
I don't really understand this metric at all. I've heard it colloquially, but I highly doubt anyone was scanning IP address ranges so often that you could be passively attacked on the internet without any interaction by two minutes in. Even more so, people are often behind NAT, which acts as a good firewall on its own.

Maybe it's related to browsing habits? IE? I mean, you aren't going to get hit by a drive-by attack on any major websites -- even in the heyday of malicious advertisements.

So, what I'm really asking is: where did this metric come from, and why does it get spread so often?




> I've heard it colloquially, but I highly doubt anyone was scanning IP address ranges so often that you could be passively attacked on the internet without any interaction by two minutes in.

I witnessed this myself back in the day. I was probably about 14 at the time, had just freshly reinstalled a machine, installed AV (from a CD, hah) and connected it to the internet for the first time via PPPoE DSL. Within minutes I had AV popups from having been hit by Blaster before I could even update Windows. In that day, few people had routers or WiFi; many, my family included, just had a single machine connected to a modem directly and so had no NAT.

It was never individual attackers - it was worms running on other systems that had reached critical mass and were just hitting random IPs on the internet with the exploit in an attempt to infect more systems.

You're extremely unlikely to see something this bad with a modern OS - most of the time you're behind a NAT, provided by your router or your mobile provider, which effectively blocks inbound connections. There are also exploit mitigations like NX and ASLR, which are pretty much how the Stagefright bug didn't turn into a nice new MMS worm - it just sounded scary, but over a year later we've not seen any major attacks from it.

If you plug directly into the internet or DMZ your machine, you'll still see this type of stuff. I've heard it called "internet background radiation" - old worms out scanning for possible targets to this day.


It may sound crazy, but I did suffer from it myself. My Windows XP installation was guaranteed to be infected by the worm, because like you said, without any interaction (I didn't even open up the browser, to make sure I was not crazy), the Blaster worm was often sent from somewhere on the Internet during the installation procedure. Even if it wasn't, there was not enough time for me to run Windows Update before my computer was infected, because the infamous "your computer should restart now" message always displayed several minutes after the installation was done. So back in the days, I always made sure to turn off the DMZ before reinstalling Windows XP.

You could check how frequent the attacks were by yourself. I was using a custom firewall software, called ZoneAlarm, to see how many attacks I was receiving in a day. The log said literally every few minutes, the infectious Blaster worm packet was received. It was like how frequent your SSH server is attacked with random passwords - you can see this from the SSH server log too.


> So back in the days, I always made sure to turn off the DMZ before reinstalling Windows XP.

Why did you turn it on in the first place?


Some people are too lazy to individually forward ports (I am guilty of this in the past myself)


Dial-up and early high-speed internet both gave you a public IP address. The expectation that you will have multiple internet devices behind a NAT is more recent. And yes, I dealt with an XP box that would get compromised before you could download the update.

Windows even included a utility to let people use it as a router on home networks to "share internet connections". https://support.microsoft.com/en-us/help/310563/description-...


They still give you public IPs, no? I get that at least on my fiber connection. It's even permanent.


The router has 1 public IP, but your PC/iPad etc are all behind NAT.


Ah you cute youngling.

https://en.wikipedia.org/wiki/Blaster_(computer_worm)

At the peak couple of months your computer would BSOD _during_ the installation process, right after initializing the network interface and RPC service.


There are others posting here but dropped in to also confirm that I firsthand witnessed this.

I had a single device and had to do a fresh install from factory settings. This meant I had about 30 mins before my 500kbps connection would grind to a crippling halt from all the accumulated malware.

This meant I had to incrementally procure protection, save it, then fresh install and repeat until I could access the Internet safely.

I don't miss those days.


I remember when this was happening: https://en.wikipedia.org/wiki/Blaster_(computer_worm)


It may sound crazy, but I've heard of honey pots getting attacked in minutes many times.

Two minutes is probably too short, but an hour? Maybe not.


Same thing applies today. Just fire up a DO instance and tail -f access.log

You will see random scanning attempts within minutes. Same principle, minus the effectiveness.


On my custom blog running on ASP.Net/Azure, I constantly see people trying to hammer WordPress admin urls.
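An added example, not part of any comment in this thread: one way to quantify the background scanning the two comments above describe, by counting requests for WordPress-only paths in a web access log and measuring how long after the first logged request the first probe arrived. The log lines are constructed samples using documentation IP ranges, and the function name `summarize_probes` and the three probed paths are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2017:12:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Mar/2017:12:03:41 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Mar/2017:12:03:42 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.19 - - [10/Mar/2017:12:09:13 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "-"
198.51.100.7 - - [10/Mar/2017:12:10:00 +0000] "GET /blog/post-1 HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
192.0.2.19 - - [10/Mar/2017:12:11:30 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "-"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Paths that only exist on a WordPress install; on any other site a hit is a probe.
WP_PROBE_RE = re.compile(r'^/(wp-login\.php|wp-admin(/|$)|xmlrpc\.php)', re.I)

def summarize_probes(log_text):
    """Return (probe hits per source IP, seconds from first request to first probe)."""
    per_ip = Counter()
    first_seen = first_probe = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing on them
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        first_seen = first_seen or ts
        if WP_PROBE_RE.match(m["path"]):
            per_ip[m["ip"]] += 1
            first_probe = first_probe or ts
    delay = (first_probe - first_seen).total_seconds() if first_probe else None
    return per_ip, delay

if __name__ == "__main__":
    hits, delay = summarize_probes(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}\t{n} WordPress probe(s)")
    print(f"first probe {delay:.0f}s after first logged request")
```
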


I worked at Microsoft as a contractor for a year during the Windows XP Service Pack 2 days. Blaster was so bad that even bringing up a new machine at Microsoft, you had to install patches from a CD that was passed around our team. If you installed Windows while connected to the corporate network, you would see errors start to happen a few seconds after the network interface came online.


I also had this happen 'live'. One of the major problems, as I recall, was that Windows XP (and earlier) had the bad habit of enabling a ton of internet-facing services by default, and these services contained lots of vulnerabilities, so you didn't even have to manually 'go online' using a browser or some such in order to be infected.


> people are often behind NAT

Today, yes. But back in those days? I'm not so sure. IIRC, almost everyone had a public IP.


Because it was real? It was infected computers scanning, not people. Once infected you joined the group scanning random IPs and it grew like you would expect it to.

At the peak it got so bad that ISPs were blocking affected ports on all consumer connections just to save bandwidth.


This happened to me. I left a new XP plugged in, behind a NAT, and first thing in the morning I had a virus.


People in this thread don't remember the NET SEND spam from Windows Messenger. (Which was a system service and had absolutely nothing to do with MSN Messenger)

You could basically do "NET SEND 12.34.56.78 my spam message" and it would appear on the screen of your victim.

http://blogopod.com/image/2008/net-send-spam-big.gif


Actually I liked that feature. We used to chat with each other using it when I was in school. It was definitely a right choice for Microsoft to disable the Messenger service, but I was a bit sad when it actually happened.


You can still do that using msg.exe



