SSH brute-force telemetry

Spin up a fresh server, open port 22 to the internet, and within minutes a stranger is trying to log in as root. Not because anyone has heard of you — they haven’t. There are simply thousands of bots cycling through public IPv4 around the clock, hammering common credentials at every port 22 that responds. SSH was released in 1995. It has been like this approximately the whole time.

What you see below is the view from my honeypot: a sandboxed container listening on port 22, isolated from anything I actually care about. It imitates sshd just convincingly enough to log every connection attempt with its source IP, the credentials offered, and a timestamp. Nobody actually logs in, and a bot that thinks it did finds nothing behind the prompt. The map plots the last 1000 intruders geolocated to the city they route from (all of them at once would render as a single navy planet). Larger dots had the patience to try more passwords than smaller ones; the red ones tried quite a lot more.

On a typical day the honeypot logs tens of thousands of login attempts — roughly one every couple of seconds while the bots are awake, which is to say always. The bulk of that volume comes from a small number of patient sources cycling through their wordlists: a fresh IP usually shows up, tries some hundreds of passwords over a few hours, gives up when nothing works, and quietly hands off to the next compromised host on the rota.


[Live counters: unique sources, total attempts, countries represented, most recent attempt. Data refreshes at most once every 3 minutes.]
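What the counters above compute, as an added example that is not the honeypot's own code: it parses a few constructed log lines (the JSON-lines layout, the field names and the RFC 5737 addresses are assumptions), aggregates per source IP the way the dots do, and buckets sources by patience with thresholds that are my guess rather than the map's real cut-offs.

```python
"""Per-source aggregation of SSH honeypot login attempts (added example)."""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in JSON-lines form. The honeypot records the same three
# things the text names (timestamp, source IP, credentials); these field names,
# and the addresses (RFC 5737 documentation ranges), are assumptions for the example.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "src": "203.0.113.7", "user": "root", "pass": "123456"}
{"ts": "2024-05-01T10:00:02Z", "src": "203.0.113.7", "user": "root", "pass": "password"}
{"ts": "2024-05-01T10:00:04Z", "src": "203.0.113.7", "user": "admin", "pass": "admin"}
{"ts": "2024-05-01T10:03:10Z", "src": "198.51.100.23", "user": "root", "pass": "123456"}
{"ts": "2024-05-01T13:40:00Z", "src": "203.0.113.7", "user": "root", "pass": "toor"}
{"ts": "2024-05-01T13:41:00Z", "src": "192.0.2.99", "user": "ubuntu", "pass": "ubuntu"}
"""

# Dot-size cut-offs are chosen for this example, not the map's real thresholds.
DOT_THRESHOLDS = (("red", 500), ("large", 50), ("small", 0))


def parse_log(text):
    """Parse JSON lines into records with timezone-aware timestamps; skips blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def summarize_sources(records):
    """Attempts, active window and credential variety for each source IP."""
    per_ip = defaultdict(lambda: {"attempts": 0, "first": None, "last": None,
                                  "users": set(), "passwords": set()})
    for rec in records:
        s = per_ip[rec["src"]]
        s["attempts"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        s["users"].add(rec["user"])
        s["passwords"].add(rec["pass"])
    for s in per_ip.values():
        s["duration_s"] = int((s["last"] - s["first"]).total_seconds())
    return dict(per_ip)


def dot_class(attempts):
    """Bucket a source by patience, the way the map sizes its dots."""
    for name, threshold in DOT_THRESHOLDS:
        if attempts >= threshold:
            return name
    return "small"


def overall_stats(records):
    """The headline counters: unique sources, total attempts, most recent attempt."""
    return {"unique_sources": len({r["src"] for r in records}),
            "total_attempts": len(records),
            "most_recent": max(r["ts"] for r in records)}


def concentration(per_ip, k=1):
    """Share of all attempts coming from the k busiest sources."""
    counts = sorted((s["attempts"] for s in per_ip.values()), reverse=True)
    return sum(counts[:k]) / sum(counts)


def top_credentials(records, n=3):
    """Most frequently tried (username, password) pairs."""
    return Counter((r["user"], r["pass"]) for r in records).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(overall_stats(recs))
    per_ip = summarize_sources(recs)
    for ip, s in sorted(per_ip.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{ip:16} {s['attempts']:4} attempts over {s['duration_s']:6}s "
              f"({len(s['passwords'])} distinct passwords) -> {dot_class(s['attempts'])}")
    print(f"top source share: {concentration(per_ip):.0%}")
    print(top_credentials(recs))
```

The concentration figure is the one worth watching on a real log: when a handful of sources account for most of the volume, the interesting signal is the small remainder, not the patient wordlist runners.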

How they find new hosts

“Scanning the entire IPv4 internet” sounds dramatic and gets the press, but for a named host it is rarely the first signal. There are cheaper and fresher hostlists already lying around for anyone who knows where to look:

  • Certificate Transparency logs. Every publicly trusted TLS certificate is published: the CA submits a precertificate to the logs before it even issues the final certificate, so the moment you ask Let’s Encrypt for something.yourdomain.com, that hostname is in the logs and, within minutes, in crt.sh and every other monitor subscribed to the firehose. If a brand-new subdomain starts getting probed before you have even finished setting it up, this is why. Getting a TLS certificate is roughly the modern equivalent of putting up a neon sign. The one partial exception is a wildcard certificate: *.yourdomain.com tells the world the zone exists but not which names live under it.
  • BGP route collectors. RIPE RIS, RouteViews, and friends record everyone’s routing announcements. Light up a new prefix and the rest of the planet learns about it within seconds. That is a prefix, not a host, but it tells a scanner exactly where to look, and probing a single new /24 on port 22 takes moments.
  • Domain registrations. Newly registered names are pulled out of the TLD zone files, which the registries publish daily, and probed within hours, often before the name has finished propagating to resolvers.

Compared to that, scanning the whole internet is overkill for finding named hosts: the hostlists are already published and the bots are just reading them. A bare IP with no certificate, no new prefix and no domain still gets found, of course, which is how a fresh server with nothing pointing at it sees its first root attempt within minutes; a single machine can sweep every IPv4 address on one port in about an hour on an ordinary gigabit link, so in practice the two methods run side by side.
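How a monitor pulls hostnames out of the CT firehose, as an added example rather than anything this page's own tooling does: it parses the JSON that crt.sh serves for a `?q=%.example.com&output=json` query (the sample rows are constructed; the live fetch function is included but not exercised offline), separates concrete names from wildcards, and lists the names you did not expect to be public. example.com and its subdomains are placeholders.

```python
"""Extract hostnames that Certificate Transparency has made public (added example)."""
import json
import urllib.parse
import urllib.request

# Constructed sample in the shape crt.sh returns for ?output=json: one row per logged
# (pre)certificate, with every SAN joined by newlines in "name_value". All values are made up;
# rows 2 and 3 are the precertificate/certificate pair a single issuance produces.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "entry_timestamp": "2024-04-02T08:00:05", "not_before": "2024-04-02T07:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.com\nwww.example.com"},
    {"id": 2, "entry_timestamp": "2024-05-01T09:58:40", "not_before": "2024-05-01T08:58:40",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "new-box.example.com"},
    {"id": 3, "entry_timestamp": "2024-05-01T09:58:41", "not_before": "2024-05-01T08:58:40",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "new-box.example.com"},
    {"id": 4, "entry_timestamp": "2024-03-10T12:00:00", "not_before": "2024-03-10T11:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.example.com"},
])


def crtsh_url(domain):
    """crt.sh accepts SQL-style wildcards in q=; %.example.com matches every name under it."""
    return "https://crt.sh/?" + urllib.parse.urlencode({"q": "%." + domain, "output": "json"})


def fetch_crtsh(domain, timeout=30):
    """Live lookup (not exercised offline). Returns the raw JSON text."""
    req = urllib.request.Request(crtsh_url(domain), headers={"User-Agent": "ct-hostnames-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def hostnames_from_crtsh(raw_json, domain):
    """Split logged names into concrete hostnames and wildcard entries under `domain`."""
    concrete, wildcards = set(), set()
    for row in json.loads(raw_json):
        for name in row["name_value"].split("\n"):
            name = name.strip().lower()
            if not name or not (name == domain or name.endswith("." + domain)):
                continue
            (wildcards if name.startswith("*.") else concrete).add(name)
    return concrete, wildcards


def first_seen(raw_json):
    """Earliest log entry timestamp per name: when the world could first have learned of it."""
    seen = {}
    for row in json.loads(raw_json):
        ts = row["entry_timestamp"]
        for name in row["name_value"].split("\n"):
            name = name.strip().lower()
            if name and (name not in seen or ts < seen[name]):
                seen[name] = ts
    return seen


def unexpected_hostnames(raw_json, domain, known):
    """Concrete names CT exposes that are missing from your own inventory."""
    concrete, _ = hostnames_from_crtsh(raw_json, domain)
    return concrete - set(known)


if __name__ == "__main__":
    concrete, wildcards = hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("public names:", sorted(concrete))
    print("wildcards (hide the names beneath them):", sorted(wildcards))
    print("not in inventory:", unexpected_hostnames(
        SAMPLE_CRTSH_JSON, "example.com", {"example.com", "www.example.com"}))
    print("first logged:", first_seen(SAMPLE_CRTSH_JSON)["new-box.example.com"])
```

Swap `SAMPLE_CRTSH_JSON` for `fetch_crtsh("yourdomain.com")` and compare the result with your own inventory; every concrete name in the difference is a host a scanner could have been probing since its `first_seen` timestamp.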

About the geolocation

Every dot on the map is one source IP placed at the city the geolocation database thinks it lives in. Geolocation, for all the confident maps it lets you draw, is best-effort by nature: it is stitched together from public registry assignments, BGP announcements, ASN ownership, and a fair amount of educated guessing. The geo data on this page comes from ipinfo.io, which I have found to be the least-wrong aggregator of those signals among the ones I have tried.

Things ipinfo.io cannot reliably tell anyone (and neither can anyone else):

  • whether a human running the attack is anywhere near where the packets come from — usually they are not;
  • whether the IP belongs to a person, a botnet-recruited home router, a hosted cloud instance, or a VPN exit — on the map they all look the same;
  • whether the resolution is correct down to the city; many IPs fall back to a country centroid, which is why some maps show a suspicious pile of activity in the geographic middle of Russia or the United States. The tell is many sources from unrelated networks sharing one exact coordinate.

What the data can usually nail down is the ASN, the country, and a rough region. That is enough for a map that is broadly true and a healthy amount of skepticism for everything more specific. A meaningful share of these IPs are themselves compromised — home routers, cheap IoT cameras, abandoned cloud instances — rented out to whoever is running the actual cycling, so each dot tends to identify a victim with an open door more than it identifies a culprit.

Reported upstream

Every source IP that hits the honeypot is reported to AbuseIPDB, the public blocklist that hosters, mail servers, and bored sysadmins consult before deciding whether an incoming connection is worth answering. The more independent contributors flag the same IP, the faster a newly compromised box gets noticed and quietly blocked by the networks that consult the list. If you run a server and have logs full of similar noise, it is worth contributing too; the feed is only as fresh as the people feeding it. Two habits keep the reports useful: report only what you would stand behind (a honeypot hit is unambiguous, a single failed login from a colleague is not), and never submit addresses from your own ranges or from private space.
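A reporter with those checks built in, as an added example and not the page's own submission script: it uses the public AbuseIPDB v2 report endpoint (form-encoded POST with the key in the `Key` header, categories 18 for Brute-Force and 22 for SSH), suppresses repeat reports of one IP inside the 15-minute window AbuseIPDB enforces, and refuses private and own-range addresses. The sample IPs are RFC 5737 documentation addresses and the own range is a placeholder; the stand-alone run prints instead of posting.

```python
"""Submitting honeypot sources to AbuseIPDB with the checks that keep reports clean (added example)."""
import ipaddress
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

API_URL = "https://api.abuseipdb.com/api/v2/report"
# AbuseIPDB category IDs that fit what an SSH honeypot sees: 18 = Brute-Force, 22 = SSH.
CATEGORIES = "18,22"
# AbuseIPDB rejects a repeat report of the same IP from the same account within 15 minutes.
MIN_INTERVAL = timedelta(minutes=15)
# Never report these, whatever the honeypot logs. (ipaddress's is_global would cover this more
# completely, but it also excludes the RFC 5737 documentation addresses used in this example.)
NEVER_REPORT = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10")]


def parse_ts(text):
    """ISO 8601 timestamp with offset -> aware datetime (handy for driving the clock in tests)."""
    return datetime.fromisoformat(text)


def build_report(ip, username, when):
    """Form fields for POST /api/v2/report. The comment is public: no own hostnames or IPs in it."""
    return {"ip": ip, "categories": CATEGORIES,
            "comment": f"SSH brute force against honeypot, username {username!r} at {when.isoformat()}"}


def http_sender(api_key):
    """Real transport: form-encoded POST with the API key in the Key header."""
    def send(payload):
        req = urllib.request.Request(
            API_URL, data=urllib.parse.urlencode(payload).encode(),
            headers={"Key": api_key, "Accept": "application/json"}, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return send


class Reporter:
    """Dedupes per IP on the 15-minute window and refuses non-routable or own addresses."""

    def __init__(self, sender, own_ranges=(), now=None):
        self.sender = sender                      # callable taking the payload dict
        self.own_ranges = [ipaddress.ip_network(n) for n in own_ranges]
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.last_reported = {}

    def reportable(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NEVER_REPORT + self.own_ranges):
            return False
        last = self.last_reported.get(ip)
        return last is None or self.now() - last >= MIN_INTERVAL

    def submit(self, ip, username):
        """Send one report; returns the payload sent, or None if suppressed."""
        if not self.reportable(ip):
            return None
        payload = build_report(ip, username, self.now())
        self.sender(payload)
        self.last_reported[ip] = self.now()
        return payload


if __name__ == "__main__":
    # Dry run: print instead of posting. Swap in http_sender("YOUR-API-KEY") to go live.
    reporter = Reporter(sender=print, own_ranges=["192.0.2.0/24"])
    reporter.submit("203.0.113.7", "root")    # reported
    reporter.submit("203.0.113.7", "admin")   # suppressed: same IP inside 15 minutes
    reporter.submit("10.0.0.5", "root")       # suppressed: private space
    reporter.submit("192.0.2.9", "root")      # suppressed: own range
```

Keep `last_reported` somewhere persistent if the honeypot restarts often; otherwise a restart inside the window produces a burst of rejected duplicates and, on a busy day, eats into the daily report quota.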

AbuseIPDB Contributor Badge

About the lively version

This used to be its own little website with an actual domain — animated dots arriving in real time, a lava-lamp aesthetic, a satisfying way to leave a tab open during boring meetings. I eventually decided it did not quite earn a dedicated site of its own, so now it is this one static map and a few paragraphs that get the same point across.