djkurlander's comments

Thanks. I'd like to better understand the origin of DO's bot activity, and look forward to your report!

It has been 24 hours since this post went up, so here are some fun stats.

During this time, there were 13,024 knocks on the server from 368 unique IPs. That's ~35 knocks per bot.

During this time, thanks to Hacker News, there were 23,556 visits to knock-knock.net by 15,946 humans. That's ~1.5 visits per human.

So in the last 24 hours, we actually had nearly twice as many human visits as bot visits, and 368 bots put on a show for 16,000 humans!


Ah, that makes sense. I’ve been wondering why DigitalOcean has so much of the bot traffic.

Thanks for pointing that out. T-Pot is cool and a more general honeypot framework. Potentially I could have built knock-knock.net on top of T-Pot.

Fail2ban would cut down on the noise quite a bit. I’ve installed it on other servers and have recommended it to others. But then we wouldn’t have all of this beautiful bot traffic to visualize.

My understanding is that they are a more general-purpose data collection and visualization framework. Potentially you could build something like this with that software, but they do not have knock-knock.net’s functionality built in.

Sadly? Intentionally! The IP is hiding behind Cloudflare mainly to make it much harder for the bots to figure it out. Blocking you from messing with the stats is just icing on the cake. :-)

I don't think hosting the site behind Cloudflare will affect the number of SSH brute-force attempts; these bots are just brute-forcing the entire IPv4 space, aren't they?

Exactly right. I just didn’t want the bad actors to know my own IPv4 address so that they might try to cause havoc or treat my site differently.

Roger.

And cool project btw.


!!!

Good luck trying to log in via port 22. The real ssh port is located elsewhere and doesn't accept passwords. :-)


…but if it did accept a password it would be 12345.

Some of the passwords definitely come from leaks, but adding 123 or 2026! to the end of a frequent username is a surprisingly common pattern. Lots of suffix variants: 123!, 2025, 2025!, @2025, @123, etc. In fact, the Trivia pane of knock-knock.net points out when the password is just the username plus a suffix.

I'm reporting the bots that have visited to AbuseIPDB once per day, but yeah, there should be a free alternative. You aren’t the first person to have asked for this.

It would be trivial to write out a file that people can grab for free. What do you think would make the most sense? Plain text file, one IP per line, of offending IPs within the last month? Or year? Or a .csv with the dates included? Generally I’m a big fan of simplicity.


Plain text file one IP address per line works for me. Simplicity for the win.

Within the last month is probably enough. If I was consuming it, I'd add each monthly list to a database so I can build up my own 12-month (or whatever time frame suits me) list over time.

Or, publish one list for the last month and one list for the last 12 months.

Keep up the great work!


OK - thanks for the excellent suggestion. It's now implemented (just two SQL queries that will run as a cron job every night). You can grab the month and year offending IP blacklists this way.

wget https://knock-knock.net/static/ip-blocklist-month.txt

wget https://knock-knock.net/static/ip-blocklist-year.txt
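
As an added example (not part of the thread and not knock-knock.net's own code), here is one way to consume the monthly list as the reply above suggests: validate each line, merge it into a local SQLite table, and age out entries after 12 months. The table layout, the `NEVER_BLOCK` ranges, the IPv4-only parsing and the sample feeds are assumptions made for illustration.

```python
import ipaddress
import sqlite3
from datetime import date, timedelta

# Assumption: ranges you must never block (your own LAN / management networks).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_blocklist(text):
    """Return the set of valid IPv4 addresses in a one-IP-per-line feed."""
    ips = set()
    for line in text.splitlines():
        try:
            ip = ipaddress.IPv4Address(line.strip())
        except ValueError:
            continue  # blank or malformed line: never pass raw feed text to a firewall
        if not any(ip in net for net in NEVER_BLOCK):
            ips.add(str(ip))
    return ips

def merge(db, ips, seen_on):
    """Upsert one monthly list, keeping the most recent date each IP was listed."""
    db.execute("CREATE TABLE IF NOT EXISTS blocked "
               "(ip TEXT PRIMARY KEY, first_seen TEXT, last_seen TEXT)")
    db.executemany(
        "INSERT INTO blocked VALUES (?, ?, ?) ON CONFLICT(ip) DO UPDATE "
        "SET last_seen = max(last_seen, excluded.last_seen)",
        [(ip, seen_on.isoformat(), seen_on.isoformat()) for ip in sorted(ips)])

def expire(db, today, keep_days=365):
    """Drop IPs not listed within the retention window; return how many were removed."""
    cutoff = (today - timedelta(days=keep_days)).isoformat()
    return db.execute("DELETE FROM blocked WHERE last_seen < ?", (cutoff,)).rowcount

def current(db):
    return [row[0] for row in db.execute("SELECT ip FROM blocked ORDER BY ip")]

# Constructed sample feeds (documentation-range addresses, not real data).
JAN = "203.0.113.7\n198.51.100.23\n192.168.1.1\nnot-an-ip\n\n"
FEB = "203.0.113.7\n192.0.2.55\n"

def demo():
    db = sqlite3.connect(":memory:")
    merge(db, parse_blocklist(JAN), date(2026, 1, 31))
    merge(db, parse_blocklist(FEB), date(2026, 2, 28))
    merged = current(db)
    removed = expire(db, date(2027, 2, 15))
    return merged, removed, current(db)

if __name__ == "__main__":
    print(demo())
```

Validating before merging matters because the output usually feeds a firewall rule set: a malformed line or an address inside your own management range should be dropped at parse time, not discovered after a lockout.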

