93

I've set up a site on Digital Ocean without a domain yet, so there is only the IP. Despite telling no-one of its existence or advertising it, I get hundreds of notices from fail2ban that various IP's are trying to hack my SSL port or are looking for PHP files.

But how do they know that I do exist? Where do they get the IP from?

Tomáš Zato
  • 1,236
  • 3
  • 11
  • 16
microwth
  • 2,141
  • 2
  • 15
  • 20
  • 153
    Welcome to the Internet! They do round the clock scans of the whole public IPv4 address space. Wouldn't call 'em kiddies though. – Deer Hunter Feb 12 '16 at 12:57
  • 8
    You'll notice this happen very fast, basically within minutes of going online. It only gets worse, especially if you're hosting a high value target. You can alleviate this to a degree by installing xtables geoip addons and using a negation match, allowing only specific countries (highest traffic comes from China, Brazil, Russia etc). Note that all this does though is cut down the bot traffic and cut down the work your CPU has to do banning these scans/automated attacks. This alone doesn't secure you at all. –  Feb 12 '16 at 13:50
  • 1
    @TechnikEmpire And not to mention those attackers can use a VPN that makes them appear to be coming from your host country. Doesn't stop VPNs. – Mark Buffalo Feb 12 '16 at 14:07
  • 1
    @MarkBuffalo indeed, it's just a way to save yourself some CPU time, nothing more. –  Feb 12 '16 at 15:44
  • 1
    Odd. I've had my locally hosted website online for around a month now (not constantly though, only while developing), and I have yet to have a single visitor. – Carcigenicate Feb 12 '16 at 16:54
  • 2
    @Carcigenicate Are you even reachable? That is, public ip, port forwarding etc.? – deviantfan Feb 12 '16 at 17:00
  • @deviantfan Yes. I can reach the site via computers external to my local network using our public IP. – Carcigenicate Feb 12 '16 at 17:02
  • 1
    @deviantfan Actually, I'm using a non-standard port, so that's probably why. – Carcigenicate Feb 12 '16 at 17:05
  • 9
    randint(1,255):randint(1:255):randint(1:255):randint(1:255) will hit you, eventually. – Davidmh Feb 13 '16 at 16:39
  • 2
    It is like asking, how did the postman find your house so he was able to throw the flyer in your mail box which he throw in every mailbox in your neighborhood. – Zaibis Feb 15 '16 at 15:40
  • 1
    I wouldn't be calling other people script kiddies without realising your IP address is public. FWIW I also got bit by this on DO. Disable password authentication via SSH and you'll be pretty much fine. – Dan Feb 16 '16 at 11:02
  • Your IP belonged probably to previously known website, so it is only new to your settings. – elsadek Jan 19 '19 at 08:44

6 Answers6

136

You can't hide your IP address on the internet. They aren't secret.

Pretty much what @DeerHunter said. It's trivial to scan the entire internet. If they want, they can target all-known digital ocean droplets that are online.

They can do this on a timer so that when you go offline, or online, it will just keep trying as those may be high-value targets that could become vulnerable at a moment's notice.

Let me give you a very rough coding example. Let's pretend your IP address is 104.16.25.255. Let's get the IP address of www.digitalocean.com so we can easily check for associated IP addresses. www.digitalocean.com returns 104.16.25.4. Let's scan everything: 104.16.25.*


Scanning is incredibly easy from a programming standpoint

Let's assume we want to try and find all nearby associated IP addreses. Assume programs can handle numbers and patterns very well. Here's an example of an integer being incremented:

i++;

This increments the current value of i by 1. Let's assume i starts off as 1. After i++, you'll get 2. Check out this painfully simple loop:

for (int i = 1; i < 256; i++)
{
    scanIpAddress("104.16.25." + i);
}

An alternative one-line bash variant would be as follows:

for ip in `seq 1 255`; do scan_thingy_command 192.168.0.$ip --options -oG lol.txt; done

You just scanned 104.16.25.1, and changed i from 0 to 1. As the whole loop continues, it will go from 104.16.25.0 to 104.16.25.255. I don't have time to scan and look right now, however, it's possible that this tiny block doesn't just belong to digitalocean.

To find more targets on DigitalOcean, a programmer may change the numbers even more. For example, introduce another loop that nests the aforementioned loop on the inside, and add j: scanIpAddress("104.16." + j + "." + i);. This will allow them to scan 104.16.1-255.1-255.

From there, they can keep going backwards and nesting for loops until they get the entire internet. There are other, more efficient ways to do this, such as masscan, but this is the most basic way.

Again, this could also be done on the command line with one line:

for oct1 in `seq 1 255`; do for oct2 in `seq 1 255`; do for oct3 in `seq 1 255`; do for oct4 in `seq 1 255`; do scan $oct1.$oct2.$oct3.$oct4 --stuff; done; done; done; done 

Other methods

The above example was a really rough example. They may be doing more, their code might be different, and they may be using entirely different methods and/or programs. However, the concept is pretty much the same.

It's also possible that the programs in question are just targeting everyone en masse.


So how can I hide my stuff online?

If it's online, whatever you are hiding, they will find it... or try to find it.

However, depending on your web server, you can try http access controls such as .htaccess. If you're using access controls - again, this depends on your web server - then it's likely that you'll be able to prevent others from viewing/accessing pages.

That won't protect you against non-website login attempts, though. And if you're denying them access to non-existent webpages, they now know you're really online, and can focus their attacks more easily! However, it's still good practice.

Here's an example .htaccess deny for Apache (2.4 and later):

Require ip 192.168.1.100

In the above example, you're denying everyone access to that folder, except your IP address. Keep in mind, 192.168.1.100 is a local IP address. You'll have to replace that with your public IP address.

Also, keep in mind that if your attacker is running a proxy/VPN on your machine, they can still access those pages. If your attacker already has access to the website, they can either edit the .htaccess or remove it. Nothing's 100%.

Just don't put anything online if you aren't ready to be scanned. Everyone has a plan until they get port-scanned in the mouth.

Mark Buffalo
  • 22,508
  • 8
  • 74
  • 91
  • 37
    @TechnikEmpire Buffalo overflow attack. – Mark Buffalo Feb 12 '16 at 14:01
  • 38
    @MarkBuffalo I thought the Buffalo Overflow Attack is "Buffalo buffalo buffalo Buffalo buffalo buffalo Buffalo buffalo buffalo buffalo buffalo Buffalo buffalo Buffalo buffalo buffalo Buffalo buffalo buffalo Buffalo buffalo buffalo buffalo buffalo Buffalo buffalo Buffalo buffalo buffalo Buffalo buffalo buffalo Buffalo buffalo buffalo buffalo buffalo Buffalo buffalo Buffalo buffalo buffalo Buffalo buffalo buffalo Buffalo buffalo buffalo Buffalo buffalo Buffalo buffalo Buffalo buffalo buffalo Buffalo buffalo buffalo Buffalo buffalo buffalo buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo." – corsiKa Feb 12 '16 at 17:13
  • 44
    @corsiKa Please take this off-topic discussion to BuffaloOverflow.stackexchange.com. – David Richerby Feb 12 '16 at 18:30
  • "how can I hide my stuff online?" I would add change default ports... "script kiddies" are looking for easy targets... 80/443/22/etc... if you aren't online yet, change it to 81/444/23/etc... or 55080/55443/55022/etc... or whatever... Don't rely on this to protect you, but it will mitigate a LARGE portion of the automated attacks - especially if you aren't online. Switch back when you are ready. – WernerCD Feb 12 '16 at 18:48
  • 7
    noone thought of 'Buffaloverflow'? edit: I have now secured trademark rights on that name. Pay up! – DrewJordan Feb 12 '16 at 19:54
  • 6
    To find all Digital Ocean IPs, you just need to check the AS number listings. You want to look at `AS14061 Digital Ocean, Inc.`. – Riking Feb 12 '16 at 22:58
  • 1
    Should you use: Require ip 192.168.1.100 In order to be compatible with Apache 2.4+ - so many times I've had to change those old clauses, my eyes are bleeding now! – karora Feb 13 '16 at 00:22
  • @karora Yeah, for apache 2.4 it's different. I was going to update it earlier, but didn't have time. Feel free to edit my post. – Mark Buffalo Feb 13 '16 at 00:35
  • @WernerCD Or even simpler. Don't send files to every computer that requests them. – PyRulez Feb 13 '16 at 00:55
  • 1
    fail2ban + suricata in IPS mode using iptables nfqueue + modsecurity2 + key based ssh with challenge + vsftpd w/ftps + maldet + webserver has read only permissions will get you started. –  Feb 13 '16 at 06:07
  • @DrewJordan Copy = Right :P – Alexey Vesnin Feb 14 '16 at 02:26
  • You can hide your stuff online by using only a static IPv6 address that is not attached to a public DNS record. – Alexander Feb 14 '16 at 19:09
  • I do quite well in practice protecting my admin area with `Allow from 20.16 # my workplace range Allow from 160.88 # my home range`. Even if you add 3rd and 4th for your mobile and your favorite coffee place, you still lock out 99% of IPs... (of course, if you are an avid traveller, chances are, you hinder yourself... and of course, no substitute for additional measures.) –  Feb 15 '16 at 08:59
  • Listenin' to the Beatles be like: "Hey, Buffalo Bill. What did you kill? Buffalo Bill." – Mateen Ulhaq Feb 15 '16 at 20:27
58

The IPv4 address space is limited to only 4,294,967,296 addresses.[note 1] Given enough bandwidth, it becomes trivial to scan every single IP address out there, especially if you're the owner of a botnet consisting of thousands of hacked devices.

With IPv6[note 2], things are a bit more tricky: with over 300,000,000,000,000,000,000,000,000,000,000,000,000 addresses, it becomes impractical to enumerate them all. However, there are still various means by which the addresses can be discovered; for example, in a recent case Internet-of-Things search engine Shodan was caught using NTP servers to discover new IPv6 hosts when they synchronized their clocks.

The gist of this: if you're not ready to be probed, you shouldn't be on the internet. Scanning the entire IPv4 internet can be done in a matter of days, and your IPv6 address will get discovered as well – unless you are not using it at all.

Note 1: Some of these are not available because they have been reserved for special purposes.
Note 2: IPv6 is only available for Digital Ocean users when they have enabled it.

user2428118
  • 2,788
  • 16
  • 23
  • 38
    +1 for "*if you're not ready to be probed, you shouldn't be on the internet*' – Lilienthal Feb 12 '16 at 17:17
  • "Scanning the entire IPv4 internet can be done in a matter of minutes"? How? With an address space of 4 billion, (and yes, some of that range is reserved for private network use, but most of it isn't,) and even the best network requests taking around 5 milliseconds to complete, some back-of-the-napkin math indicates that scanning the entire IP range would take a single computer, doing one request at a time, well over 200 days. You would need a *massive* server farm, well beyond the resources of your typical script kiddie, to parallelize that enough to get it down to "a few minutes". – Mason Wheeler Feb 12 '16 at 21:34
  • 1
    @Mason Yes, I should probably clarify that you'll need a lot of bandwidth for your servers (or a [really big botnet](https://www.abuse.ch/?p=3294)) for that. **Edit:** changed it to "days" and added a link to an example to the post. – user2428118 Feb 12 '16 at 22:00
  • 1
    technically you could just rent a huge rig for scanning for the day. – Oscalation Feb 13 '16 at 03:52
  • 6
    @MasonWheeler waitaminute, that 200 days is if you did each request in serial, which is kinda nuts. Simply using background processes or something, I'd think you can do at least 200 requests simultaneously without much degradation in latency, so a complete ipv4 scan would take 1 computer 1 day, not 200 days. And maybe a lot better than that even, not sure about exact numbers at the moment. – Don Hatch Feb 13 '16 at 04:53
  • 2
    @MasonWheeler It is not hard to get yourself a server with 1Gbit/s of connectivity. Most network paths have a PMTU of 1500 bytes or a little less than that. In order to be able to use the bandwidth it means the equipment must be able to handle at least 83333 packets per second. There are about 3700 million global unicast addresses in IPv4. Sending one packet to each of them at that speed takes 12 hours and 20 minutes. – kasperd Feb 13 '16 at 11:21
  • @MasonWheeler Have you not heard of masscan? https://github.com/robertdavidgraham/masscan –  Feb 15 '16 at 01:25
  • @TerryChia Admittedly no, I haven't. Just looked at it, though, and it says that to get the ultra-fast scanning you need 10 Gbps of bandwidth, which nobody actually has. That's 10x faster than even Google Fiber! – Mason Wheeler Feb 15 '16 at 08:47
  • @MasonWheeler Again, no. The docs say you need 10Gbps to get beyond 2mil packets/sec. You requires way less than that to scan the entire IPv4 address space in less than 200 days. –  Feb 15 '16 at 08:50
  • @MasonWheeler "You would need a massive server farm, well beyond the resources of your typical script kiddie" - that's what the cloud is for: you can rent 4000 servers for an hour for less than $30 on DigitalOcean. – André Paramés Feb 16 '16 at 10:46
  • 1
    It takes 45 minutes to scan the internet on a gigapit port with masscan and the dna drivers. This is trivial. – dreadiscool Feb 17 '16 at 03:24
26

But how do they know that I do exist?

They don't know that you exist. They don't know they're talking to you: they just know they're talking to a computer with a particular IP address. IP addresses are a lot like phone numbers. If you dial a legitimate area code followed by a random number with the right number of digits, there's a decent chance you'll get to speak to somebody, especially if the area code has many subscribers. That doesn't mean you "knew that person exists": it just means that you found out that their phone number is connected.

Where do they get the IP from?

They don't get it from anywhere. It's just a 32-bit number and there aren't really so many of those. 134.183.96.2 there, that's an IP address. I got it by mashing my keyboard (and deleting invalid digits). It probably belongs to somebody because almost all IP addresses do. The bad guys just systematically scan the address space; they'll find any IP address because "finding" just means "generating enough valid numbers".

David Richerby
  • 1,636
  • 12
  • 13
2

But how do they know that I do exist?

They know that something exists on that IP address because their scanner is telling them so. Most likely they didn't come looking for you, they just stumbled across that IP address by scanning large chunks, or the entire internet.

http://blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html

grg
  • 155
  • 1
  • 1
  • 8
Oscalation
  • 322
  • 2
  • 10
2
  1. IP addresses are finite.
  2. IP addresses are assigned in blocks.

So you can scan all IPs from your home PC in about a year, although your ISP might notice and ask you what you're trying to pull. Some blocks are more likely to contain poorly protected servers, specifically the blocks assigned to hosting providers. Scanning only these blocks is very cheap, fast, and easy, and the likelihood of success is comparatively high.

Scanning from a single IP is problematic, because your IP will get blocked soon, so these people use botnets, or the commercial equivalent: cloud services. You don't need to build your own botnet. Instead you can rent a botnet.

Peter
  • 3,620
  • 3
  • 14
  • 24
  • 1
    Many security experts simply ignore all the scans as " background noise," so it won't necessarily get them blocked. – Mark Buffalo Feb 14 '16 at 14:14
1

Most likely they don't know that the given IP belongs to you in particular. But they do know the IP pool which belongs to your hosting company and they use that information to scan for active hosts. You can use iptables to improve the security of your box, or to limit the number of connection and connections types but other than that there is nothing else you can do. The internet was meant to be used to share information. If you don't want to share just disconnect the box (development box). If it is a development box it would be a good idea to move it locally and provide no access to it outside of your LAN.

  • They almost certainly _don't_ know that the block of addresses belongs to anyone in particular, because that information is almost certainly of no use to them. It's most likely not a targeted attack. – David Richerby Nov 20 '16 at 11:13
  • An attack is always targeted. The only question is towards who or what. –  Nov 21 '16 at 11:34