How did the brute-forcers get my IP address so quickly?
The IPv4 address range isn't that big.
A class A network (/8) has about 16 million hosts, and in theory there are 256 of them. As a result, the internet has about 4,294,966,784 hosts. Of course, this is an approximation.
Many address ranges are actually reserved (e.g. 127.0.0.0/8, 10.0.0.0/8), and others are actually one address that represents a NAT-ed internal network. But just judging from a naive back-of-the-envelope calculation, we can say it's somewhere in that ballpark.
What an attacker can do now is mass-scan one subnet for a particular service, such as SSH. Simply get a number of hosts (e.g. 32 hosts) and divide the target subnet evenly. Scan only for SSH hosts on port 22, and check which hosts reply.
An attacker can then either try to launch a brute force attack themselves, or they can sell that list of active hosts to someone else, who then attempts to attack you.
How long would it take to make such a list? Assuming that the attacker wants to scan a whole class A network (16 million hosts), with 32 hosts to scan, at roughly 100 hosts per second, we get a rough estimate of 90 minutes. Of course, time will vary, depending on the speed or the number of hosts, but it should be in that ballpark.
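The procedure the answer describes (split a target range evenly among N scanners, probe one port, keep the hosts that answer, and estimate the wall-clock time) as an added example in Python; this is not code from the original answer. The worker count (32), per-worker rate (100 probes/s) and the loopback-only demo target are assumptions; the scanner does a plain TCP connect, not the raw-socket SYN probing that tools like ZMap use.

```python
"""Added example: partition a network among scanner workers, estimate the
scan time, and run a concurrent TCP connect probe for one port.
Worker count, rate and the loopback demo target are assumptions."""
from __future__ import annotations

import asyncio
import ipaddress
import math
from typing import Iterable


def partition_network(network: str, workers: int) -> list[list[ipaddress.IPv4Network]]:
    """Divide `network` into `workers` contiguous, (almost) equal address ranges.
    Each worker's range is returned as a list of CIDR blocks."""
    net = ipaddress.ip_network(network, strict=False)
    first, last = int(net[0]), int(net[-1])
    chunk = math.ceil((last - first + 1) / workers)
    parts: list[list[ipaddress.IPv4Network]] = []
    for i in range(workers):
        lo = first + i * chunk
        if lo > last:
            break
        hi = min(lo + chunk - 1, last)
        parts.append(list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi))))
    return parts


def estimate_seconds(num_hosts: int, workers: int, rate_per_worker: float) -> float:
    """Wall-clock estimate: hosts divided by the aggregate probe rate."""
    return num_hosts / (workers * rate_per_worker)


async def _probe(host: str, port: int, timeout: float, sem: asyncio.Semaphore) -> bool:
    """One TCP connect attempt; True if the port completed the handshake."""
    async with sem:  # cap the number of in-flight connections
        try:
            _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
        except (OSError, asyncio.TimeoutError):
            return False
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass
        return True


async def _scan(hosts: list[str], port: int, concurrency: int, timeout: float) -> list[str]:
    sem = asyncio.Semaphore(concurrency)
    results = await asyncio.gather(*(_probe(h, port, timeout, sem) for h in hosts))
    return [h for h, ok in zip(hosts, results) if ok]


def scan_port(hosts: Iterable[str], port: int, concurrency: int = 256,
              timeout: float = 1.0) -> list[str]:
    """Return the hosts (in input order) that accepted a TCP connection on `port`."""
    return asyncio.run(_scan(list(hosts), port, concurrency, timeout))


if __name__ == "__main__":
    parts = partition_network("10.0.0.0/8", 32)
    print(f"{len(parts)} workers; worker 0 covers {parts[0]}")
    minutes = estimate_seconds(2 ** 24, 32, 100) / 60
    print(f"32 workers at 100 probes/s each: about {minutes:.0f} minutes for a /8")
    # Demo target is loopback only; scan nothing you are not authorised to scan.
    print("loopback hosts with port 22 open:", scan_port(["127.0.0.1"], 22))
```

With the answer's figures (2^24 hosts, 32 workers, 100 probes/s each) `estimate_seconds` gives 5,243 s, i.e. about 87 minutes, which is the "roughly 90 minutes" in the answer; the real limit is usually the network path and the per-probe timeout rather than the CPU.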
An IP address is nothing private. Nowadays it's possible to scan the entire IPv4 Internet within minutes. ZMap, for example, is a tool that can be used for such scans. Nmap can be used on IP addresses to scan for open ports or services, like SSH.
There are also online databases like Shodan with huge lists of devices and services on the internet.
I worked on an app that scanned a private network to create an inventory of devices. They wanted it expanded to scan an entire class B network at once. I was able to write a function to do it in a few minutes (5 if I recall correctly) by sending 10,000 "ping" packets at once and waiting for all the answers in parallel.
This involved a tuning factor because they were all on the same network and anything faster hit too many errors; also it was before NIO and Java had to sit on a thread for each outstanding packet--today on the internet you could probably do it much faster.
So 5 minutes * 255 (about a day) would be the time it took ME to scan a class A--so you could scan the entire internet every day with a tiny botnet of 255 computers using my 20-year-old code (each bot scanning a class A every day). Realistically, you could probably scan the entire IPv4 space from one computer in a day including multiple retries on misses with that same code.
However, scanning all 65k ports of every device would take ~65,535 times longer.
This happened to me 20 years ago--but I figured out that they were only scanning for an open SSH port (Maybe telnet/ftp too, but even then I knew not to put THOSE on the internet!). I moved the SSH port to a 5-digit port number and was never bothered again.
Also, disable your SSH password and always use your public/private key, it's easier for you to use and much harder for others to hack.
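The two changes this answer recommends (a non-default SSH port and key-only authentication), shown as an added `sshd_config` fragment; this is not configuration from the original answer. The port number 48022 is an arbitrary assumption. Note that moving the port only reduces the noise from scanners that probe port 22; a full-port scan (slower, as the answer says, but routine) still finds it, so the password-free part is the actual security control.

```sshd_config
# /etc/ssh/sshd_config (added example fragment, not from the original answer)

# Weak settings, as seen on many default installs:
#   Port 22
#   PasswordAuthentication yes
#   PermitRootLogin yes

# Hardened equivalent
# 48022 is an assumed value; any unprivileged port works. Open it in the host firewall
# first, and keep your current session open while you test the new one.
Port 48022

# Keys only. With both of these set to "no" there is no password prompt for a
# brute-forcer to attack, even if a user has a weak password.
PubkeyAuthentication yes
PasswordAuthentication no
# OpenSSH 8.7 and later; on older releases the option is ChallengeResponseAuthentication.
KbdInteractiveAuthentication no

# Root may still log in with a key, never with a password.
PermitRootLogin prohibit-password

# Drop clients that keep guessing even when a password path exists elsewhere.
MaxAuthTries 3
```

Before restarting the daemon, run `sshd -t` to syntax-check the file, then `sshd -T | grep -iE '^(port|passwordauthentication|kbdinteractiveauthentication|permitrootlogin) '` to confirm the effective values, and only then reconnect on the new port with your key from a second terminal.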