful statement.

bethcodes.bsky.social•79 days ago

Putting deodorant in a plexiglass box you need a worker to open reduces sales by 15-25%: https://www.axios.com/2024/08/11/retail-theft-cvs-walgreens-locked-cabinet

Even a small increase in annoyance can have a dramatic impact on incidence.

znerual.bsky.social•78 days ago

Don't you get blocked by your provider for doing so?

stringsound.bsky.social•79 days ago

ET INFO Observed UDP cups-browsed Add Printer Packet Inbound

WAS THIS YOU?!?!?

scalingdevtools.bsky.social•79 days ago

I think there's a movie about this

gremlin22.bsky.social•79 days ago

Did you also send to all IPv6?

mn0.us•79 days ago

Back in the day, I thought it would be funny to have sshd listen on port 23 (telnet).

During the peak of Mirai, they were scanning so aggressively OpenSSH would reach its unauth connection limit. 🤦

(OpenSSH has logic to reduce the DoS, and it's gotten more advanced since then.)

whdksu7.bsky.social•79 days ago

Been like that for decades now at least two decades. With email spam/malware/phishing the current is 3.4 billion email sent a day that are malicious. Security in layers helps. Educating users helps too. Then there are scam calls too. Looking for victims.

edwardt80.bsky.social•79 days ago

The walking dead zombie virus is what it sounds like

vessonsecurity.bsky.social•79 days ago

You don't even need to set up a website. Just open a TCP port - any TCP port - and start listening to it. You'll see attackers trying to access it as a web server (i.e., doing "GET / HTTP/1.1").

richard.pub•79 days ago

My homelab sees about 4000 “cyber attacks” a month. Its clearly a targeted nation state hacker group using sophisticated AI techniques 😂

Definitely not just automated scans looking for unpatched vulnerabilities.

queenkjuul.bsky.social•79 days ago

Like 99% of mine are trying to hit wordpress routes which I've never installed lol

I'm always still kinda nervous though. I'm not super versed in network security i just have openwrt firewall and anything with exposed ports runs in containers on updated Ubuntu and then i pray lol

richard.pub•79 days ago

Oh yeah, Wordpress and Laravel scans on the daily.

There is always some risk but that’s part of the fun with a lab. Playing, praying, and learning something along the way 😂

dioden.nu•79 days ago

I know that feeling. I hardly expose anything, always VPN in with Wireguard with the exception of Plex for my mom in another city.
A fun thing I saw once is someone set up wp-admin.php to redirect to a 1GB test file in Nginx to give the bots the finger.

queenkjuul.bsky.social•79 days ago

Oh I'm gonna do that now lol

max.someone.ky•79 days ago

thanks for the idea, i GOTTA try that now :p

nomadgirldad.bsky.social•78 days ago

Back in the mid 90s we took bets on how long it would take to get pinged if we put a server outside the firewall. I remember it took about 2 min. Not sure we'd get half a second today

hotelzululima.bsky.social•54 days ago

when @tjkessler.bsky.social setup https://playground.sun.com at SunSoft, by '94 when I arrived he was seeing a fairly steady stream of probes.. not attacks so much yet as the whole arena of network attacks against servers was kind of in its infancy.. nothing like you see today by putting openbsd on a VPS

tjkessler.bsky.social•54 days ago

Ah those were the days. I had my own email and webservers for years but shut them down due to it being to much of a pain to keep up with patches and security what not.

hotelzululima.bsky.social•54 days ago

I don't do email anymore for decades(too much fucking work)... but I still run very vanilla servers for web&vpn(s) for friends on openbsd...
I wrote scripts to produce & install new binaries on my firewall(s)as the snapshots at https://openbsd.org change but with a 73 hour lag..

psavage.net•79 days ago

Sounds like reading my WordFence logs.

mellotronworker.bsky.social•79 days ago

As part of an MSc project, I had to set up two brand new (virtual) XP systems and carry out a series of highly controlled experiments on them. The boxes were unprotected and connected to the Internet.

On average, they were under attack within 45 minutes. The record was ten, and this was in 2006.

houninym.bsky.social•79 days ago

I tried this as an experiment in the mid 1990s, a clean install of (I think) windows 95 hooked up to the internet would get infected with a virus in minutes.

mellotronworker.bsky.social•79 days ago

I likened it in my thesis footnote as 'smearing yourself with Pedigree Chum and walking into the dog pound...'

gahdelgaiu.bsky.social•79 days ago

i dont know how to write code but that got me to laugh out loud, good work. im sure your thesis was eloquent!!!

think.cz•79 days ago

I actually did that exact thing with a Mac mini server, constantly hit on. I set it up to test Facebook ad traffic, FB lies and says they send you more traffic than server analytics records.

melaniewildman.bsky.social•79 days ago

Facebook’s reporting is outright fraud.

think.cz•79 days ago

Totally. We ran the ad to a single html page advert for a new website, they charged us for 3000+ unique visitors, server analytics and 5 page analytics services including google showed 890 people visited via the link, and only 20 people clicked the link thru to the destination site.

think.cz•79 days ago

When confronted and escalated up to a supervisor, they told us basically that their ‘reporting software is proprietary and 100% accurate’ and that the issue was with our other trackers which are unable to record Facebook traffic. Never advertised with them again…

melaniewildman.bsky.social•79 days ago

I wish I was shocked… We used to get real traffic from our Facebook ads back in early 2010’s.

Facebook started pushing video ads back then and their analytics were showing massive conversions but our actual inquiry forms dropped off a cliff.

anne2897.sedici.me•78 days ago

📌

hotlineinput.bsky.social•79 days ago

This is why I really loved the analogy of the Blackwall and the "realm" of rogue AIs in Cyberpunk. Whenever you put your head out, you're swarmed immediately - just like on the real life internet.

olekspickle.itch.io•79 days ago

I found myself instantly comparing it with real internet as well👌

chinesegovtbot.bsky.social•78 days ago

Reminds me of when an instructor had gotten an ec2 instance for putting an application on the cloud, and it got hijacked by ransom ware before the class had started.

laniet.bsky.social•78 days ago

ignominy.bsky.social•78 days ago

We just call it "Fu**ING Russians again"

ayeronnie.bsky.social•79 days ago

I've had websites since 1998 and they have always been under attack. Every day. You don't even need a popular site, just a place for them to get in and usually set up phishing.

dtg.bsky.social•79 days ago

Check out https://viz.greynoise.io/query/last_seen:1d. Collecting, labeling, and decimating this data is literally our mission.

markmcan.bsky.social•78 days ago

Can we help?

mikeycaine.bsky.social•79 days ago

*disseminating

dtg.bsky.social•79 days ago

Doh! Need that edit button.Although we would like to decimate this traffic too! 😁

ahmedice.bsky.social•79 days ago

ohh. i setup a terraria server and just see constant stream of ip s trying to connect

docknmoof.bsky.social•78 days ago

https://www.projecthoneypot.org/about_us.php

jolenejoleneee1.bsky.social•79 days ago

#ForensicAuditNOW #ForensicAuditNOW #ForensicAuditNOW #ForensicAuditNOW #ForensicAuditNOW #ForensicAuditNOW #ForensicAuditNOW #ForensicAuditNOW #ForensicAuditNOW #ForensicAuditNOW #ForensicAuditNOW #ForensicAuditNOW

nosbig.bsky.social•79 days ago

Yup. And on two different systems, leave SSH to allow passwords (set only very strong passwords here) on the first system. On the second, set it only to accept keys. Turn on Fail2Ban on both.

It is amazing what differences you see with the access attempts. It's like the second one doesn't exist.

rswestmore.land•78 days ago

jamesjansson.bsky.social•79 days ago

Sometimes I am tempted to make the route /.env return something.

kamalini.bsky.social•79 days ago

If you set up a WordPress site, you'll be bombarded by attempts to use the XML-RPC exploit.

ldroadie.bsky.social•79 days ago

Back in the early days of public internet, 2000 or so, we set up an unsecured server and watched how many hacks per week, monitoring all access behind the scenes.
Then, at the beginning of each new week we reloaded and began to watch again. Fun times!!!

sophie667.bsky.social•78 days ago

This experiment really exposes the reality of the internet—unknown entities probing and attacking every moment, it's far from safe

grublets.bsky.social•79 days ago

I call it “job security”.

rufflandings.bsky.social•79 days ago

And @greynoise.bsky.social calls it “the basis of a successful business model”

davevenable.com•79 days ago

in before "Cyber Pearl Harbor"

floydnine.bsky.social•79 days ago

I call it, "Thats why everything is so slow"

dst2point0.bsky.social•79 days ago

We called these unprotected setups, a ‘honey monkey’, and they usually have a fake honeypot package to steal.

Hackers use them too, in reverse.

zaksreaper.bsky.social•79 days ago

Soo if one were to develop a website, would you suggest cyber security be first on the list of things to implement?

dremenec.com•78 days ago

It depends. If it's a simple site (no login, no loading from a database, no user inputs) and you're using a webhost, there's not a lot to worry about.

Otherwise, yeah you need to be thinking about security

zaksreaper.bsky.social•78 days ago

I eventually plan to make a portfolio/hosting site for art piece and comics at some point. If I want to add something like a comment section or automated email then I’d likely need to worry about it

dremenec.com•78 days ago

Both portfolio and comic hosting you could build entirely as static sites without much vulnerability, if you wanted (mine are)

But yes, definitely security is crucial for a comment section, especially sanitising the inputs

complacencykillz.bsky.social•79 days ago

Security should part of the design principle. It's not "first" on the list, rather, "part of everything on the list."

zaksreaper.bsky.social•79 days ago

Fair point

keydet89.bsky.social•79 days ago

When I handled the "abuse@" emails for a major telecom, we had one guy who kept sending in "reports" for a single ICMP packet.

zerky.bsky.social•79 days ago

Maybe it was a very malicious ICMP packet

pmihc.bsky.social•79 days ago

Or a delicious ICMP packet

shatter.bsky.social•79 days ago

ICMP continental ballistic packet

pmihc.bsky.social•78 days ago

Sadly not very tasty, too salty

shatter.bsky.social•78 days ago

It where my mind has always gone growing up in the 80s and ICBMs were talked about daily.

kye.boats•79 days ago

probably had the evil bit set tbf

spooftrooper.bsky.social•79 days ago

That's amazing.

s-e-s-k-a.bsky.social•78 days ago

lol I feel like that is the cyber equivalent of “the sky is falling on my head!”

solarpunk-workshop.org•78 days ago

You can't ping me

oldwhiteguy64.bsky.social•79 days ago

It’s only going to get worse with AI.

flieris.bsky.social•79 days ago

Same happened to me sometime ago when I setup nginx without setting up proper firewalls. The access log was filled with those kind of events 😅

purpcheck.bsky.social•79 days ago

Oh hell yeah dude didn't know you were here!

cat-on-a-leash.bsky.social•78 days ago

😱

cabbageridge.bsky.social•79 days ago

I have one I Bo longer use. It was responsible for a ton of nasty emails that threatened to expose what I was doing in my office. I finally shut it down

texasdfwcowboy.bsky.social•79 days ago

A major financial services company I worked at received on average 2,500,000,000 attempts per 24 hour period to find and exploit vulnerabilities. And it's why the only companies serious about security are banks.

commiegir.bsky.social•78 days ago

jasonbu.online•79 days ago

It’s incredible. We fend of thousands of probes and attempted vulnerabilities attacks each day. Mind boggling.

quup.bsky.social•79 days ago

You can use something like fail2ban to get rid of this noise
https://github.com/fail2ban/fail2ban
Or a commercial solution with lots of those IPs in the blacklist.
And I like the idea of redirecting them to a big file download or something.👍

mythik.co.uk•79 days ago

The one that impresses me is the number of search engine bots that are really interested in indexing my OAuth2 token endpoints.

rustyaway.bsky.social•79 days ago

You think web servers are bad? Try hosting your own email server and look at the logs. It makes your eyes water...

shatter.bsky.social•79 days ago

What's the spam to mail rate these days?

seismoallegra.bsky.social•78 days ago

I use https://duocircle.com for first filter on my 30+ year domain name and email address. Say 40 legit email and 250 spam per day.

shatter.bsky.social•78 days ago

That's pretty close to the 15/85 ratio then.

its-its.bsky.social•78 days ago

yikes!

rustyaway.bsky.social•78 days ago

Unless you lock your server down as tight as a drum, spam mail would exceed genuine mail many-fold. I'm only guessing, but I would think that most email traffic on the Interwebs these days is spam. Employing multiple counter-measures and educating mailbox users is paramount.

shatter.bsky.social•78 days ago

At an old job we had an exchange running with hardware spam appliance as well as software on the server. We did a lot of legitimate mail back and forth (promotions and such to customers) and back then it was about 85/15 spam to legit.

I can't imagine it's gotten better.

shatter.bsky.social•78 days ago

last job we ran thing via gsuite which does most of that for you, but also incorporated Cloudflare's area 1 (rename to email security I think) and it did a really nice job on anthing that slipped through.

Caught some well written nasty things.

hostbox.me•72 days ago

Do not host your own emails, I repeat do not host your own emails. Thank me later.

rustyaway.bsky.social•65 days ago

Why?

handle.invalid•79 days ago

During my master degree, i had machines with a public IP addresses, and was running pcaps on port 80 and 21 …

The background was noisy indeed

robertparkernc.bsky.social•79 days ago

Put an unsecured computer on the internet. Within a few hours it's unusable and may well be unrepairable, shy of replacing the drive. And you would need to shred that drive. Even then the bios may be corrupted, and you may need to toss the whole thing. Noise my ass.

pannekook.bsky.social•79 days ago

put some raw meat on a warm counter. within a few hours it’s inedible, and you may need to toss the whole thing

nickoftime5546.bsky.social•79 days ago

I think he means this is not some bad actor actively targeting you, but ongoing scanning for vulnerable systems to co-opt.

mihails-guide.neocities.org•79 days ago

Well, that background noise is from both kinds of malware: ones that only build a bot-net & ones that try and brick your system. There was an experiment invoking connectiong a Windows XP installation to the Internet without any filters. It was rendered unusable in short notice.

nickoftime5546.bsky.social•79 days ago

Yep.
Many of these exploits intent to hack into the target and stay undetectable.

sunshade.blue•78 days ago

I once left a database with default configs up while fussing around with some project. It was somebody else's server in about 8 minutes, and they left a nice ransom note. I feel lucky that i got the softest version of that lesson.

digdilem.bsky.social•78 days ago

I self host, but more and more I'm converting stuff to static sites and hosting it on cloudflare pages. Its not just the security, it's the endless bandwidth from malware and
badly behaved web crawlers. Get a couple of them scraping some image heavy sites and I'm DOSed off my own link

thetonichilds.bsky.social•78 days ago

I’m going to do this… thx. It has been a year of dealing with hacking!! Man o man

riskymanag3ment.bsky.social•79 days ago

I did this with SSH and tracked the login attempts with a daily csv. The lowest day was ~200 brute force attempts. The highest day was >16k attempts.

whitehtj.bsky.social•78 days ago

It never stops even on a internet facing server in the house ... in just a few hours. Sometimes they get a visit.

chucke.com•79 days ago

The web marketing manager calls it a miracle of modern marketing, and then asks for a raise. 😉

truth-n-science.bsky.social•78 days ago

ah, that's like bullet holes in signs from hillbillies with guns in the country.

markr51.bsky.social•79 days ago

I did this experiment about 20 years ago, and shut it down as soon as I looked at the logs.

pointlessmcflurry.bsky.social•78 days ago

📌

dvdschneider.com•79 days ago

My firewall blocked trillions of cyber attacks last year using only NAT.

telecom-terrorist.com•79 days ago

NAT is not a security feature but technically this could be true.

kord.frontlinepoets.com•79 days ago

I had a chat with an admin many moons ago that said you don't need passwords on local machines because they're inaccessible via NAT. anyways, when they paid some ransomware sum they claimed to their insurance it was unavoidable.

telecom-terrorist.com•79 days ago

lol, yep. That's the outcome I would expect in that situation.

dvdschneider.com•79 days ago

I've worked with lazy admins that would go out of their way to remove passwords, since User SMB Sharing and RDP would be disabled on Windows if there was no password.

Somehow they didn't realize that disabling those services would have been more effective (or restricting them with the firewall)

kord.frontlinepoets.com•78 days ago

It's also wild that a lot of vendor software has you doing things like disabling SELinux, disabling the firewall, or creating users with no password just to get their stuff to work. I know some admins that do all of that as part of their basic setup process because that's just what they're used to.

wisteela.bsky.social•79 days ago

I had a load of ssh attempts on a Raspberry Pi until I changed the port on the port forwarding of my router.

richardhnguyen.bsky.social•79 days ago

This is surprisingly true in my case. I bought a VPS and a domain to set up my hobby project. They didn't have any meaningful features but the server was up and running. I checked the log and there was a huge amount of visitors from the same area visiting it.

pankoqueen.bsky.social•79 days ago

If I only knew what you were talking about with your sincere effort to educate me
😳😳😳. Can I just say I appreciate all of you who have a clue and I mean that sincerely.

garygocek.bsky.social•79 days ago

I figure it's better than a 50% chance that Pankoqueen's reply was generated by an AI bot, and I mean that sincerely.

pankoqueen.bsky.social•78 days ago

You would be wrong.

drcyanide3d.bsky.social•79 days ago

He's saying every server (even ones without a URL or web page) gets random people trying to see if they can connect to it. IT knows that's normal, but management sometimes makes it seem like it's a targeted attack on their company in particular.

pankoqueen.bsky.social•78 days ago

Thank you for explaining.

matei.busui.ro•78 days ago

This is ssh dictionary attacks on 5 servers. What matters is it's 5 public IPs.
I like the background noise idea, it's exactly how it feels.

heradescends.bsky.social•78 days ago

I’m 3/4 Luddite, this will fester…

dennis-moore.bsky.social•78 days ago

Some of it is search engines.

asharwood.bsky.social•79 days ago

It’s likely just google or some other search engine blanket pulling data to source their search results.

kord.frontlinepoets.com•79 days ago

I have customers that request public nets and then send me T1 support escalations because they're experiencing "a high volume of sustained attacks" and yes ... you will see a flood of ARP "who-has" requests from the ping scans alone.

ntnlabs.bsky.social•79 days ago

Good sysop knows how to do automated system that will block 99% of them automatically and just seconds after they start.

monsterislandnyc.bsky.social•79 days ago

Yep

boxofshards.bsky.social•79 days ago

That sounds like the cosmic microwave background energy of the internet. Neat.

Comments

Posting Rules

Reply