The past two years have seen a significant number of attacks announced affecting IoT devices. One of the biggest to make headlines was the leak of a list containing ~8000 telnet-accessible IoT devices with mostly valid login credentials and corresponding IP addresses (Mirai is partially to blame). The release of such lists is almost always dubbed bad because anyone with access to the list can start owning those devices. Once a nefarious individual does so, those devices can be added to a botnet under their control, become a C2 node, be used as a VPN hopping point, or serve as a place to stage remote attacks (but really, likely all of the above).
At the time of writing, livesshattack.net has undergone ~8.2M SSH attacks to date. However, when parsing out the passwords used in each attack, the resulting list amounts to only ~187k unique passwords. That is a surprisingly small number, and the only way to account for it is that livesshattack.net has been hit with a large number of repetitive, similar brute force or dictionary attacks. Speaking of dictionary attacks, let's compare livesshattack's unique password list to other popular password lists on the internet.
Back in March of last year I wrote about a whopping 1M SSH attacks within three months on my New York based VPS from Digital Ocean, many of which came from infected public-facing routers, servers, and other devices. Collecting data from these attacks, even with only a single probe, lets us guesstimate a real-time view of SSH attacks on the internet's infrastructure.
These are the top 100 most common passwords used to attack my VPS at Digital Ocean over the past 9 months, arranged from highest to lowest frequency, starting from the top.
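The two analyses above (counting unique passwords and comparing them against a public wordlist, and ranking the most frequent passwords) boil down to one pass over the attack records. The script below is an added example and not livesshattack.net's own code; the record layout (`timestamp ip user password`), the sample records and the reference wordlist are all constructed for illustration.

```python
"""Added example, not code from livesshattack.net: parse SSH attack records,
count unique passwords, rank the most common ones, and measure how much of
that set overlaps with a reference wordlist."""
from collections import Counter

# Constructed sample records in the shape "<timestamp> <ip> <user> <password>";
# a real export from the probe would hold millions of these.
SAMPLE_ATTACKS = """\
2016-11-01T03:12:44 203.0.113.5 root 123456
2016-11-01T03:12:45 203.0.113.5 root password
2016-11-01T03:12:46 203.0.113.5 root admin
2016-11-01T03:13:01 198.51.100.7 admin admin
2016-11-01T03:13:02 198.51.100.7 admin 123456
2016-11-01T03:14:10 192.0.2.9 root 123456
2016-11-01T03:14:11 192.0.2.9 root raspberry
2016-11-01T03:14:12 192.0.2.9 pi raspberry
2016-11-01T03:15:00 203.0.113.5 root password
"""

# Constructed stand-in for a public wordlist such as the ones the post compares against.
REFERENCE_WORDLIST = ["123456", "password", "12345678", "qwerty", "admin"]


def parse_attacks(text):
    """Yield (ip, user, password) tuples. Passwords may themselves contain
    spaces, so only the first three fields are split off."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, ip, user, password = line.split(" ", 3)
        yield ip, user, password


def password_counts(text):
    """Frequency of every password tried, across all attacking IPs."""
    return Counter(pw for _ip, _user, pw in parse_attacks(text))


def summary(text):
    """Total attempts versus distinct passwords: a small ratio of unique to
    total means the same dictionaries are being replayed against the probe."""
    counts = password_counts(text)
    return {"attempts": sum(counts.values()), "unique_passwords": len(counts)}


def top_passwords(text, n=100):
    """Most common passwords first; ties broken by the password string so
    the ranking is stable across runs."""
    counts = password_counts(text)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def compare_wordlist(text, wordlist):
    """Split the observed passwords against a reference list into
    (shared, only_seen_in_attacks, only_in_wordlist), each sorted."""
    seen = set(password_counts(text))
    ref = set(wordlist)
    return sorted(seen & ref), sorted(seen - ref), sorted(ref - seen)


if __name__ == "__main__":
    print(summary(SAMPLE_ATTACKS))
    for pw, n in top_passwords(SAMPLE_ATTACKS, 10):
        print(f"{n:>4}  {pw}")
    shared, novel, missing = compare_wordlist(SAMPLE_ATTACKS, REFERENCE_WORDLIST)
    print("shared:", shared, "not in wordlist:", novel, "wordlist-only:", missing)
```

The passwords that show up in the attacks but not in the reference list are the interesting ones: they are what a given botnet's dictionary adds beyond the public lists, which is exactly the comparison the post sets out to make.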
I have a few VPSs over at Digital Ocean. They are, and have been, a great cloud VM provider for hosting small projects. Check them out here or via my referral link here. Anyway, to get to the real matter: Digital Ocean is a hosting company with many data centers, which means they own IP space. Who owns what IP space is almost always public data, and with a little digging you can usually obtain this information fairly easily. If you do a whois on digitalocean, you get the following:
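Once you have a provider's whois record, the useful step is pulling the CIDR blocks out of it and checking which attacking IPs land inside them. The script below is an added example and not code from the post; the whois fragment is constructed in the layout of an ARIN record, and the netblocks are RFC 5737 documentation ranges rather than Digital Ocean's real allocations, as are the attacker IPs.

```python
"""Added example, not code from the post: pull CIDR blocks out of a whois
record and check which attacking IPs fall inside them. The whois text and
the attacker IPs below are constructed; the blocks are RFC 5737 documentation
ranges, not Digital Ocean's real allocations."""
import ipaddress
from collections import Counter

# Constructed fragment in the layout of an ARIN whois record. Only the CIDR
# lines matter here; ARIN may list several blocks on one line, comma-separated.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-HOSTING-1
Organization:   Example Hosting, Inc. (EH-1)

NetRange:       198.51.100.0 - 198.51.100.191
CIDR:           198.51.100.0/25, 198.51.100.128/26
NetName:        EXAMPLE-HOSTING-2
"""

# Constructed attacker IPs as a probe might log them.
SAMPLE_ATTACKERS = ["203.0.113.77", "198.51.100.200", "192.0.2.14",
                    "198.51.100.9", "203.0.113.77", "198.51.100.130"]


def cidrs_from_whois(text):
    """Extract every CIDR listed on 'CIDR:' lines, deduplicated, in order."""
    found = []
    for line in text.splitlines():
        if line.startswith("CIDR:"):
            for piece in line[len("CIDR:"):].split(","):
                cidr = piece.strip()
                if cidr and cidr not in found:
                    found.append(cidr)
    return found


def build_networks(cidrs):
    """strict=True rejects blocks with host bits set, which would point to a
    typo in the record rather than a real allocation."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def owning_block(ip, networks):
    """Return the CIDR that contains ip, or None if no listed block does."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def attacks_by_origin(attackers, whois_text):
    """Count attacking IPs inside versus outside the provider's blocks and
    return (inside_counter, outside_counter, fraction_inside)."""
    networks = build_networks(cidrs_from_whois(whois_text))
    inside, outside = Counter(), Counter()
    for ip in attackers:
        (inside if owning_block(ip, networks) else outside)[ip] += 1
    total = sum(inside.values()) + sum(outside.values())
    return inside, outside, (sum(inside.values()) / total if total else 0.0)


if __name__ == "__main__":
    inside, outside, frac = attacks_by_origin(SAMPLE_ATTACKERS, SAMPLE_WHOIS)
    print(f"{frac:.0%} of attempts came from the provider's own IP space")
    print("inside: ", dict(inside))
    print("outside:", dict(outside))
```

Note that a whois record only tells you who was allocated the block, not who is running the box; an attack "from Digital Ocean" almost always means another customer's compromised droplet, which is worth reporting to the provider's abuse contact rather than blocking the whole range.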
Like everybody else, I wanted to generate traffic to my new site. So I posted to Hacker News, opened up htop on my (at the time) 512MB Digital Ocean droplet, and kept a close eye on my live visitor feed from Google Analytics. I wasn't expecting much, especially at 11pm.