Your Brand New Firewall Was Scanned in 0 Seconds: What Happened in the First Three Hours Online
The Internet Is Constantly Looking
Many people imagine cyberattacks as targeted events where hackers discover a company and decide to attack it.
The reality is often far less personal—and far more automated.
To demonstrate this, we recently placed a FortiGate firewall online and monitored what happened from the very first second it became accessible on the public internet.
The results were startling.
The Timeline: From Deployment to Discovery
02:34:11 – Firewall Goes Live
A FortiGate firewall was connected to the internet and immediately began logging inbound connection attempts.
At this point, no announcements were made, no DNS records were published, and no effort was made to attract attention.
The device simply existed on the internet.
02:34:11 – First Scan Arrives Instantly
Elapsed time: 0 seconds
The very first connection attempt arrived at the exact second the firewall was activated.
- Port: 23 (Telnet)
- Source: Microsoft-owned IP address
Whether part of a security research project, cloud infrastructure monitoring, or internet-wide scanning activity, the key takeaway is simple:
The firewall was discovered immediately.
02:34:13 – HTTPS Management Port Found
Elapsed time: 2 seconds
An online scanning service identified port 8443, a common web management port.
Source:
- Stretchoid scanner
Just two seconds after deployment, automated systems were already checking for web-based administrative interfaces.
02:34:16 – SSH Probed From China
Elapsed time: 5 seconds
The first attempt against port 22 (SSH) arrived from a Chinese IP address.
SSH remains one of the most frequently targeted services on the internet because it provides remote administrative access.
Attackers and researchers alike continuously search for exposed SSH services.
02:34:17 – Standard HTTPS Access Attempt
Elapsed time: 6 seconds
An inbound connection targeted port 443 (HTTPS) from an IP address located in the Netherlands.
This demonstrates that internet-wide scanning activity is globally distributed and not limited to a single country or region.
02:34:25 – Another Management Interface Check
Elapsed time: 14 seconds
Port 8080 was contacted by the Shadowserver scanning project.
Port 8080 is commonly used for:
- Administrative web interfaces
- Proxy services
- Application management consoles
By this point, multiple independent scanning systems had already identified the new device.
Three Hours Later: Specialized Product Scanning Begins
05:34:17 – FortiManager Discovery Attempts
Elapsed time: 3 hours
The first connection attempts targeting port 541, commonly associated with FortiManager communications, were observed.
Sources included:
- Driftnet.io scanners
- Bulgarian IP addresses
- Stretchoid scanning infrastructure
This is particularly interesting because it suggests more focused reconnaissance.
Rather than simply checking whether a host exists, these scans appear to be looking for specific Fortinet-related services.
What This Tells Us About the Modern Internet
The most important lesson isn’t that the firewall was attacked.
It’s that the internet noticed it immediately.
Within seconds, the core ports were enumerated:
✅ Telnet was checked
✅ SSH was checked
✅ HTTPS services were checked
✅ Alternate management ports were checked
Within hours:
✅ Vendor-specific services were being probed
This wasn’t a coordinated attack. It was the normal background noise of today’s internet.
The Myth of “I’ll Secure It Later”
One of the most dangerous assumptions in IT is:
“We’ll put it online now and lock it down later.”
The data above demonstrates why this is risky.
By the time an administrator finishes opening a browser tab to begin configuration, automated scanners may already have:
- Identified the device
- Recorded open ports
- Fingerprinted services
- Added the IP to monitoring databases
Exposure windows are measured in seconds, not days.
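One way to measure this window from your own firewall logs, shown as an added example that is not part of the original article. The log lines are constructed in a simplified key=value layout modelled on FortiGate traffic logs; the date and source addresses are placeholders, the times and ports follow the timeline above, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: placeholder date, RFC 5737 documentation source addresses.
# Times and destination ports mirror the timeline described in the article.
SAMPLE_LOG = """\
date=2000-01-01 time=02:34:11 srcip=192.0.2.10 dstport=23 action=deny
date=2000-01-01 time=02:34:13 srcip=198.51.100.7 dstport=8443 action=deny
date=2000-01-01 time=02:34:16 srcip=203.0.113.5 dstport=22 action=deny
date=2000-01-01 time=02:34:17 srcip=192.0.2.44 dstport=443 action=deny
date=2000-01-01 time=02:34:25 srcip=198.51.100.90 dstport=8080 action=deny
date=2000-01-01 time=02:34:40 srcip=203.0.113.77 dstport=22 action=deny
this line is malformed and must be skipped
date=2000-01-01 time=05:34:17 srcip=198.51.100.7 dstport=541 action=deny
"""
GO_LIVE = datetime(2000, 1, 1, 2, 34, 11)  # constructed go-live timestamp
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return (timestamp, dstport), or None if the line lacks the needed fields."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    try:
        ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
        return ts, int(fields["dstport"])
    except (KeyError, ValueError):
        return None

def first_probe_delays(log_text, go_live):
    """Map each destination port to seconds between go-live and its first probe."""
    delays = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, port = parsed
        delta = int((ts - go_live).total_seconds())
        if delta < 0:
            continue  # entries logged before go-live are out of scope
        delays[port] = min(delta, delays.get(port, delta))
    return delays

def probed_within(delays, window_seconds):
    """Ports whose first probe arrived inside the given exposure window."""
    return sorted(p for p, d in delays.items() if d <= window_seconds)

if __name__ == "__main__":
    result = first_probe_delays(SAMPLE_LOG, GO_LIVE)
    for port, secs in sorted(result.items(), key=lambda kv: kv[1]):
        print(f"port {port:>5}: first probe after {secs} s")
    print("probed in first 60 s:", probed_within(result, 60))
```

Run against a real export, the ports returned by `probed_within` for a short window are the ones that need to be closed or restricted before the device is connected, not after.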
Why Scanning Happens So Fast
Modern internet scanning is highly automated.
Organizations around the world continuously map the internet for purposes such as:
Security Research
Researchers monitor exposed services to understand trends and vulnerabilities.
Threat Intelligence
Security companies collect data about internet-facing systems to identify emerging threats.
Asset Discovery
Organizations scan the internet to identify systems that belong to them.
Malicious Reconnaissance
Attackers search for vulnerable services before launching exploitation attempts.
The same scanning techniques are used by both defenders and adversaries.
Key Takeaways
- New internet-connected systems are discovered almost instantly.
- Common management ports are scanned within seconds.
- Scanning activity comes from all over the world.
- Vendor-specific reconnaissance follows shortly afterward.
- There is no safe grace period after deployment.
Final Thoughts
The internet is less like a quiet neighborhood and more like a brightly lit city intersection under constant surveillance.
The moment a new device appears, countless automated systems begin asking questions:
- Is Telnet open?
- Is SSH available?
- Is there a web interface?
- Is this a firewall?
- Is it vulnerable?
In this case, those questions started arriving in the same second the firewall came online.
For security teams, that’s a powerful reminder:
If a service is exposed to the internet, assume it is being scanned immediately. Because it probably is.