SSH brute-force telemetry

Spin up a fresh server, open port 22 to the internet, and within minutes a stranger is trying to log in as root. Not because anyone has heard of you — they haven’t. There are simply thousands of bots cycling through public IPv4 around the clock, hammering common credentials at every port 22 that responds. SSH was released in 1995. It's been like this from roughly the start.

What you see below is the view from one IPv4 address out of four billion. Nothing about it is special — never advertised, never linked from this site, never given a hostname worth typing. The bots found it anyway. That's the job. Behind the port is a sandboxed container pretending to be sshd long enough to log every attempt — source IP, credentials, timestamp. Nobody's logging in. The map plots the last 1000 intruders hammering on that single address, geolocated to the city they route from (otherwise it would render as a single navy planet). Bigger dots tried more passwords. Red ones tried a lot more.

On a typical day the honeypot logs tens of thousands of attempts — about one every couple of seconds. The bots don't sleep. Most of the volume comes from a small number of patient sources cycling through their wordlists. A fresh IP shows up, tries a few hundred passwords over a few hours, gives up. The next compromised host takes over.
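As an added example (not the honeypot's own code), the sketch below measures that concentration from a log of source IP, credentials and timestamp: attempts and distinct credential pairs per source, how long each source stayed active, and the share of volume from the busiest sources. The JSON-lines format, the field names `ts`, `src`, `user` and `password`, and the function names are assumptions; the records are constructed and use documentation address ranges.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records; the field names (ts, src, user, password) are
# an assumed log format, not the honeypot's real one.
SAMPLE_LOG = """\
{"ts": "2024-05-01T00:00:02+00:00", "src": "192.0.2.10", "user": "root", "password": "123456"}
{"ts": "2024-05-01T00:00:04+00:00", "src": "192.0.2.10", "user": "root", "password": "admin"}
{"ts": "2024-05-01T00:00:05+00:00", "src": "198.51.100.7", "user": "pi", "password": "raspberry"}
not-json garbage from a truncated write
{"ts": "2024-05-01T01:30:00+00:00", "src": "192.0.2.10", "user": "admin", "password": "admin"}
{"ts": "2024-05-01T02:00:02+00:00", "src": "192.0.2.10", "user": "root", "password": "123456"}
{"ts": "2024-05-01T02:10:00+00:00", "src": "203.0.113.44", "user": "ubuntu", "password": "ubuntu"}
"""

def summarize(lines):
    """Per-source attempt count, distinct credential pairs, and active span."""
    stats = defaultdict(lambda: {"attempts": 0, "creds": set(), "first": None, "last": None})
    for line in lines:
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
            src, cred = rec["src"], (rec["user"], rec["password"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
        s = stats[src]
        s["attempts"] += 1
        s["creds"].add(cred)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def top_share(stats, n):
    """Fraction of all attempts made by the n busiest sources."""
    counts = sorted((s["attempts"] for s in stats.values()), reverse=True)
    total = sum(counts)
    return sum(counts[:n]) / total if total else 0.0

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for src, s in sorted(stats.items(), key=lambda kv: -kv[1]["attempts"]):
        span = s["last"] - s["first"]
        print(f"{src:15} attempts={s['attempts']} distinct_creds={len(s['creds'])} active={span}")
    print(f"top-1 share of volume: {top_share(stats, 1):.0%}")
```

A source whose distinct credential count keeps climbing over hours is the wordlist-cycling pattern described above; repeated retries of the same pair inflate attempts but not distinct credentials.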


The data refreshes at most once every 3 minutes.

How they find new hosts

“Scanning the entire IPv4 internet” sounds dramatic and gets the press, but it's rarely the primary signal. Cheaper, fresher hostlists are already public:

  • Certificate Transparency logs. Every publicly trusted TLS certificate is published. The moment you ask Let’s Encrypt for something.yourdomain.com, that hostname shows up in crt.sh within seconds and the rest of the firehose subscribers know you exist. If a brand-new subdomain starts getting probed before you've even finished setting it up, this is why.
  • BGP route collectors. RIPE RIS, RouteViews, and friends record everyone’s routing announcements. Announce a new prefix and everyone knows within seconds.
  • Domain registrations. Newly-registered names get pulled out of zone files and probed within hours. Reliably faster than DNS propagation in some places.

Compared to that, scanning the whole internet is overkill. The hostlists are already published — the bots are just reading them.

About the geolocation

Every dot is one source IP, placed at the city the IP database thinks it lives in. Geolocation is best-effort. It's stitched from registry data, BGP announcements, ASN ownership, and educated guessing. The data here comes from ipinfo.io — the least wrong of the aggregators I've tried.

What ipinfo.io can't tell you (and neither can anyone else):

  • whether the human running the attack is anywhere near where the packets come from. Usually not.
  • whether the IP is a person, a compromised home router, a cloud instance, or a VPN exit — on the map they all look the same.
  • whether the city pin is correct. A lot of IPs fall back to a country centroid — that's why so many maps pile activity dead-center in Russia or the US.

What it does nail down: ASN, country, rough region. Enough to draw a broadly-true map, not enough to trust the city pin. A lot of these IPs are themselves compromised — home routers, cheap IoT cameras, abandoned cloud instances — rented out by whoever's running the actual cycling. Each dot is usually a victim with an open door, not the person at the keyboard.

Reported upstream

Every source IP gets reported to AbuseIPDB — the public blacklist hosters and sysadmins check before deciding whether a connection is worth answering. The more independent contributors flag the same IP, the faster a compromised box gets de-routed from polite networks. If you run a server with logs full of similar noise, contribute. The feed is only as good as the people feeding it.


About the lively version

This used to be its own website with a real domain — animated dots in real time, lava-lamp vibes, a good tab to leave open during boring meetings. It didn't quite earn the domain. So it's this static map now.