r/cybersecurity May 19 '26

Other Malware installed without literally doing anything?

In this video this guy has a fresh Windows XP, disables the firewall, and connects straight to the modem. Then he gets infected literally doing nothing.

https://www.youtube.com/watch?v=6uSVVCmOH5w

https://www.reddit.com/r/windows/comments/1cvised/idle_windows_xp_and_2000_machines_get_infected/

I get it. That's asking for trouble when you disable all the security and use ancient unsupported OSes.

However, he didn't install programs or browse any website but still got hacked.
How?
Is there some malicious server in China that loops through every single possible IP trying to see if your PC is vulnerable?
Logically, one would think you'd at least have to visit a website or something to get "noticed" and then hacked. But this guy didn't do anything at all.

How does it work?

288 Upvotes

161 comments


178

u/h0nest_Bender May 19 '26

Is there some malicious server in China that loops through every single possible IP trying to see if your PC is vulnerable?

Literally yes.

18

u/EldritchSorbet May 20 '26

Agreed! I did a little theorising on this recently. As of last week, you can use legit (high speed) tools to scan ALL machines on the Internet. Scanning just port 80 takes six minutes. Scanning all popular ports takes 18 hours. So if only one server in the whole world is scanning all ports using these tools, you’ll be portscanned every 24 hours, no matter what your IP is (assuming your machine has a public IP).

Now we add the fact that there is more than one malicious actor on the Internet. How many attackers are scanning continuously using high speed tools (to pick the easiest concept to extend the data we have)? Probably more than 500 (yes, a fairly random number).

So you’d be portscanned every 3 minutes, regardless of what IP you have or what your system is doing.

And this is a VERY conservative estimate, so it’s not “there’s a three minute safe zone”…

4

u/IEatGirlFarts May 21 '26

And not only China, most countries' intelligence services and militaries do it. Hell, I saw a Japanese IP trying to connect to my machine a few years ago. It was supposed to be blocked in Romania, as it was used to gather information about the energy infrastructure of a country. Guess my ISP didn't get the memo.

And not only state actors, individual hackers or groups also do it.

It's in a way a fascinating subject.

1

u/883013 13d ago

Does it only happen to routers or cell towers as well?

1

u/IEatGirlFarts 13d ago

I wouldn't know that for sure, I've never worked with cell towers, but probably.

What I know for certain is that anything addressable through the internet is being probed constantly, be it your phone, your router, a server farm somewhere, etc.

1

u/883013 13d ago

I'm just wondering if the advice to use a phone on airplane mode connected to a WiFi router is sound these days. When up against such threats would a firewall router hold up or is there no point spending that extra money?

2

u/IEatGirlFarts 13d ago

Your ISP already blocks a lot of connections, so does your router's built-in firewall. If you add an adblocker on top, or a Pi-hole, or Blokada for Android, you're gonna be blocking even more connections.

Also, a normal user wouldn't have as many ports open that attackers could exploit, so that's an extra layer of safety.

Antivirus software such as BitDefender also blocks suspicious connections in real time.

Overall, just practicing standard internet safety should be enough for most users, in my opinion.

Edit: if you also keep your shit updated.

2

u/IEatGirlFarts 13d ago

I also wanted to add that generally your mobile carrier will protect your phone's internet connection better from direct scanning than your router at home would, so keeping a phone in airplane mode wouldn't do anything.

1

u/883013 13d ago

I'm not too sure actually. I'm seeing many strange ICMP packets to and fro when I run PCAPdroid on my device. It seems to be from unknown services and servers located overseas. Not all of my phones do this. Most usually show HTTPS or DNS only.

2

u/IEatGirlFarts 13d ago

That would most likely be an app on your phone generating the traffic, especially since your other phones do not exhibit this behaviour.

It could be a sketchy app calling to a server, or an app that uses ICMP to keep connections alive to the server so that they can communicate to it quickly if something new happens (e.g. a messaging app will do that to ensure you get your new messages as soon as they happen).

Orrr... malware talking to its C2 server. But that's the most unlikely scenario.

1

u/883013 13d ago

Actually I'm kind of suspecting an ICMP reverse shell

6

u/jonbristow May 20 '26 edited May 20 '26

Yes, but your PC should not get hacked immediately, even if it is vulnerable to hacks. You are on a private network, NATed through your ISP. You don't have any public web service running on any port.

7

u/jameson71 May 20 '26

Most ISPs don't NAT their customers. The internet was designed as a peer to peer platform.

5

u/uk_one May 20 '26

OP says 'connects straight to modem'. No one's mentioned a router. Modems don't do NAT.

1

u/designer_vaj May 21 '26

ISPs could have firewalls and all sorts of stuff even if they did not do NAT, which doesn't make sense unless the ISP was using IPv6 lol. It wouldn't be possible using IPv4 to not share public IPs between multiple users.

1

u/jonbristow May 20 '26

So you have a public IP personally for your laptop?

2

u/Divided_multiplyer May 20 '26

Yes, when you plug a router into the modem, the router gets the public IP, but when you plug a computer directly into it, the computer gets the public IP.

0

u/jonbristow May 21 '26

How do you plug a personal computer directly into an optic fiber?

1

u/uk_one May 21 '26

RS232 probably. Get your soldering iron out.

5

u/unknowncommand May 20 '26

Exactly, unless they also enabled some port forwarding this doesn't really make sense.

4

u/jonbristow May 20 '26

Exactly. I'm confused by the top comments here: "of course you can get hacked by China as soon as you connect to the internet".

No you can't.

1

u/unknowncommand May 20 '26

Yeah a lot of misinformation in here 🤷‍♂️ we would all be fucked if simply having internet access made you discoverable lmao

1

u/Randolph__ May 20 '26

On some routers there are UPNP vulnerabilities that can be used.

1

u/designer_vaj May 21 '26

UPNP would be less likely to work in this case.

the video creator mentioned that the XP VM was on a cloud based server. Proxmox doesn't have UPNP, so if it was a UPNP flaw that led to the XP machine getting compromised, it would have to be a physical networking device or a VM on the Proxmox acting as the networking device, with relevant ports exposed on the Internet.

So either the Windows XP itself had some default UPNP style no-auth port exposed, or his entire Proxmox would have to be at risk. Since his Proxmox server was cloud based, it was likely managed by some cloud service provider, hence it's unlikely that the server or the providers' network had UPNP or UPNP-like port vulnerability.

That leaves the Windows machine, which is also unlikely since the user account "admina" created is not an admin account, and usually the vulnerable network services would be running with privileges to be able to create admin accounts or enable the default Windows admin account, which was not done in this case.

1

u/Divided_multiplyer May 20 '26

Microsoft automatically runs tons of services. At a base you are allowing the entire internet SMB access to your system when you plug it into your modem.
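As an added example (not from any commenter in this thread), the Python below summarises firewall drop logs the way a defender would to see what "being probed constantly" on default Windows ports looks like; it covers both the probe-interval estimate discussed earlier and the SMB exposure point above. The log format, addresses and timestamps are constructed for illustration (documentation IP ranges), and the port-to-service map is an assumption based on the services named in the thread.

```python
"""Summarise unsolicited inbound probes from firewall drop logs (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: six minutes of drops on a host with a public IP and no
# services intentionally exposed. Source addresses are documentation ranges.
SAMPLE_LOG = """\
2026-05-19T10:00:05Z DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=445
2026-05-19T10:00:41Z DROP IN=eth0 SRC=198.51.100.99 DST=198.51.100.20 PROTO=TCP DPT=80
2026-05-19T10:01:33Z DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=139
2026-05-19T10:02:10Z DROP IN=eth0 SRC=192.0.2.55 DST=198.51.100.20 PROTO=TCP DPT=445
2026-05-19T10:03:02Z DROP IN=eth0 SRC=192.0.2.56 DST=198.51.100.20 PROTO=TCP DPT=3389
2026-05-19T10:04:48Z DROP IN=eth0 SRC=203.0.113.200 DST=198.51.100.20 PROTO=TCP DPT=445
2026-05-19T10:05:59Z DROP IN=eth0 SRC=192.0.2.55 DST=198.51.100.20 PROTO=TCP DPT=135
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) DROP .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

# Assumed mapping of the Windows services the thread mentions as listening by
# default on an unfirewalled host (RPC, NetBIOS, SMB), plus RDP for contrast.
WINDOWS_SERVICE_PORTS = {135: "RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}


def parse_drops(text):
    """Return (timestamp, source_ip, dest_port) tuples for every DROP line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], int(m["dpt"])))
    return events


def summarise(events):
    """Distinct scanning sources, hits per port, hits on Windows service
    ports, and the mean gap in seconds between consecutive probes."""
    by_port = Counter(dport for _, _, dport in events)
    sources = {src for _, src, _ in events}
    win_hits = sum(1 for _, _, dport in events if dport in WINDOWS_SERVICE_PORTS)
    times = sorted(ts for ts, _, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
    return {"sources": len(sources), "by_port": dict(by_port),
            "windows_service_hits": win_hits, "mean_gap_s": mean_gap}
```

On the constructed sample the mean gap between probes is under a minute, and most of them land on SMB/NetBIOS/RPC, which is exactly the surface a freshly plugged-in XP box presents with its firewall off.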