Since 2009 I have collected intrusion attempt data from hackers attempting to break into my computer(s), These include attempts to gain admin access, post spam, corrupt the database, gain root access to the server, gain access to my accounts and a myriad of other intrusions.

Figure 1: Worldwide Distribution of Total Intrusions since 2009

Of all the countries worldwide participating in these intrusions, the one country that stands out far and above the others for the sheer number of attempts is China.

Figure 2: Total Number of US and Chinese Intrusion Attempts since 2009

An intruder gets blocked when:

  • they attempt to directly log in to the server
  • they try use web script exploits to break into my website
  • they try to access restricted admin features
  • they attempt to connect from a blocked country
  • they attempt to access non-existent services
  • they attempt to post spam
  • they attempt to use my mail server to relay spam messages
  • and many more…..

I store these results in a database to which I can then ask data mining questions like

  • how many attackers came from China? (likely a lot)
  • how many attackers came from Antartica last week?’ (I doubt there were many)

The charts on this page also update regularly as people continue to try and break in.

The figure above shows how many raw attacks have occured. These numbers are large since some hackers try to attack over and over again (sometimes as many as 65,000 times). Another way to examine the data is how many distinct hackers have attempted to break in. This number is always smaller since typical attackers try many times. For example, a single user from Hong Kong tried over 65,000 times to guess a password while trying to log into my server. That one attacker could be counted once as an attacker, or he (or she) could be counted 65,000 times as attacks.

Figure 3: Total Number of US and Chinese Intruders since 2009

This chart is much more revealing. Here we see that the US has only intruders whereas China has .

What could be on my site that is so intriguing for these people? Absolutely nothing. Yet they persist. And I continue to gather information about who they are.

What they are likely more interested in is not the contents of my server, but what they can potentially do with my server. If they were to gain control of my server then they could use it to launch attacks on other more lucrative websites while hiding their identity behind my server. If they get caught, the trail would lead to my front door and not theirs should they clean up their tracks leading to me. I know I do not relish a visit from the FBI over the actions of someone else likely located in China.

Whatever the reason is for their wanting to break in the truth is I don’t want it to happen. So I block them.

The first chart above shows the total number of these blocked connection attempts with China at attempts and the United states at attempts. However as I described earlier the total number of intrusion attempts does not tell very much about the number of intruders.

An intrusion attempt typically includes many repeated attempts from the same source. This is particularly true for SSH (user acocunt login) password guessing, although my server does not accept password logins at all, this still does not deter the intruder from trying thousands of times.

For China and the United States, the total number of ssh intruders is:

Figure 4: Total Number of Distinct US and Chinese SSH Intruders since 2009

Even with only looking at this explicit attack traffic, China still leads intrusion attempts over the US with attacks to . These are absolutely hackers attempting to directly break into my servers.

However you might ask why are these numbers close? The most likely reason is probably that many of the US attackers are controlled and launched by Chinese hackers that have taken over a US system. For the most part the servers involved belong to US based ISPs that let users sign up for a free 30 day trial. These let hackers freely launch attacks from local US systems. Amazon is an example of such a service, but there are many others, a number of them in Texas. Typically you can tell who these ISPs are by the ‘cluster’ effect their IP addresses make on the hacker location maps.

Using local US servers gives the Chinese hackers the ability to launch US based attacks against a US system a lot faster than if they attacked directly from China. It also allows them some degree of anonymity since I see the attacks originating from Oregon or some other Amazon location. Chinese hackers also bypass any Chinese systems monitoring their behavior although from the number of attacks launched from China directly I don’t think their authorities really care very much.

It is entertaining to see which countries harbor the largest number of attackers. China still wins though no matter how much they might want to claim innocence. And until such time that the government of China actually attempts to reduce these intrusions I will happily continue to block them. All of them.

Watching the news reports recently it seems that reporters and their sources are starting to notice that China and a few other countries like Russia and the United States represent by far the largest number of cyber attacks. I include the United States because my years of accumulated data show that servers operated in the United States are just as guilty of allowing these attacks. Perhaps if the ISPs offering free server trials reviewed their policies, their network access rules and improved their firewall rules they might end up contributing to the solution and not contributing to the problem as many do now. But that appears to be wishful thinking. Also with the recent increase in poorly designed IoT devices providing bot access to the hackers the United States looks like it will be a significant attack contributor for quite some time.

I must point out though that when I identify a country I am not necessarily indicting the government of that country. The governments may have created an environment making it easy to launch attacks, but that does not necessarily mean that the government itself launched the attacks. Conspiracy nuts are everywhere and will likely point fingers at the the government itself instead of urging the government to tighten up its regulations.

If the attacks were sanctioned by governments I would have expected the caliber of the attacks ito be a lot better than they are now, They would be more like Stuxnet. Most attacks, as I would say in my humble opinion, are ludicrously juvenile and indicitive of an IQ no higher than a turnip. It is more likely that the environment allows more people to get away with the attacks. Is this permissiveness sanctioned by their government? I have no clue.

I have on occasion noticed a few attacks that have shown some intelligence, but those could just as easily been from criminal organisations and not the governments themselves. Those attacks are ones such as co-ordinating attacks simultaneously from multiple sources (from multiple countries) that then try to use feedback from one attack to affect the behavior of another attack. Other attacks with some intelligence use social engineering, meaning they know something about their target and try to use that to break in (yes I was born in California, I have lived in Canada, spent time in Hong Kong and Japan, I have travelled the world, my dog when I was in high school was named Gus and he was a basset hound….), but very few attacks are of this caliber on my site. This is likely because the attackers have no idea of who their target is, They just see me as an IP address and launch generic dumb attacks.

Does this mean my site is safe? Absolutely not! It could be compromised at a moments notice by either a mistake I make, a software hole that is discovered, or the hardware deciding to go “blip” at the wrong time. But when that happens I will shrug, take out the installation DVD and wipe the system clean and start again. Annoying to say the least, but ultimately recoverable. Let’s just hope I don’t have to do this anytime soon. In the meanwhile, I’ll just keep blocking them.