Turris Security report 2022/12

Jan. 16, 2023

We run a network of security probes that collect data about attacks ranging from simple port scans to actual attempts to break into systems. We use this data to filter addresses on the Dynamic Firewall and protect our Turris routers. We also display various statistics in real time on our Sentinel View. Apart from that, we publish this monthly newsletter with statistics that are more complex to compute, and we take this opportunity to put the data we have collected into perspective.

In December, we saw attacks rise globally. This could be related to the holiday season, when hobbyists joined the usual group. What seems odd is that attackers have lately been testing more sophisticated passwords. We dug deeper into our data on passwords like 68ktW79z1U. We suspected that it might be just one device acting up or one attacker with an unusual wordlist. However, the password was recorded by multiple routers, and the attacks came from multiple IP addresses. What is more, those IP addresses span multiple countries and continents. So it seems to be a regular attack after all.
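The cross-check described above, sketched as an added example (not Turris code or data): for each password it counts the distinct sensors, source IPs and countries that reported it. The record layout, sensor names, thresholds and every sample row are constructed assumptions; only the password 68ktW79z1U comes from the report.

```python
from collections import defaultdict

# Constructed sample records (not Turris data), one login attempt per tuple:
# (sensor_id, source_ip, country, password). IPs are documentation ranges.
ATTEMPTS = [
    ("router-a", "192.0.2.10",   "CZ", "68ktW79z1U"),
    ("router-b", "198.51.100.7", "US", "68ktW79z1U"),
    ("router-c", "203.0.113.44", "BR", "68ktW79z1U"),
    ("router-a", "198.51.100.7", "US", "68ktW79z1U"),
    ("router-d", "192.0.2.99",   "CZ", "Xq9!pL2mZt"),
    ("router-d", "192.0.2.99",   "CZ", "Xq9!pL2mZt"),
    ("router-d", "192.0.2.99",   "CZ", "Xq9!pL2mZt"),
    ("router-b", "203.0.113.5",  "DE", "admin"),
    ("router-c", "203.0.113.5",  "DE", "admin"),
]

def spread(attempts):
    """Per password: attempt count plus distinct sensors, IPs and countries."""
    stats = defaultdict(lambda: {"attempts": 0, "sensors": set(),
                                 "ips": set(), "countries": set()})
    for sensor, ip, country, password in attempts:
        s = stats[password]
        s["attempts"] += 1
        s["sensors"].add(sensor)
        s["ips"].add(ip)
        s["countries"].add(country)
    return stats

def classify(s, min_sensors=2, min_ips=2):
    """Label one password's stats; the thresholds are assumed, not Turris's."""
    if len(s["sensors"]) < min_sensors:
        return "single-sensor"   # could be one device acting up
    if len(s["ips"]) < min_ips:
        return "single-source"   # could be one attacker with an odd wordlist
    return "distributed"         # many sensors and many sources

def report(attempts):
    """Map each observed password to its label."""
    return {pw: classify(s) for pw, s in spread(attempts).items()}

if __name__ == "__main__":
    for pw, s in spread(ATTEMPTS).items():
        print(pw, s["attempts"], len(s["sensors"]), len(s["ips"]),
              sorted(s["countries"]), classify(s))
```

Raw attempt counts alone would not separate the cases: a single noisy sensor can log more attempts for one password than a distributed campaign does.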

There is also a spike in the popularity of ports that were previously not abused much, like 11000, used by old Cisco devices. This might suggest that attackers are trying to find outdated routers again.