
Where's your 4^32 coming from? There are only 2^32 IPv4 addresses. You may be right that the first wave would just target port 22 and the second 2222 and so on; an actual attack would probably have some interesting implementation details besides that too, for pruning or host retry or something else.

Why do you think at minimum you would have weeks? Run the numbers for botnets of various sizes with a measly 10 Mbps network connection each; it doesn't look very good. Under normal circumstances, yeah, port 26432 is no more likely to be hit than any other high port, but an SSH 0day bypassing authentication is an incredibly valuable exception where now trying everything can be worth it for a little while.




Yep, I need to coffee before I try to math, not sure how I got to 4^32.

That's an interesting point - I wonder if anyone has the numbers on how long it would take to poke each TCP port on each IPv4 address, or has done it?

One could argue that with an SSH 0day you'll infect 99% of hosts by hitting port 22 alone, and the 65000x effort required to find the others is of marginal return. A counter-point to that is that you may find some more interesting systems hanging out on other ports - fewer home routers and more boxes used by people who changed the default port as the kind of "hardening" procedure we're talking about in this thread.
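Added example, not part of either comment: a rough model of the numbers the thread asks about, comparing how long a port-22-only sweep and an all-ports sweep of the IPv4 space would take for botnets of various sizes at 10 Mbps per host. Assumptions (not from the thread): one probe per address and port, no retries, every one of the 2^32 addresses probed, and each probe costing a minimum Ethernet frame on the wire.

```python
IPV4_ADDRESSES = 2 ** 32
TCP_PORTS = 65535  # ports 1-65535
# Assumption: a probe occupies a minimum Ethernet frame (64 B) plus
# preamble (8 B) and inter-frame gap (12 B) = 84 bytes of wire time.
WIRE_BYTES_PER_PROBE = 84


def probes_per_second(link_bps, wire_bytes=WIRE_BYTES_PER_PROBE):
    """Upper bound on probes one host can emit on a link of link_bps bits/s."""
    return link_bps / (wire_bytes * 8)


def sweep_seconds(bots, ports, link_bps=10_000_000):
    """Seconds for `bots` hosts to probe `ports` ports on every IPv4 address."""
    total_probes = IPV4_ADDRESSES * ports
    return total_probes / (bots * probes_per_second(link_bps))


def human(seconds):
    """Format a duration using the largest unit that fits."""
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def table(bot_counts=(1_000, 10_000, 100_000, 1_000_000)):
    """Rows of (bots, one-port sweep time, all-ports sweep time)."""
    return [
        (bots,
         human(sweep_seconds(bots, 1)),
         human(sweep_seconds(bots, TCP_PORTS)))
        for bots in bot_counts
    ]


if __name__ == "__main__":
    print(f"{'bots':>10}  {'port 22 only':>14}  {'all 65535 ports':>16}")
    for bots, one_port, all_ports in table():
        print(f"{bots:>10}  {one_port:>14}  {all_ports:>16}")
```

Under these assumptions a non-default port changes the exposure window from seconds or minutes to somewhere between hours and months, depending on the size of the botnet.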



