Analysis of the Internet Census data: The Finnish Cyber Landscape
Nixu, October 2013
Analysis of the Internet Census data, October 2013
Contents
1 Foreword ..... 4
1.1 Disclaimer ..... 4
2 Analysis Summary ..... 5
2.1 Unencrypted protocols ..... 6
2.2 Web interfaces ..... 7
2.3 SCADA ..... 8
2.4 The vulnerability landscape ..... 8
2.5 Recommendations ..... 9
3 Operating System analysis ..... 11
3.1 TOP-20 all fingerprints ..... 12
3.2 Linux kernel versions ..... 13
3.3 Windows versions ..... 13
3.4 Firewall / Switch / Router devices ..... 14
3.5 Home router devices ..... 14
3.6 Printer devices ..... 15
3.7 Possible SCADA systems ..... 15
4 Port analysis ..... 16
4.1 TOP-40 port list ..... 17
4.2 Ports open, counted by hosts ..... 18
4.3 Database ports ..... 21
4.4 Unencrypted protocol ports ..... 21
4.5 Management interface ports ..... 22
4.6 Proxy ports ..... 22
4.7 Denial of service ports ..... 23
4.8 Printing ports ..... 23
4.9 Other sensitive ports ..... 23
4.10 Firewall data comparison ..... 24
5 Serviceprobe analysis ..... 25
5.1 Www – Generic Web-servers ..... 26
5.2 Www – Embedded servers and network router servers ..... 27
5.3 Www – Firewall, proxy and management servers ..... 27
5.4 Www – Printer servers ..... 28
5.5 Www – Media and surveillance servers ..... 28
5.6 Www – Possible SCADA-related servers ..... 29
5.7 FTP Servers ..... 29
5.8 SSH Servers ..... 30
5.9 Telnet servers ..... 30
5.10 SMTP Servers ..... 31
5.11 DNS Servers ..... 31
5.12 IMAP Servers ..... 32
5.13 SNMP Servers ..... 32
5.14 MS SQL Servers ..... 33
5.15 MySQL Servers ..... 33
6 Vulnerability Analysis ..... 34
7 References ..... 35
1 Foreword
A huge amount of data titled Internet Census 2012 was released earlier this year. It was acquired with a botnet named Carna between June and October 2012, which used insecure embedded devices to scan the Internet:
Overall Internet Census 2012 project information:
The data contains a lot of different scan information, like open ports, trace routes, reverse DNS queries and much more. This information provides an overview of what the Internet looked like during the time period. This data was made publicly available through the BitTorrent network. We at Nixu decided to take a look at the data from a Finnish viewpoint and this report covers the results of this analysis. The main data items we considered interesting were operating system statistics, TCP port statistics and the results of some service probes which contain the actual server responses. In addition it provided a view into systems and services which should not be directly available from the Internet.
There were 13,782,236 Finnish IP addresses in our list. We isolated data associated to these IP addresses from the complete data set. This subset was further processed and analyzed to generate statistics and draw conclusions. No correlation was done between the analyzed data sets. Analysis was done by Nixu’s Security Intelligence and Research team (Nixu SIR).
1.1 Disclaimer
Even though the data has been acquired unethically by hacking into devices and utilizing these for scanning the Internet, doing analysis on data released to public domain should only be viewed as a research exercise.
We think that the data is likely authentic, but there are no guarantees it is not manipulated or crafted. Also note that properly firewalled servers are not included in the data. We do not have any supporting numbers available on the total amount of Internet-connected devices that could have been fully firewalled or shut down during the port scan activity, which could have added to the analysis as another way of indicating the network posture.
When viewing this report, bear in mind that it is based only on the publicly available data, accurate or not. Even though the scan was done some time ago, we do not believe the overall picture has changed that much.
420 MILLION IP ADDRESSES THAT RESPONDED TO ICMP PING AT LEAST TWO TIMES BETWEEN JUNE 2012 AND OCTOBER 2012.
2 Analysis Summary
Finland is said to have one of the cleanest network environments, at least in terms of malware infections. However, there are potentially serious weaknesses in the Finnish cyber landscape.
A basic network reconnaissance provided by the Internet Census scan revealed that most of the over 500 000 hosts scanned have a relatively healthy number of ports open (94.6%).
This means the attack surface is smaller with these hosts, but still there are tens of thousands of Internet-connected hosts with practically “open doors” for attackers. All these contribute to the available attack surface a potential attacker can try to utilize. Whether it is a common ADSL router used by thousands of end-users or one corporate printer sitting directly on the Internet, security could potentially be compromised.
The Internet Census data can be used as a valid source for reconnaissance intelligence into services running at governmental entities, industries and organizations, without the need to actively probe their networks.
An attacker could for example map the services used across the globe to enable global exploitation of widely used and vulnerable services. He could also pinpoint one single Internet-connected device to use as an entry point into the selected target organization.
We believe that the scan revealed just the tip of the iceberg of the weaknesses in Finnish networks overall, when application-level vulnerabilities are also taken into consideration. Nixu has done hundreds of security assessments of systems owned by different organizations and governmental entities and our findings support this conclusion. Four in five systems we have assessed have multiple vulnerabilities that for example allow bypassing access controls, which leads to unauthorized access to confidential data.
This in essence means that there are thousands of Internet-connected devices and information systems that are prone to eavesdropping, information gathering and other abuse even with a limited hacking skill set.
Chart: Healthy amount of open ports (4 and less). OK 481 692 (94.56 %), Not OK 27 697 (5.44 %).
The perimeter security is usually on a good level but when inside, things tend to get worse. On a technical level the focus still tends to be perimeter-centric, revolving around firewalls, intrusion detection systems and the like. Vulnerability management, system hardening and application-level security should be bolstered. Perimeter defense alone isn’t sufficient to protect against cyber threats.
Organizations should take the time to verify their Internet exposure. Regular scanning of own networks and taking action based on the results is a recommended practice.
It is worth mentioning that the data has been collected during the period of five months and analyzing this amount of data takes up resources, even with limited scope. The following chapters take a deeper look into some of the identified problem areas.
2.1 Unencrypted protocols
There is a relatively high number of devices running unencrypted protocols like FTP (File Transfer Protocol) and Telnet. If these insecure methods are actively used to transfer files and manage systems, they make it possible for an attacker to capture authentication credentials from the wire.
The likelihood of the credentials being captured is significant when establishing connections from another country, in light of the latest NSA revelations. For example, United Kingdom’s GCHQ captures all traffic passing their Internet exchange points and France does their own monitoring. One of the largest European Internet exchange points is located in Germany. The FRA in Sweden is in essence capable of monitoring all of the outbound Finnish Internet traffic and it has been revealed that they provide access to NSA.
If, for example, governmental systems like Internet-facing routers have been managed from abroad using unencrypted protocols, it could have enabled a nation-state actor to utilize the information for malicious purposes like espionage. Access to a router can help in gaining access deeper into the governmental network or in altering the route outbound traffic takes.
The same applies to other ports used to manage servers, like the Windows RPC, NetBIOS and SMB ports, the Terminal Services and VNC remote access tools. The Terminal Services and some VNC versions can use SSL to encrypt the traffic, but having these open to the Internet makes them prone to brute force attacks.
FTP is a good solution to use if it is used only to serve public files anonymously.
Chart: Selection of port types. Secure mgmt 83 494 (30.94 %), Insecure mgmt 90 874 (33.68 %), Insecure FTP 67 286 (24.94 %), Proxy ports 17 760 (6.58 %), Databases 7 650 (2.84 %), Printers 2 777 (1.03 %).
2.2 Web interfaces
Other important targets are the web-based management interfaces. We do not refer to typical web servers, but the web interfaces provided by different embedded devices, printers, routers, surveillance devices etc.
After a successful installation of a product, no additional configuration hardening is usually done to the device, leaving for example the web-based management interface listening on all possible network interfaces. When the device is directly connected to the Internet, with specific device types probably by mistake, it enables anyone on the Internet to connect to the offered resources.
Such unconfigured devices can have the vendor’s default administrative credentials, unwanted services like Telnet and SNMP (Simple Network Management Protocol) and many other issues in place. In the worst case there is no password set at all. The web-based management interface can also have exploitable vulnerabilities just like typical web applications do.
The interfaces can enable an attacker to gain a foothold on the device and the information stored on it. For example certain printer models often have a hard disk which stores the printed documents for a period of time, which can give the attacker access to sensitive documents. In addition, devices offering SNMP by default with known community strings can give an attacker a wealth of information regarding internal network configuration and listening processes to use in further attacks.
If an organization has networked security cameras or video conferencing systems open for all to use and spy on, it offers many new intelligence gathering methods and attack vectors to a malicious party.
Operators selling broadband and Internet services to organizations and consumers many times have their own preferred devices and brands they offer. It can be that many of these devices offer the interfaces by default, which the seller and buyer are not aware of. Another possible reason can be that buyers get the devices directly from retailers and lack the needed know-how on setting up the devices in a secure manner.
Eventually having a foothold on an unconfigured device can lead to a situation where the attacker is able to modify and use the device to penetrate deeper into an organization network. This can lead to sensitive information and IPR leaking into the wrong hands.
Chart: Web servers. Generic 275 000 (83.26 %), Embedded/Router 38 000 (11.51 %), Management/FW/Proxy 6 500 (1.97 %), Media/Surveillance 5 000 (1.51 %), SCADA 4 100 (1.24 %), Printer 1 700 (0.51 %).
The discussed unencrypted protocols, SNMP and web interfaces contribute the most to the available attack surface. Most of the already discussed TCP ports, based on our half-year firewall data analysis, are in the TOP-10 of what attackers are looking for. The attackers probably try to find services offering a login possibility, which can then be attacked with dictionary and brute force password guessing attacks.
2.3 SCADA
There appear to be ICS/SCADA related devices directly connected to the Internet. Even though the number is not very high, an attacker can utilize for example the Internet Census or Shodan search engine (http://www.shodanhq.com/) data for initial reconnaissance to find desired targets.
The devices might be serial device servers, Ethernet-to-Serial bridges, Serial-to-IP converters, communication processors, building management systems, embedded controllers, environmental controllers, data loggers and automation systems which can control different types of processes, energy and drive engineering.
The products can have exploitable vulnerabilities, hard-coded passwords and default configurations that are exploitable by an attacker. These can help gain access to the environment or cause substantial damage to whatever the devices are controlling.
Obviously such systems should not be directly placed on the Internet.
2.4 The vulnerability landscape
A vulnerability is a flaw in computer software or configuration which, if exposed, allows an attacker to exploit it with unintended consequences. Such unintended consequences can for example be a crash of the software, execution of attacker-provided code with the privileges of the affected process or unauthorized access to data.
We provided the Nixu Watson vulnerability management service (http://www.nixu.com/en/solution/nixu-watson) a list of extracted service banners for many of the vendors in the TOP-lists presented in Chapter 5. The services we focused on were FTP (File Transfer Protocol), SSH (Secure Shell), SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System), DB (databases) and WWW (Web servers and additional web server components like PHP).
Chart: Total amount of CVEs. High 326 (33.10 %), Medium 577 (58.58 %), Low 82 (8.32 %).
The chart above shows the amount of unique vulnerabilities Nixu Watson discovered based on the banner versions. There were potentially 326 High-level, 577 Medium-level and 82 Low-level vulnerabilities present in the list of 693 different software versions. (See Chapter 6 for more details.)
Another troubling discovery is that there are databases, the crown jewels for many, directly open to the Internet. A well configured and hardened database that is kept updated may be relatively secure, but in our opinion it is still not an advisable practice.
HTTP, HTTPS, SSH, FTP, Telnet and SMTP are the protocols which are most commonly available in the Finnish landscape. (See chapter 4.1 TOP-40 port list)
For these protocols there are also one or two specific server software that dominate the landscape, making any remotely exploitable vulnerability in these a lucrative target for the attackers, if they aim to get as many systems as possible under their control.
2.5 Recommendations
It is recommended for an organization to verify what assets it has directly connected to the Internet. If it turns out there are devices that should not be directly accessible, place them behind a properly configured firewall in the correct network segment. This allows control over which internal or external networks can connect to them.
If the configuration or software/firmware patch level of the asset contains clear deficiencies which an attacker could have exploited, performing an assessment or re-installation and configuration of the asset is advisable assuming such actions are possible.
Using encrypted protocols for remote management, such as SSH with public key authentication or VPN, is strongly recommended. In case Telnet is the only option, this should be placed listening on a separate network interface not visible to the Internet, and which allows access only from a management network segment.
The brute force potential in many of the mentioned management services can be tackled with SSH public key authentication, if that is a viable option. For web-based interfaces the mechanism has to be built in. If FTP is supposed to be used with real credentials to access files, use an FTP server that uses SSL. Another alternative is to use SFTP or SCP, which are part of the SSH software package.
Operators that sell devices to customers and organizations are recommended to analyze the available attack surface of their products, harden the configurations and offer pre-configured devices. It is also advisable to provide proper instructions on how to take a device securely into use. This doesn’t however solve the problem of customers buying devices directly. The only sensible way to solve this problem is to require the manufacturers to provide the devices in a secure-by-default configuration.
The most vulnerable service category was the web servers and related additional web-based components, especially older versions of Apache and PHP. Based on our analysis the typical role for a server in Finland offering services to the Internet is an Apache HTTP server. Overall, based on the vulnerability data there were thousands of vulnerable systems present during the scan period.
Organizations should also have clear policies on how devices should be configured, placed on the network and managed, to ensure these pose minimal risk to the rest of the organization network. Proper vulnerability management processes ensure hosts are kept updated with the latest patches.
For the SCADA devices there is a simple recommendation. If connecting from a remote location is absolutely necessary, these should be heavily firewalled or behind a VPN (Virtual Private Network) connection. Additionally, allowing only a small set of IP addresses and trusted users is advisable.
Databases should preferably be run in their own firewalled segment with restricted access to the database port. Alternatively, on systems running both the application and database, the database should be set to listen only on a local port or socket to minimize the available attack surface.
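The database recommendation above (listen only on a local port or socket, or on a management interface) can be checked on the host itself. The following Python script is an added example, not Nixu's tooling: it parses the output of `ss -ltn` on Linux and flags sensitive services bound to every interface. The port list comes from the report's section 4.3 table plus Telnet (1521 stands in for the report's "152x" Oracle entry), and both listener listings below are constructed, one as found on an unhardened host and one after the fix.

```python
"""Local listener audit for the report's bind-address recommendation.
Added example, not Nixu's own tooling.  Input: text of `ss -ltn` (Linux);
the two listings below are constructed samples."""

# Database defaults from the report's section 4.3 table (1521 stands in for
# "152x" Oracle) plus Telnet (23).  Port 22 is deliberately absent: the
# report accepts SSH with public key authentication on the Internet.
SENSITIVE_PORTS = {
    3306: "MySQL", 1433: "MS-SQL", 5432: "PostgreSQL",
    1521: "Oracle", 27019: "MongoDB", 23: "Telnet",
}
# Spellings ss uses for "all interfaces", IPv4 and IPv6.
WILDCARD_ADDRESSES = {"0.0.0.0", "*", "::", "[::]"}

# Constructed: an unhardened host, MySQL and Telnet reachable on every interface.
WEAK_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     *:23                 *:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
"""

# Constructed: the same host after the fix.  MySQL bound to loopback and
# Telnet bound to a management interface address (10.10.0.5 is made up).
HARDENED_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     10.10.0.5:23         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return [(local_address, port)] for every LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or something else than a listening socket
        address, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        listeners.append((address, int(port)))
    return listeners


def wildcard_sensitive_listeners(ss_output):
    """Sensitive services bound to all interfaces, as sorted (port, service, address)."""
    return sorted(
        (port, SENSITIVE_PORTS[port], address)
        for address, port in parse_listeners(ss_output)
        if port in SENSITIVE_PORTS and address in WILDCARD_ADDRESSES
    )


if __name__ == "__main__":
    for label, listing in (("weak", WEAK_SS_OUTPUT), ("hardened", HARDENED_SS_OUTPUT)):
        hits = wildcard_sensitive_listeners(listing)
        print(f"{label}: {hits if hits else 'no sensitive service bound to all interfaces'}")
```

On a live host the listing would come from `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`; the parser only relies on the first and fourth columns, so the extra Process column printed by `ss -ltnp` does not disturb it.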
From a national security perspective it would be a very interesting exercise to do a more in-depth analysis of the governmental and critical infrastructure networks and systems, with actual cross-references of the different data sets and vulnerability information available. This could give the government an initial tool to start the work in analyzing the available attack surface and possible threats regarding their Internet presence, and improve security as a part of the Finnish Cyber Security Strategy.
As a suggestion, this could be included in the Finnish Cyber Security Strategy as one point to enforce, to ensure operators provide citizens and organizations devices with hardened configurations. Countries should together push a global initiative to require that manufacturers ship the devices and software in a secure-by-default configuration.
3 Operating System analysis
The operating system data was extracted out of the data sets. We did the required comparisons against the NMap OS database. In total there were over 119 000 fingerprints present in the data. This data was divided into different categories containing the most common vendors / products in the category. The categories were selected for the following reasons:
All fingerprints – Provides an overview of all the vendors / products.
Common OS – Shows the most common typical operating systems that are run on servers, computers and in some cases, consumer devices.
Linux kernel – This helps determining if there are very old and possibly insecure systems present out there. It also shows the adoption of the new 3.x series kernels.
Windows versions – Breakdown of Windows OSes directly contributes to the vulnerability landscape, describing how many old systems exist that may be vulnerable to attack
Firewall / Switch / Routers – Getting an overview of the most used network equipment helps build a picture on what types of systems are used in typical Finnish Internet infrastructure
Home router devices – Knowledge of commonly used home networking products helps in identifying possible risk against end users
Printer devices – Printers directly accessible from the Internet is not a good corporate policy. From risk perspective these should not be on the Internet.
ICS/SCADA devices – These are systems that definitely should not be directly on the Internet and abuse of these can have big consequences.
3.1 TOP-20 all fingerprints
Below is the combined TOP-20 list of all the encountered fingerprints of different devices and operating systems, followed by a chart showing the spread of typical/common operating systems which most people are familiar with. The common operating systems accounted for over 61 000 hits, which is a bit over half of all the fingerprints present. This indicates there are a lot of different devices like routers, ADSL/cable modems, printers and other items directly accessible over the Internet. One interesting observation was over 150 Blue Coat systems, which didn’t fit in the chart.
Chart: TOP-15 Common OS / Systems
Chart: TOP-20 of all fingerprints
3.2 Linux kernel versions
There were over 43 000 hits for different IPs identified as Linux. This is a breakdown of the actual Linux kernel versions. The majority of the systems were still running the 2.6 series, but there are still systems running 2.4 and below. Some may be embedded systems in spite of the attempts to exclude them. Current Linux distributions are moving to 3.x versions. The 2.6 series started in December 2003 and the 3.x series in July 2011.
3.3 Windows versions
Microsoft Windows operating systems were running on 14 000 hosts. The following chart shows the different versions seen in the data. The amount of Windows Server 2000 and Windows XP is quite high, 1/5 of the identified hosts. Considering these are not supported anymore, it may pose a serious risk to the systems. (XP has extended support to year 2014.)
Chart: Linux kernels
Chart: Microsoft Windows
3.4 Firewall / Switch / Router devices
We grouped specific firewall, switch and routing devices into one graph, which resulted in 17 000 hits. Interestingly there are quite many Symantec gateway installations. Cisco and 3Com are the most common technologies related to routing.
3.5 Home router devices
Over 10 000 devices were identified as typical ADSL, cable or 3G routers. Also other LAN/WLAN devices were found. These are usually used in home or SOHO environments. Some devices might still be used only in businesses.
Chart: TOP-15 FW / Router / Switch vendors
Chart: TOP-15 Home routers
3.6 Printer devices
There were plenty of printing-related devices, accounting for over 3 500 hits. Some printers that did not fit the chart are for example Dell, Kyocera, Kodak and Konica. These should most probably not be directly connected to the Internet.
3.7 Possible SCADA systems
Different types of possible SCADA systems, remote access controllers and management interfaces were discovered in the data. Some of the controllers and interfaces may be purely for servers. These accounted for over 2 900 hits. Interestingly, these kinds of systems should usually not be directly accessible over the Internet.
On a separate note there were also NAS and tape library devices (527 hits).
Chart: TOP-10 Printer vendors
Chart: Possible ICS / SCADA systems
4 Port analysis
The data contained TCP SYN scan results and in addition some UDP results. We decided to skip analysis of the UDP results because of the possibility of unreliable results, and focused mainly on the TCP results. There were over 500 000 IP addresses present in the data.
The following chapters will give an overview of what the most common ports are and what kind of services the majority of the hosts are running. Analysis was also made on how many different ports were open for specific service types. These specific service types were selected for the following reasons:
Databases – Databases are typically the crown jewel attackers are looking for and it can be risky to offer these to the Internet
Unencrypted protocols – These protocols are easily intercepted, especially if using these in a hostile environment. In light of recent events, usage is not advised.
Management interfaces – Interfaces like these should in general be available only from networks that are considered adequately secure, offering many times keys to the kingdom
Different proxies – Services, when wrongly configured, can allow an attacker to hide his tracks or attack deeper into the organization
Denial of service – Breakdown of these may help understand the possible amount of Finnish hosts that could be used in DoS attacks
Possibly sensitive ports – Mistakes in configuring servers may expose services which allow an attacker to gain more information about a target
Finally we compared what ports typically get scanned and how many hosts have the scanned ports open. This gives an overview of the likelihood, or the time and resources an attacker has to use, to find a host with the port open he is looking for.
4.1 TOP-40 port list
This chart shows the TOP-40 ports that are open in the scanned hosts. The majority of the hosts run a service on port 80 and/or 443, which are usually HTTP and HTTPS. Remote access ports SSH and Telnet are also high on the list, in addition to FTP, SMTP and DNS services. These, except for Telnet, are quite typical services that are open to the Internet. It is worth mentioning that the port number used in VoIP systems is in the TOP-10.
Rank  Hosts    Port
1     404 370  80 (HTTP)
2     94 244   443 (HTTPS)
3     83 494   22 (SSH)
4     67 286   21 (FTP)
5     55 019   23 (Telnet)
6     43 920   25 (SMTP)
7     25 637   53 (DNS)
8     17 725   8080 (Proxy)
9     10 943   49152 (?)
10    9 819    5060 (SIP)
11    9 667    143
12    9 191    993
13    8 548    110
14    8 064    49154
15    7 958    135
16    7 824    1723
17    7 521    139
18    7 510    3389
19    7 073    995
20    6 645    3306
21    6 391    111
22    5 972    5900
23    5 938    554
24    5 693    445
25    3 893    10000
26    3 727    587
27    3 642    465
28    3 590    113
29    2 840    179
30    2 685    548
31    2 590    515
32    2 356    8443
33    2 189    1720
34    1 977    81
35    1 645    20
36    1 638    8000
37    1 611    2001
38    1 546    2000
39    1 489    1025
40    1 435    5666
4.2 Ports open, counted by hosts
This list shows the number of open ports, counted by the number of hosts. It gives an overview of the attack surface an attacker can have available. The higher the number of open ports, the higher the probability of finding a vulnerable service on a specific host.
Typically a server dedicated to one specific task should have only a couple of services open. When a server acts in a multi-purpose role the port count is higher, to a certain level. Five open ports and above starts to indicate that there is definitely a lack of proper hardening and improper usage of firewall technology.
From a security perspective, hosts that have over 20 open services raise the question of how it is possible to have so many ports open. The answer can’t really be known: it could be erroneous responses to received packets, dynamically opened client ports or some host-based IPS system which makes the port scan results unreliable by showing a lot of ports open.
Open ports  Amount of hosts
1           321 184
2           86 042
3           31 498
4           42 968
5           12 745
6           4 614
7           2 518
8           1 809
9           1 194
10          1 068
11          839
12          960
13          403
14          311
15          146
16–20       247
21–25       42
26–32       8
33–48       184
49–68       209
71–100      114
101–150     146
151–201     115
206–245     15
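The per-host open-port count in the table above, and the OK / Not OK split with the "4 and less" threshold used in the Analysis Summary, can be reproduced from raw scan records. The following Python script is an added example, not Nixu's own tooling: it assumes the SYN scan results are available as (ip, port) records, uses 192.0.2.0/24 as a constructed stand-in for the Finnish address list, and works on a handful of constructed records rather than the census data.

```python
"""Per-host open-port counts and the report's "healthy" split (four open ports
or fewer).  Added example, not Nixu's own tooling; assumes scan results are
(ip, port) records from a TCP SYN scan and uses 192.0.2.0/24 as a constructed
stand-in for the Finnish address list."""
import ipaddress
from collections import Counter

HEALTHY_MAX_PORTS = 4  # section 2: "Healthy amount of open ports (4 and less)"

# Constructed stand-in for the national address list (the real one held
# 13,782,236 addresses and would be loaded from a file).
NATIONAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample records: one (ip, open_port) pair per positive SYN scan
# response.  The same pair may appear twice when a host was probed repeatedly.
SCAN_RECORDS = [
    ("192.0.2.10", 80),
    ("192.0.2.11", 80), ("192.0.2.11", 443),
    ("192.0.2.12", 21), ("192.0.2.12", 22), ("192.0.2.12", 23), ("192.0.2.12", 80),
    ("192.0.2.13", 21), ("192.0.2.13", 22), ("192.0.2.13", 23), ("192.0.2.13", 80),
    ("192.0.2.13", 8080), ("192.0.2.13", 3306), ("192.0.2.13", 80),
    ("198.51.100.5", 22), ("198.51.100.5", 80),  # outside the national list
]


def in_scope(ip, networks):
    """True when ip falls inside one of the address blocks under study."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def ports_by_host(records, networks):
    """Collapse (ip, port) records into {ip: set_of_open_ports} for in-scope hosts.
    A set per host removes duplicate responses for the same port."""
    hosts = {}
    for ip, port in records:
        if in_scope(ip, networks):
            hosts.setdefault(ip, set()).add(port)
    return hosts


def open_port_histogram(hosts):
    """{number_of_open_ports: number_of_hosts}, the shape of the section 4.2 table."""
    return Counter(len(ports) for ports in hosts.values())


def healthy_split(hosts, max_ports=HEALTHY_MAX_PORTS):
    """(ok_hosts, not_ok_hosts, ok_percentage) using the report's threshold."""
    ok = sum(1 for ports in hosts.values() if len(ports) <= max_ports)
    not_ok = len(hosts) - ok
    ok_pct = round(100.0 * ok / len(hosts), 2) if hosts else 0.0
    return ok, not_ok, ok_pct


if __name__ == "__main__":
    hosts = ports_by_host(SCAN_RECORDS, NATIONAL_NETWORKS)
    for n_ports, n_hosts in sorted(open_port_histogram(hosts).items()):
        print(f"{n_ports:>3} open ports: {n_hosts} hosts")
    ok, not_ok, ok_pct = healthy_split(hosts)
    print(f"OK (<= {HEALTHY_MAX_PORTS} ports): {ok}  Not OK: {not_ok}  OK share: {ok_pct} %")
```

The address filter uses the standard `ipaddress` module, so the same code accepts a real list of prefixes; the threshold is a parameter because a server in a multi-purpose role may legitimately sit a little above four.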
The following charts show what the open ports are for hosts that have up to four ports open. This gives an overview what the majority of the landscape looks like in terms of open ports. As a summary, the majority of scanned hosts act in web server roles. The more ports are open, the more diverse it gets what is open on the hosts.
The majority of the hosts have only one port open, which is HTTP. This means that most of the hosts scanned act as web servers, and HTTP is the most useful port for an attacker when looking for live targets.
About 64 % of hosts which have two ports open are serving HTTP and/or HTTPS, which again increase the attack surface on the web server side. 10 % of hosts also have SMTP open.
Chart: TOP-25 ports for 1 open port
Chart: TOP-25 ports for 2 open ports
Hosts having three ports open still have a large share of web server related ports open, but are more diversified in available services. The most common services are HTTP, HTTPS, FTP, SSH and Telnet.
Interestingly, when hosts have four ports open, most of the open services are HTTP, SSH, FTP and Telnet. An organization (or home users) may want to provide their own web pages, remote access and a file service to the Internet, but having the Telnet port open as well is a mystery. These could be badly configured home router systems.
TOP-25 ports for 3 open ports
TOP-25 ports for 4 open ports
4.3 Database ports
This lists the default ports of the databases we decided to look at: MS-SQL, MongoDB, PostgreSQL, DB2, Sybase, Oracle and MySQL.
Databases should never be exposed directly to users, as that makes it much easier to abuse software vulnerabilities, weak password policies and default configurations.

Amount   Port                 Database
6 645    3 306                MySQL
872      1 433                MS-SQL
102      523, 500xx, 600xx    DB2
16       5 432                PostgreSQL
13       152x                 Oracle
1        2 048                Sybase
1        27 019               MongoDB

4.4 Unencrypted protocol ports
Unencrypted protocols provide no transport layer protection, which in essence allows credentials to be captured from network traffic.
Network devices often have Telnet enabled by default, while SSH has to be enabled separately; a Telnet port open to the Internet therefore indicates a lack of hardening. These services should in general be replaced with their secure counterparts where possible, and most of them should not be open to the Internet at all.

Amount   Port   Service
67 286   21     FTP
55 019   23     Telnet
1 043    514    rshell
46       513    rlogin
25       512    rexec
4.5 Management interface ports
In addition to Telnet and the r-services above, there are other common management ports that allow remote administration of or access to hosts. Many of these do not encrypt data in transit by default; securing the transport layer requires extra configuration or an additional component, for example tunnelling the service over SSH.
There is usually no good reason to expose these ports directly to the Internet, with the exception of SSH with public key authentication. Even on internal networks access should be restricted to specific IP addresses or to management networks where possible.

Amount   Port         Service
83 494   22           SSH
7 958    135          MS-RPC
7 521    139          NetBIOS
7 510    3 389        RDP
6 038    580x, 590x   VNC
5 693    445          SMB
12       5 631        PCAnywhere
9        4 899        Radmin

4.6 Proxy ports
The ports below are commonly associated with proxies. Attackers (and ordinary users) constantly look for open proxies to hide their tracks or to bypass the country-level access restrictions that some services apply. Keep in mind that port 8080 is also commonly used by Apache Tomcat, so the count for it includes application servers as well as proxies.
In the worst case a misconfigured proxy allows remote access to internal assets and can lead to an organization-wide compromise. There is usually no reason to make an internally used proxy directly reachable over the Internet.

Amount   Port     Service
17 725   8 080    Multiple
12       1 080    Socks
11       3 128    Squid
11       9 415    PPLive
1        33 849   Socks
4.7 Denial of service ports
The services typically used in denial of service attacks against a third party are UDP services, especially echo, chargen and DNS. The attacker spoofs the source address of its requests with the victim's IP address, so that all responses are directed at the victim. We found a fairly low number of these TCP ports open, except for DNS. Where the TCP port of one of these services is enabled, the UDP port is usually enabled as well.
The existence of these ports indicates a lack of proper hardening: they are default services with no "real" use and should be disabled (DNS may actually be in use). The problem with DNS is that it can be misconfigured as an open resolver, which can then be used in amplification attacks.

4.8 Printing ports
Network-enabled printers allow printing without a cable connection to the printer, and operating systems can also share printers with the rest of the network. These printing services should not be left directly on the Internet, because of the obvious possibilities for abuse and data leakage.
Printers also tend to have administrative interfaces, and it is always possible that these are still in their default configuration. Like any software, printer firmware can contain exploitable vulnerabilities.

4.9 Other sensitive ports
This is a small selection of sensitive ports that should not be directly on the Internet; it is by no means a comprehensive list. These would allow further enumeration and possibly further access to resources.

Amount   Port   Service
25 637   53     DNS
62       7      Echo
50       13     Daytime
41       37     Time
40       19     Chargen

Amount   Port    Service
2 590    515     LPD
136      631     CUPS
50       9 100   HP JetDirect
1        1 782   HP-HCIP

Amount   Port           Service
6 391    111            Portmapper
1 401    600x           X Window System
130      389, 636       LDAP
45       1 900, 2 869   UPnP
18       2 049          NFS
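As an added example (not from the Nixu report), the following Python builds a minimal DNS query and parses the response header the way an open-resolver check does: a server that sets the RA (recursion available) flag and answers with RCODE 0 to a recursive query is acting as an open resolver, and the response/query size ratio is the amplification an attacker would get from it. The same builder issues the version.bind CHAOS TXT query used for the DNS banners in section 5.11. No network is used: the response is constructed inline by a helper that exists only to exercise the parser, and the version string in it is made up.

```python
"""DNS query builder and response parser for open-resolver checks (added example)."""
import struct

QTYPE_A, QTYPE_TXT = 1, 16
QCLASS_IN, QCLASS_CH = 1, 3


def encode_name(name):
    """'version.bind' -> b'\\x07version\\x04bind\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, qclass=QCLASS_IN, txid=0x1234, rd=True):
    """Wire-format DNS query; rd=True asks for recursion, which an open-resolver probe needs."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(buf):
    """Header flags plus the text of any TXT answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4           # QTYPE + QCLASS
    txt = []
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT:                  # RDATA is a sequence of length-prefixed strings
            p = 0
            while p < len(rdata):
                n = rdata[p]
                txt.append(rdata[p + 1:p + 1 + n].decode("latin-1"))
                p += 1 + n
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),   # QR
        "ra": bool(flags & 0x0080),            # Recursion Available: set by an open resolver
        "rcode": flags & 0x000F,
        "answers": an,
        "txt": txt,
    }


def open_resolver_verdict(query, response):
    """(is_open_resolver, amplification_factor) for a recursive query and its response."""
    r = parse_response(response)
    is_open = r["is_response"] and r["ra"] and r["rcode"] == 0
    return is_open, len(response) / len(query)


def constructed_response(query, txt_value, ra=True):
    """CONSTRUCTED sample answer to a TXT query, only to exercise the parser; not real server output."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 if ra else 0x8100           # QR + RD (+ RA)
    question = query[12:]
    rdata = bytes([len(txt_value)]) + txt_value.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer
```

In practice the query is sent with a UDP socket to port 53 of the host under test; the RA flag tells you whether the server is willing to recurse for arbitrary clients, and the amplification factor is what makes such a server attractive for reflected attacks. A query for a large record type gives a much larger ratio than the small TXT answer constructed here.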
4.10 Firewall data comparison
Nixu collects firewall data and analyzes from time to time which ports are typically scanned by attackers and malware. The table below compares how often a specific port is targeted, based on half a year's firewall data (the Top column is the port's rank by scan frequency), with how many hosts actually have that port open in the census data.
A zero result can mean that the Internet Census did not include the port in the port scan.

Top   Open      Port (service)
1     5 693     445 (NetBIOS)
2     83 494    22 (SSH)
3     55 019    23 (Telnet)
4     872       1 433 (MS-SQL)
5     7 510     3 389 (RDP)
6     7 958     135 (MS-RPC)
7     17 725    8 080 (Proxy)
8     6 645     3 306 (MySQL)
9     404 370   80 (HTTP)
10    5 972     5 900 (VNC)
11    94 244    443 (HTTPS)
12    43 920    25 (SMTP)
13    9         4 899 (Radmin)
14    7 521     139 (NetBIOS)
15    8 548     110 (POP3)
16    67 286    21 (FTP)
17    2 356     8 443 (HTTPS alternate)
18    12        1 080 (Socks)
19    11        3 128 (Squid)
20    0         5 038
21    10        6 666
22    12        5 631 (PCAnywhere)
23    1         30 670
24    16        5 901 (VNC)
25    28        8 081
26    0         3 790
27    1 638     8 000 (HTTP alternate)
28    16        8 088
29    1         6 675
30    1         8 880 (HTTP alternate)
31    9 667     143 (IMAP)
32    0         6 674
33    0         65 500
34    208       88 (Kerberos)
35    1         8 090
36    18        9 090
37    1 977     81 (HTTP alternate)
38    0         3 127
39    25 637    53 (DNS)
40    0         44 609
5 Serviceprobe analysis
We decided to look at protocols whose server responses carry identifying information in a relatively easy, human readable form. Almost all of these are present in the TOP-10 open ports list or are scanned relatively often.
Analysed in depth, this data can give an overview of the general vulnerability landscape as it was nearly a year ago. For this paper we mainly focused on the high-level vendors and products, to understand which software is most used; the exception is the MS-SQL and MySQL data, which contain only version numbers.
We took the most common web-based ports, combined them into one large data set and then attempted to identify the server versions. The ports used were 80, 81, 82, 83, 8 000, 8 080, 8 880, 8 888, 443 and 8 443. The data was divided into categories. For many IPs there were multiple responses present in the data, and no attempt was made to deduplicate them, which skews the results somewhat.
We also extracted data from FTP (21), SSH (22), Telnet (23), SMTP (25), DNS (53), SNMP (161), IMAP (143), MS SQL (1 434) and MySQL (3 306).
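As an added example (not the report's own classifier), the following Python shows the kind of banner processing behind sections 5.1 to 5.6: it splits an HTTP Server header into product, version and OS tag, sorts each banner into a category with an ordered rule list, and counts products per category, which is the shape of the TOP-N charts. The banners and the category rules are constructed for illustration; the product names in the rules are assumptions about what such banners look like, not a list taken from the census data.

```python
"""Classify HTTP Server banners into section 5 style categories (added example)."""
import re
from collections import Counter

# CONSTRUCTED sample Server header values, not census data.
SAMPLE_BANNERS = [
    "Apache/2.2.3 (CentOS)",
    "Microsoft-IIS/6.0",
    "nginx/1.2.1",
    "lighttpd/1.4.28",
    "RomPager/4.07 UPnP/1.0",
    "micro_httpd",
    "HP-ChaiSOE/1.0",
    "Apache",                  # product only, no version at all
    "Boa/0.94.14rc21",
    "Squid/3.1.10",
]

# Ordered (category, pattern) rules; the first match wins, so specific categories go before "generic".
CATEGORY_RULES = [
    ("printer",  re.compile(r"HP-ChaiSOE|EWS-NIC|Virata-EmWeb|Lexmark", re.I)),
    ("proxy",    re.compile(r"Squid|Privoxy|Polipo|Varnish", re.I)),
    ("embedded", re.compile(r"RomPager|micro_httpd|Boa/|thttpd|mini_httpd|uhttpd|GoAhead", re.I)),
    ("generic",  re.compile(r"Apache|Microsoft-IIS|nginx|lighttpd", re.I)),
]

# Product[/version][ (os)] ... ; the version must start with a digit so "Apache" alone yields no version.
BANNER_RE = re.compile(
    r"^\s*(?P<product>[A-Za-z][\w.\-]*)(?:/(?P<version>\d[\w.\-]*))?(?:\s+\((?P<os>[^)]*)\))?"
)


def parse_banner(banner):
    """Split 'Product/version (os) ...' into its parts; missing parts are None."""
    m = BANNER_RE.match(banner)
    if not m:
        return {"product": None, "version": None, "os": None}
    return m.groupdict()


def classify(banner):
    """Category name for a banner, 'other' when no rule matches."""
    for category, pattern in CATEGORY_RULES:
        if pattern.search(banner):
            return category
    return "other"


def summarize(banners):
    """Category -> Counter of products, i.e. the data behind a TOP-N chart per category."""
    out = {}
    for banner in banners:
        product = parse_banner(banner)["product"] or "unknown"
        out.setdefault(classify(banner), Counter())[product] += 1
    return out


if __name__ == "__main__":
    for category, products in summarize(SAMPLE_BANNERS).items():
        print(category, products.most_common())
```

Two things from the report carry over directly: responses are not deduplicated per IP here either (call it once per host if that matters), and the rule order decides the category, so a banner like "Squid/3.1.10" lands in the proxy category even though Squid is a web-facing server.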
5.1 WWW – Generic Web-servers
The chart below shows the TOP-11 web servers encountered in the data. There were over 275 000 hits in total for generic web servers. Based on the hits, Apache is clearly the most used web server and Microsoft second; beyond those, a varied set of web servers is in use.
The second chart shows the rest of the generic web servers; the percentages were calculated from the number of these, which was over 6 500 hits.
TOP-11 web servers (count at least 1 000)
Other generic web servers (count below 1 000)
5.2 WWW – Embedded servers and network router servers
The chart shows the TOP-20 embedded devices and network routers. This category got over 38 000 hits. A few hits that did not fit in the TOP list are listed here separately: EksosM, Conexant, Adapec, Netgear, Alcatel-Lucent.
5.3 WWW – Firewall, proxy and management servers
The chart shows the TOP-15 firewall, proxy and management servers, which accounted for over 6 500 hits. There were also other interesting services, such as Bomgar, which did not fit in the TOP list.
TOP-20 Embedded devices and routers
TOP-15 Firewall, proxy and management servers
5.4 WWW – Printer servers
Nine different printer web servers were identified in the data, accounting for over 1 700 hits. The chart below shows that HP printer web services are the most commonly exposed.
5.5 WWW – Media and surveillance servers
This category contains servers that stream media such as audio and video. It includes TVs, radios, DVB systems and video surveillance systems, and these accounted for 5 000 hits. Some interesting systems that did not fit in the TOP list: Tandberg, IndigoVision.
TOP-9 Printer web servers
TOP-25 Media / Surveillance servers
5.6 WWW – Possible SCADA-related servers
There were twenty different servers that may be SCADA-related. From the list we decided to remove WinCE, which alone accounted for over 2 600 servers: it is used mainly in small devices, and its presence indicates that these devices should not be accessible over the Internet. In total there were over 4 100 hits.
5.7 FTP Servers
This category contains the TOP-10 FTP servers identified in the data. There were over 49 000 hits, which shows that FTP is still widely used. TP-LINK and ProFTPD are the two most common servers, with vsFTPd close behind.
TOP-16 Possible SCADA servers (excluding 2 676 WinCE hosts)
TOP-10 FTP servers (60 % were unknown)
5.8 SSH Servers
The TOP-10 SSH servers held no surprise: OpenSSH and Dropbear dominate. In total there were over 23 000 hits. The commercial SSH Secure Shell and Tectia SSH servers were also found, but did not fit in the TOP list.
5.9 Telnet servers
The Telnet data contained over 17 000 hits. The surprise in the TOP-10 list is the number of SIP/VoIP related devices and home routers. The "User Access Verification" (UAV) prompt may come from many devices, for example Cisco.
TOP-10 SSH servers
TOP-10 Telnet servers (32 % were unknown)
5.10 SMTP Servers
The TOP-10 list for SMTP contained over 79 000 hits, the majority of them unknown. Postfix, Microsoft, Sendmail and Exim were, as expected, at the top of the list. There was also a fair number of SMTP security gateways.
5.11 DNS Servers
There were not many different DNS servers present; the category amounted to over 11 000 hits. BIND is the most common DNS server, over 20 % refused to reveal their version, and dnsmasq came third.
TOP-10 SMTP servers (84 % were unknown)
DNS servers
5.12 IMAP Servers
There were over 8 500 IMAP hits. The Unknown category contains IMAP servers whose responses did not carry much identifying information. Dovecot, UW IMAP and Courier are the most commonly identified.
5.13 SNMP Servers
This category contains identified SNMP servers that responded to the "public" SNMP community string. There were over 17 000 hits. The Random category contains addresses, names and obscure serial numbers. The most common appear to be home/SOHO router devices. SCADA-related devices were also identified in the data.
TOP-10 IMAP servers
TOP-10 SNMP servers
5.14 MS SQL Servers
The version strings in the data were translated into actual MS SQL Server versions and service packs. There were about 1 000 hits in this category. The most common was MS SQL Server 2005 SP4, which is out of mainstream support; however, some 2005 versions are still under extended support according to Microsoft's pages.
5.15 MySQL Servers
There were over 1 200 hits for different MySQL servers that returned a version string. A further 590 hosts, which instead answered that the connecting host is not allowed to connect to the server, were removed from the results. Some relatively old versions were encountered.
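The split between hosts that return a version string and hosts that refuse the connection comes straight from the first packet a MySQL server sends. As an added example (not the report's tooling), the following Python parses that packet: a HandshakeV10 greeting carries the version string right after the protocol byte, while an ERR packet (first byte 0xFF) carries an error code, and code 1130 is the "Host ... is not allowed to connect" refusal. The two sample packets are constructed inline with a small framing helper; the version and the address in them are made up.

```python
"""Extract the MySQL version from the server greeting, or recognise a refusal (added example)."""
import struct
from collections import Counter

ER_HOST_NOT_PRIVILEGED = 1130


def split_packet(data):
    """MySQL framing: 3-byte little-endian payload length, 1-byte sequence id, payload."""
    if len(data) < 4:
        raise ValueError("short packet")
    length = data[0] | (data[1] << 8) | (data[2] << 16)
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return data[3], payload


def parse_greeting(data):
    """{'kind': 'handshake', 'version': ..., 'connection_id': ...} or {'kind': 'error', 'code': ..., 'message': ...}."""
    _seq, p = split_packet(data)
    if p[0] == 0xFF:                            # ERR packet
        code = struct.unpack("<H", p[1:3])[0]
        msg = p[3:]
        if msg[:1] == b"#":                     # protocol 4.1 form: '#' + 5-char SQLSTATE before the message
            msg = msg[6:]
        return {"kind": "error", "code": code, "message": msg.decode("utf-8", "replace")}
    if p[0] == 0x0A:                            # Protocol::HandshakeV10
        end = p.index(b"\x00", 1)               # server_version is NUL-terminated
        version = p[1:end].decode("ascii", "replace")
        connection_id = struct.unpack("<I", p[end + 1:end + 5])[0]
        return {"kind": "handshake", "version": version, "connection_id": connection_id}
    return {"kind": "unknown", "first_byte": p[0]}


def frame(payload, seq=0):
    """Wrap a payload in MySQL framing; used here only to CONSTRUCT sample packets."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# CONSTRUCTED sample greetings, not captured traffic. The handshake fields after the
# version (connection id, auth data, capability flags, charset, status, reserved bytes)
# are filled with placeholder values in the right positions.
SAMPLE_HANDSHAKE = frame(
    b"\x0a" + b"5.1.73-log\x00" + struct.pack("<I", 42) + b"A" * 8 + b"\x00"
    + b"\xff\xf7" + b"\x08" + b"\x02\x00" + b"\x00\x00" + b"\x00" + b"\x00" * 10 + b"B" * 13
)
SAMPLE_REFUSED = frame(
    b"\xff" + struct.pack("<H", ER_HOST_NOT_PRIVILEGED) + b"#HY000"
    + b"Host '203.0.113.5' is not allowed to connect to this MySQL server"
)


def count_versions(packets):
    """(Counter of version strings, number of refused hosts), the split used in section 5.15."""
    versions, refused = Counter(), 0
    for pkt in packets:
        g = parse_greeting(pkt)
        if g["kind"] == "handshake":
            versions[g["version"]] += 1
        elif g["kind"] == "error" and g["code"] == ER_HOST_NOT_PRIVILEGED:
            refused += 1
    return versions, refused
```

Note that a refusal by error 1130 is a host-based ACL in the MySQL user table, not a firewall: the port is still open to the Internet and the server still identifies itself as MySQL, so such hosts belong in the database port counts of section 4.3 even though they yield no version.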
TOP-10 MS SQL servers
MySQL servers
6 Vulnerability Analysis
Looking back one year and beyond at the generic vulnerability landscape for the service versions present in the TOP lists, the vulnerabilities were mostly in the denial of service (DoS) category. This was not an extensive mapping exercise in which the vulnerabilities were analysed thoroughly, but it gives a general idea of the state of patching.
The Nixu Watson vulnerability management service processed the extracted service banners for the selected TCP ports we wanted to look at (FTP, SSH, SMTP, DNS, DB, WWW). This produced 326 High-, 577 Medium- and 82 Low-severity unique vulnerabilities with a Common Vulnerabilities and Exposures (CVE) identifier.
Because many distributions backport security patches without changing the advertised version, and because some vulnerabilities also depend on the hardware architecture, banner-based findings may be false positives. For operating systems and certain services there was no easy way to determine the current patch level, other than the possible End-of-Life state of the product.
The CVE distribution chart shows how the CVEs are spread between protocols; the number in parentheses after each protocol is the number of different software versions in that category. The WWW-add category covers technologies such as OpenSSL, PHP, mod_jk and other modules that can be used in a web server.

Total amount of CVEs: High 326 (33.10 %), Medium 577 (58.58 %), Low 82 (8.32 %)

CVE distribution between protocols (chart; High, Medium and Low per category): FTP (51), SSH (56), DNS (3), SMTP (32), Database (84), WWW (209), WWW-add (258)
From a purely numeric viewpoint, the most vulnerable components were old Apache and PHP versions. In total there were 693 different software versions present in the banner data. When examining the latest high-severity vulnerabilities in each category, the following CVEs were found to be the most serious (denial of service issues excluded):
CVE-2011-4130: ProFTPD use-after-free, remote code execution
CVE-2012-0920: Dropbear SSH server use-after-free, remote code execution
CVE-2011-1407: Exim DKIM remote code execution
CVE-2009-2500: GDI+ could allow remote code execution in MS-SQL
CVE-2012-0882: yaSSL buffer overflow allowing remote code execution in MySQL
CVE-2012-2965..CVE-2012-2967: Arbitrary code execution in Resin
CVE-2012-1823 and CVE-2012-2311: PHP allows executing arbitrary code
The following number of versions per category had no high-severity vulnerability. A version here means, for example, Apache 1.3.12 or PHP 5.3.7:
FTP: 20 / 51
SSH: 19 / 56
DNS: 1 / 3
SMTP: 6 / 32
Database: 21 / 84
WWW: 83 / 209
WWW-additional: 89 / 258
Last year a serious configuration mistake was discovered in some F5 BIG-IP product installations: they contained a known SSH private key for the root user, which essentially allowed remote administrative-level access to the product. Exploiting this depends on the SSH service being open to the Internet. No cross-checking of the OS, service and open port information was made for this.
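A known private key is detectable from the matching public key alone. As an added example (not related to any particular vendor's actual key, and not from the Nixu report), the following Python parses an authorized_keys file, computes each key's SHA256 fingerprint in the form ssh-keygen -lf prints, and reports entries whose fingerprint is on a blocklist of known-compromised keys. The keys are constructed with tiny moduli so that they are not usable RSA keys and only exercise the wire-format encoding and the hashing; the blocklist is built from one of them.

```python
"""Find known-bad public keys in an authorized_keys file by fingerprint (added example)."""
import base64
import hashlib
import struct


def ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b


def mpint(n):
    """SSH wire 'mpint' for a non-negative integer; a leading zero byte keeps the top bit clear."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_pubkey_blob(e, n):
    """OpenSSH encoding of an ssh-rsa public key: string 'ssh-rsa', mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def fingerprint(blob):
    """SHA256 fingerprint in OpenSSH's display form: base64 without padding, prefixed 'SHA256:'."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (keytype, blob, comment) per key line; blank and '#' lines are skipped, options are tolerated."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):          # an options field may precede the key type
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                yield tok, base64.b64decode(parts[i + 1]), " ".join(parts[i + 2:])
                break


def find_known_keys(text, blocklist):
    """(keytype, fingerprint, comment) for every entry whose fingerprint is in blocklist."""
    hits = []
    for keytype, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp in blocklist:
            hits.append((keytype, fp, comment))
    return hits


# CONSTRUCTED keys with tiny moduli (never valid RSA keys), only to exercise parsing and hashing.
KNOWN_BAD_BLOB = rsa_pubkey_blob(65537, 0xC0FFEE1234567890ABCDEF)
OTHER_BLOB = rsa_pubkey_blob(65537, 0xDEADBEEF0123456789ABCDEF)
KNOWN_BAD_FINGERPRINTS = {fingerprint(KNOWN_BAD_BLOB)}
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample file\n"
    f"ssh-rsa {base64.b64encode(KNOWN_BAD_BLOB).decode()} vendor-support-key\n"
    f'from="10.0.0.0/8" ssh-rsa {base64.b64encode(OTHER_BLOB).decode()} admin@example\n'
)

if __name__ == "__main__":
    for keytype, fp, comment in find_known_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_BAD_FINGERPRINTS):
        print(f"known key: {keytype} {fp} {comment}")
```

The same fingerprint comparison works on SSH host keys collected by a scanner, which is how shared or vendor-baked keys show up across many unrelated hosts. Note that an options field containing spaces inside quotes would need a proper tokenizer; the simple split above assumes the common unquoted-space-free form.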
7 References
Internet Census 2012 project: http://internetcensus2012.bitbucket.org/
Downloadable data: http://internetcensus2012.bitbucket.org/download.html
Wikipedia article on the Carna botnet: http://en.wikipedia.org/wiki/Carna_Botnet
CVE information: http://cve.mitre.org/about/index.html
Nixu Watson: http://www.nixu.com/en/solution/nixu-watson
Copyright © 2013 Nixu Oy/Ltd. All Rights Reserved.
Nixu Ltd is the largest consulting company for information security in the Nordic countries. Our corporate clients trust Nixu for developing, implementing and assessing their information security related processes and systems as an independent advisor. We ensure our clients' information responsibility by taking care of business continuity, ease of access to digital services and customer data protection.
www.nixu.fi  Twitter: @nixutigerteam
Nixu Ltd, P.O. Box 39 (Keilaranta 15), FI-02151 Espoo, Finland
Telephone: +358 9 478 1011  Fax: +358 9 478 1030  VAT number: 0721811-7  Internet: www.nixu.fi