Analysis of the Internet Census data: The Finnish Cyber Landscape, October 2013

Upload: teppo-testaaja, 28-Nov-2015

Page 1: Analysis of the Internet Census Data Nixu October 2013

Analysis of the Internet Census data

The Finnish Cyber Landscape

October 2013


Contents

1 Foreword 4
1.1 Disclaimer 4
2 Analysis Summary 5
2.1 Unencrypted protocols 6
2.2 Web interfaces 7
2.3 SCADA 8
2.4 The vulnerability landscape 8
2.5 Recommendations 9
3 Operating System analysis 11
3.1 TOP-20 all fingerprints 12
3.2 Linux kernel versions 13
3.3 Windows versions 13
3.4 Firewall / Switch / Router devices 14
3.5 Home router devices 14
3.6 Printer devices 15
3.7 Possible SCADA systems 15
4 Port analysis 16
4.1 TOP-40 port list 17
4.2 Ports open, counted by hosts 18
4.3 Database ports 21
4.4 Unencrypted protocol ports 21
4.5 Management interface ports 22
4.6 Proxy ports 22
4.7 Denial of service ports 23
4.8 Printing ports 23
4.9 Other sensitive ports 23
4.10 Firewall data comparison 24


5 Serviceprobe analysis 25
5.1 Www – Generic Web-servers 26
5.2 Www – Embedded servers and network router servers 27
5.3 Www – Firewall, proxy and management servers 27
5.4 Www – Printer servers 28
5.5 Www – Media and surveillance servers 28
5.6 Www – Possible SCADA-related servers 29
5.7 FTP Servers 29
5.8 SSH Servers 30
5.9 Telnet servers 30
5.10 SMTP Servers 31
5.11 DNS Servers 31
5.12 IMAP Servers 32
5.13 SNMP Servers 32
5.14 MS SQL Servers 33
5.15 MySQL Servers 33
6 Vulnerability Analysis 34
7 References 35


1 Foreword

A huge amount of data titled Internet Census 2012 was released earlier this year. It was acquired with a botnet named Carna between June and October 2012, which used insecure embedded devices to scan the Internet:

Overall Internet Census 2012 project information:

The data contains a lot of different scan information, like open ports, trace routes, reverse DNS queries and much more. This information provides an overview of what the Internet looked like during the time period. The data was made publicly available through the BitTorrent network. We at Nixu decided to take a look at the data from a Finnish viewpoint, and this report covers the results of this analysis. The main data items we considered interesting were operating system statistics, TCP port statistics and the results of some service probes, which contain the actual server responses. In addition, it provided a view into systems and services which should not be directly available from the Internet.

There were 13,782,236 Finnish IP addresses in our list. We isolated the data associated with these IP addresses from the complete data set. This subset was further processed and analyzed to generate statistics and draw conclusions. No correlation was done between the analyzed data sets. The analysis was done by Nixu’s Security Intelligence and Research team (Nixu SIR).

1.1 Disclaimer

Even though the data has been acquired unethically, by hacking into devices and utilizing these for scanning the Internet, doing analysis on data released to the public domain should only be viewed as a research exercise.

We think that the data is likely authentic, but there are no guarantees it is not manipulated or crafted. Also note that properly firewalled servers are not included in the data. We do not have any supporting numbers available on the total amount of Internet-connected devices that could have been fully firewalled or shut down during the port scan activity, which could have added to the analysis as another way of indicating the network posture.

When viewing this report, bear in mind that it is based only on the publicly available data, accurate or not. Even though the scan was done some time ago, we do not believe the overall picture has changed that much.

420 MILLION IP ADDRESSES THAT RESPONDED TO ICMP PING AT LEAST TWO TIMES BETWEEN JUNE 2012 AND OCTOBER 2012.


2 Analysis Summary

Finland is said to have one of the cleanest network environments, at least in terms of malware infections. However, there are potentially serious weaknesses in the Finnish cyber landscape.

A basic network reconnaissance provided by the Internet Census scan revealed that most (94.6%) of the over 500,000 hosts scanned have a relatively healthy number of open ports, i.e. four or fewer.

This means the attack surface is smaller with these hosts, but still there are tens of thousands of Internet-connected hosts with practically “open doors” for attackers. All these contribute to the available attack surface a potential attacker can try to utilize. Whether it is a common ADSL router used by thousands of end-users or one corporate printer sitting directly on the Internet, security could potentially be compromised.

The Internet Census data can be used as a valid source for reconnaissance intelligence into services running at governmental entities, industries and organizations, without the need to actively probe their networks.

An attacker could for example map the services used across the globe to enable global exploitation of widely used and vulnerable services. He could also pinpoint one single Internet-connected device to use as an entry point into the selected target organization.

We believe that the scan revealed just the tip of the iceberg of the weaknesses in Finnish networks overall when also taking into consideration the application-level vulnerabilities. Nixu has done hundreds of security assessments of systems owned by different organizations and governmental entities, and our findings support this conclusion. Four in five systems we have assessed have multiple vulnerabilities that for example allow bypassing access controls, which leads to unauthorized access to confidential data.

This in essence means that there are thousands of Internet-connected devices and information systems that are prone to eavesdropping, information gathering and other abuse even with a limited hacking skill set.

Healthy amount of open ports (4 and less)

OK (481 692): 94.56 %
Not OK (27 697): 5.44 %


The perimeter security is usually on a good level, but when inside, things tend to get worse. On the technical level the focus still tends to be perimeter-centric, revolving around firewalls, intrusion detection systems and such. Vulnerability management, system hardening and application-level security should be bolstered. Perimeter defense alone isn’t sufficient to protect against cyber threats.

Organizations should take the time to verify their Internet exposure. Regular scanning of own networks and taking action based on the results is a recommended practice.

It is worth mentioning that the data has been collected during the period of five months and analyzing this amount of data takes up resources, even with limited scope. The following chapters take a deeper look into some of the identified problem areas.

2.1 Unencrypted protocols

There is a relatively high number of devices running unencrypted protocols like FTP (File Transfer Protocol) and Telnet. If these insecure methods are actively used to transfer files and manage systems, they make it possible for an attacker to capture authentication credentials from the wire.

The likelihood of the credentials being captured is significant when establishing connections from another country, in light of the latest NSA revelations. For example, United Kingdom’s GCHQ captures all traffic passing their Internet exchange points and France does their own monitoring. One of the largest European Internet exchange points is located in Germany. The FRA in Sweden is in essence capable of monitoring all of the outbound Finnish Internet traffic and it has been revealed that they provide access to NSA.

If, for example, governmental systems like Internet-facing routers have been managed abroad using unencrypted protocols, it could have enabled a nation-state actor to utilize the information for malicious purposes like espionage. Access to a router can help gaining access deeper into the governmental network or altering the route outbound traffic takes.

The same applies to other ports used to manage servers, like the Windows RPC, NetBIOS and SMB ports, the Terminal Services and VNC remote access tools. The Terminal Services and some VNC versions can use SSL to encrypt the traffic, but having these open to the Internet makes them prone to brute force attacks.

FTP is a good solution to use if it is used only to serve public files anonymously.

Selection of port types

Secure mgmt (83 494): 30.94 %
Insecure mgmt (90 874): 33.68 %
Insecure FTP (67 286): 24.94 %
Proxy ports (17 760): 6.58 %
Databases (7 650): 2.84 %
Printers (2 777): 1.03 %


2.2 Web interfaces

Other important targets are the web-based management interfaces. We do not refer to typical web servers, but the web interfaces provided by different embedded devices, printers, routers, surveillance devices etc.

After a successful installation of a product, no additional configuration hardening is usually done to the device, leaving for example the web-based management interface listening on all possible network interfaces. When the device is directly connected to the Internet, with specific device types probably by mistake, it enables anyone on the Internet to connect to the offered resources.

Such unconfigured devices can have the vendor’s default administrative credentials, unwanted services like Telnet and SNMP (Simple Network Management Protocol) and many other issues in place. In the worst case there is no password set at all. The web-based management interface can also have exploitable vulnerabilities, just like typical web applications do.

The interfaces can enable an attacker to gain a foothold on the device and the information stored on it. For example, certain printer models often have a hard disk which stores the printed documents for a period of time, which can give the attacker access to sensitive documents. In addition, devices offering SNMP by default with known community strings can give an attacker a wealth of information regarding the internal network configuration and listening processes to use in further attacks.

If an organization has networked security cameras or video conferencing systems open for all to use and spy on, it offers many new intelligence gathering methods and attack vectors to a malicious party.

Operators selling broadband and Internet services to organizations and consumers many times have their own preferred devices and brands they offer. It can be that many of these devices offer the interfaces by default, which the seller and buyer are not aware of. Another possible reason can be that buyers get the devices directly from retailers and lack the needed know-how on setting up the devices in a secure manner.

Eventually, having a foothold on an unconfigured device can lead to a situation where the attacker is able to modify and use the device to penetrate deeper into an organization network. This can lead to sensitive information and IPR leaking into the wrong hands.

Web servers

Generic (275 000): 83.26 %
Embedded/Router (38 000): 11.51 %
Management/FW/Proxy (6 500): 1.97 %
Media/Surveillance (5 000): 1.51 %
SCADA (4 100): 1.24 %
Printer (1 700): 0.51 %


The discussed unencrypted protocols, SNMP and web interfaces contribute the most to the available attack surface. Most of the already discussed TCP ports are, based on our half-year firewall data analysis, in the TOP-10 of what attackers are looking for. The attackers probably try to find services offering a login possibility, which can then be attacked with dictionary and brute force password guessing attacks.

2.3 SCADA

There appear to be ICS/SCADA related devices directly connected to the Internet. Even though the number is not very high, an attacker can utilize for example the Internet Census or Shodan search engine (http://www.shodanhq.com/) data for initial reconnaissance to find desired targets.

The devices might be serial device servers, Ethernet-to-Serial bridges, Serial-to-IP converters, communication processors, building management systems, embedded controllers, environmental controllers, data loggers and automation systems which can control different types of processes, energy and drive engineering.

The products can have exploitable vulnerabilities, hard-coded passwords and default configurations that are exploitable by an attacker. These can help gain access to the environment or cause substantial damage to whatever the devices are controlling.

Obviously such systems should not be directly placed on the Internet.

2.4 The vulnerability landscape

Vulnerability is a flaw in computer software or configuration which, if exposed, allows an attacker to exploit it for unintended consequences. Such unintended consequences can for example be a crash of the software, execution of attacker-provided code with the privileges of the affected process or unauthorized access to data.

We provided the Nixu Watson vulnerability management service (http://www.nixu.com/en/solution/nixu-watson) a list of extracted service banners for many of the vendors in the TOP-lists presented in Chapter 5. The services we focused on were FTP (File Transfer Protocol), SSH (Secure Shell), SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System), DB (databases) and WWW (web servers and additional web server components like PHP).

The chart below shows the number of unique vulnerabilities Nixu Watson discovered based on the banner versions. There were potentially 326 High-level, 577 Medium-level and 82 Low-level vulnerabilities present in the list of 693 different software versions (see Chapter 6 for more details).

Total amount of CVEs

High (326): 33.10 %
Medium (577): 58.58 %
Low (82): 8.32 %


Another troubling discovery is that there are databases, the crown jewels for many, directly open to the Internet. A well configured and hardened database that is kept updated may be relatively secure, but in our opinion it is still not an advisable practice.

HTTP, HTTPS, SSH, FTP, Telnet and SMTP are the protocols which are most commonly available in the Finnish landscape. (See chapter 4.1 TOP-40 port list)

For these protocols there are also one or two specific server software that dominate the landscape, making any remotely exploitable vulnerability in these a lucrative target for the attackers, if they aim to get as many systems as possible under their control.

2.5 Recommendations

It is recommended for an organization to verify what assets it has directly connected to the Internet. If it turns out there are devices that should not be directly accessible, place them behind a properly configured firewall in the correct network segment. This allows control over which internal or external networks can connect to them.

If the configuration or software/firmware patch level of the asset contains clear deficiencies which an attacker could have exploited, performing an assessment or re-installation and configuration of the asset is advisable assuming such actions are possible.

Using encrypted protocols for remote management, such as SSH with public key authentication or VPN, is strongly recommended. In case Telnet is the only option, this should be placed listening on a separate network interface not visible to the Internet, and which allows access only from a management network segment.

The brute force potential in many of the mentioned management services can be tackled with SSH public key authentication, if that is a viable option. For web-based interfaces the mechanism has to be built in. If FTP is supposed to be used with real credentials to access files, use an FTP server that uses SSL. Another alternative is to use SFTP or SCP, which are part of the SSH software package.

Operators that sell devices to customers and organizations are recommended to analyze the available attack surface of their products, harden the configurations and offer pre-configured devices. It is also advisable to provide proper instructions on how to take a device securely into use. This doesn’t, however, solve the customer direct-buy problem. The only sensible way to solve this problem is to require the manufacturers to provide the devices in a secure-by-default configuration.

The most vulnerable service category was the web servers and related additional web-based components, especially older versions of Apache and PHP. Based on our analysis the typical role for a server in Finland offering services to the Internet is an Apache HTTP server. Overall, based on the vulnerability data, there were thousands of vulnerable systems present during the scan period.


Organizations should also have clear policies on how devices should be configured, placed on the network and managed, to ensure these pose minimal risk to the rest of the organization network. Proper vulnerability management processes ensure hosts are kept updated with the latest patches.

For the SCADA devices there is a simple recommendation. If connecting from a remote location is absolutely necessary, these should be heavily firewalled or behind a VPN (Virtual Private Network) connection. Additionally, allowing only a small set of IP addresses and trusted users is advisable.

Databases should preferably be run in their own firewalled segment with restricted access to the database port. Alternatively, on systems running both the application and database, the database should be set to listen only on a local port or socket to minimize the available attack surface.

From national security perspective it would be a very interesting exercise to do a more in-depth analysis of the gov-ernmental and critical infrastructure networks and systems, with actual cross-references of the different data sets and vulnerability information available. This could give the government an initial tool to start the work in analyzing the available attack surface and possible threats regarding their Internet presence, and improve security as a part of the Finnish Cyber Security Strategy.

As a suggestion, this could be included in the Finnish Cyber Security Strategy as one point to enforce, to ensure operators provide citizens and organizations devices with hardened configurations. Countries should together push a global initiative to require that manufacturers ship the devices and software in a secure-by-default configuration.


3 Operating System analysis

The operating system data was extracted from the data sets. We did the required comparisons against the Nmap OS database. In total there were over 119 000 fingerprints present in the data. This data was divided into different categories containing the most common vendors / products in the category. The categories were selected for the following reasons:

All fingerprints – Provides an overview of all the vendors / products.

Common OS – Shows the most common typical operating systems that are run on servers, computers and in some cases, consumer devices.

Linux kernel – This helps determining if there are very old and possibly insecure systems present out there. It also shows the adoption of the new 3.x series kernels.

Windows versions – Breakdown of Windows OSes directly contributes to the vulnerability landscape, describing how many old systems exist that may be vulnerable to attack

Firewall / Switch / Routers – Getting an overview of the most used network equipment helps build a picture on what types of systems are used in typical Finnish Internet infrastructure

Home router devices – Knowledge of commonly used home networking products helps in identifying possible risk against end users

Printer devices – Printers directly accessible from the Internet is not a good corporate policy. From risk perspective these should not be on the Internet.

ICS/SCADA devices – These are systems that definitely should not be directly on the Internet and abuse of these can have big consequences.


3.1 TOP-20 all fingerprints

Below is the combined TOP-20 list of all the encountered fingerprints of different devices and operating systems, followed by a chart showing the spread of typical/common operating systems which most people are familiar with. The common operating systems accounted for over 61 000 hits, which is a bit over half of all the fingerprints present. This indicates there are a lot of different devices like routers, ADSL/cable modems, printers and other items directly accessible over the Internet. One interesting observation was over 150 Blue Coat systems, which didn’t fit in the chart.

TOP-15 Common OS / Systems

TOP-20 of all fingerprints


3.2 Linux kernel versions

There were over 43 000 hits for different IPs identified as Linux. This is a breakdown of the actual Linux kernel versions. The majority of the systems were still running the 2.6 series, but there are still systems running 2.4 and below. Some may be embedded systems in spite of the attempts to exclude them. Current Linux distributions are moving to 3.x versions. The 2.6 series started in December 2003 and the 3.x series in July 2011.

3.3 Windows versions

Microsoft Windows operating systems were running on 14 000 hosts. The following chart shows the different versions seen in the data. The amount of Windows Server 2000 and Windows XP is quite high, 1/5 of the identified hosts. Considering these are not supported anymore, it may pose a serious risk to the systems (XP has extended support until 2014).

Linux kernels

Microsoft Windows
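The kernel-series and Windows-version breakdowns above are produced by bucketing OS match strings. The following is an added example, not code from the report or from Nixu, of how such bucketing can be done on Nmap-style OS match strings. The sample strings are constructed, the match format is an assumption (Nmap's "Linux 2.6.18 - 2.6.32" range style), and the sets OLD_WINDOWS and OLD_KERNEL_SERIES are my own labels for the versions the report singles out as unsupported. A range match is resolved to its lower bound, which is the conservative reading for a risk estimate.

```python
import re
from collections import Counter

# Constructed sample of OS match strings in the style Nmap prints them (assumption:
# the real Census fingerprint records are not reproduced here).
SAMPLE_FINGERPRINTS = [
    "Linux 2.6.18 - 2.6.32",
    "Linux 3.2 - 3.8",
    "Linux 2.4.20",
    "Linux 2.6.32",
    "Microsoft Windows XP SP3",
    "Microsoft Windows Server 2003 SP2",
    "Microsoft Windows 7 or 8",
    "Microsoft Windows 2000 SP4",
    "HP LaserJet 4250 printer",
    "Cisco IOS 12.4",
]

LINUX_RE = re.compile(r"^Linux (\d+)\.(\d+)")
# Longer alternatives first so "Server 2003" is not mis-read as "2000" or "2003".
WINDOWS_RE = re.compile(
    r"^Microsoft Windows (Server 2012|Server 2008|Server 2003|2000|XP|Vista|7|8)"
)

# Versions the report treats as no longer supported (Windows 2000 and XP); my label.
OLD_WINDOWS = {"2000", "XP"}
# Kernel series that had left upstream maintenance long before the scan; my label.
OLD_KERNEL_SERIES = {"2.0", "2.2", "2.4"}


def linux_series(fingerprint):
    """Map a Linux match to its kernel series: '2.4', '2.6' or '3.x' (None if not Linux).

    For a range such as 'Linux 2.6.18 - 2.6.32' the lower bound is used, i.e. the
    oldest kernel the host could plausibly be running.
    """
    m = LINUX_RE.match(fingerprint)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    return f"{major}.x" if major >= 3 else f"{major}.{minor}"


def windows_version(fingerprint):
    """Return the Windows version label, or None for non-Windows matches."""
    m = WINDOWS_RE.match(fingerprint)
    return m.group(1) if m else None


def kernel_breakdown(fingerprints):
    """{kernel series: hits} over the Linux matches only."""
    return dict(Counter(s for s in map(linux_series, fingerprints) if s))


def windows_breakdown(fingerprints):
    """{Windows version: hits} over the Windows matches only."""
    return dict(Counter(v for v in map(windows_version, fingerprints) if v))


def legacy_share(fingerprints):
    """(% of Linux hits on an old kernel series, % of Windows hits on an unsupported version)."""
    k = kernel_breakdown(fingerprints)
    w = windows_breakdown(fingerprints)

    def pct(part, whole):
        return round(100.0 * part / whole, 1) if whole else 0.0

    old_k = sum(n for s, n in k.items() if s in OLD_KERNEL_SERIES)
    old_w = sum(n for v, n in w.items() if v in OLD_WINDOWS)
    return pct(old_k, sum(k.values())), pct(old_w, sum(w.values()))


if __name__ == "__main__":
    print("kernels:", kernel_breakdown(SAMPLE_FINGERPRINTS))
    print("windows:", windows_breakdown(SAMPLE_FINGERPRINTS))
    print("legacy share (linux %, windows %):", legacy_share(SAMPLE_FINGERPRINTS))
```

Strings that match neither pattern (printers, routers) simply fall out of both breakdowns, which mirrors the report's separate handling of network equipment and printers.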


3.4 Firewall / Switch / Router devices

We grouped specific firewall, switch and routing devices into one graph, which resulted in 17 000 hits. Interestingly there are quite many Symantec gateway installations. Cisco and 3Com are the most common technologies related to routing.

3.5 Home router devices

Over 10 000 devices were identified as typical ADSL, cable or 3G routers. Also other LAN/WLAN devices were found. These are usually used in home or SOHO environments. Some devices might still be used only in businesses.

TOP-15 FW / Router / Switch vendors

TOP-15 Home routers


3.6 Printer devices

There were plenty of printing related devices, accounting for over 3 500 hits. Some printers that did not fit the chart are for example Dell, Kyocera, Kodak and Konica. These should most probably not be directly connected to the Internet.

3.7 Possible SCADA systems

Different types of possible SCADA systems, remote access controllers and management interfaces were discovered in the data. Some of the controllers and interfaces may be purely for servers. These accounted for over 2 900 hits. Interestingly, these kinds of systems should usually not be directly accessible over the Internet.

On a separate note, there were also NAS and tape library devices (527 hits).

TOP-10 Printer vendors

Possible ICS / SCADA systems


4 Port analysis

The data contained TCP synscan results and in addition some UDP results. We decided to skip analysis of the UDP because of the possibility of having unreliable results, and focused mainly on the TCP results. There were over 500 000 IP-addresses present in the data.

The following chapters will give an overview of what the most common ports are and what kind of services the majority of the hosts are running. Analysis was also made of how many different ports were open for specific service types. These specific service types were selected for the following reasons:

Databases – Databases are typically the crown jewel attackers are looking for and it can be risky to offer these to the Internet

Unencrypted protocols – These protocols are easily intercepted, especially if using these in a hostile environment. In light of recent events, usage is not advised.

Management interfaces – Interfaces like these should in general be available only from networks that are considered adequately secure, offering many times keys to the kingdom

Different proxies – Services, when wrongly configured, can allow an attacker to hide his tracks or attack deeper into the organization

Denial of service – Breakdown of these may help understand the possible amount of Finnish hosts that could be used in DoS attacks

Possibly sensitive ports – Mistakes in configuring servers may expose services which allow an attacker to gain more information about a target

Finally we compared what ports typically get scanned and how many hosts have the scanned ports open. This gives an overview of the likelihood, or the time and resources an attacker has to use, to find a host with the port open he is looking for.


4.1 TOP-40 port list

This chart shows the TOP-40 ports that are open on the scanned hosts. The majority of the hosts run a service on port 80 and/or 443, which are usually HTTP and HTTPS. Remote access ports SSH and Telnet are also high on the list, in addition to FTP, SMTP and DNS services. These, except for Telnet, are quite typical services that are open to the Internet. It is worth mentioning that the port number used in VoIP systems is in the TOP-10 selection.

Rank  Amount   Port
1     404 370  80 (HTTP)
2     94 244   443 (HTTPS)
3     83 494   22 (SSH)
4     67 286   21 (FTP)
5     55 019   23 (Telnet)
6     43 920   25 (SMTP)
7     25 637   53 (DNS)
8     17 725   8080 (Proxy)
9     10 943   49152 (?)
10    9 819    5060 (SIP)
11    9 667    143
12    9 191    993
13    8 548    110
14    8 064    49154
15    7 958    135
16    7 824    1723
17    7 521    139
18    7 510    3389
19    7 073    995
20    6 645    3306
21    6 391    111
22    5 972    5900
23    5 938    554
24    5 693    445
25    3 893    10000
26    3 727    587
27    3 642    465
28    3 590    113
29    2 840    179
30    2 685    548
31    2 590    515
32    2 356    8443
33    2 189    1720
34    1 977    81
35    1 645    20
36    1 638    8000
37    1 611    2001
38    1 546    2000
39    1 489    1025
40    1 435    5666


4.2 Ports open, counted by hosts

This list shows the amount of ports open counted by the amount of hosts. It gives an overview of the attack surface an attacker can have available. The higher the amount of open ports, the higher probability there is of finding a vulnerable service on a specific host.

Typically a server dedicated to one specific task should have only a couple of services open. When a server acts in a multi-purpose role the port count is higher, to a certain level. Five open ports and above starts indicating there is definitely a lack of proper hardening and improper usage of firewall technology.

Hosts that have over 20 open services raise questions how it is possible to have so many ports open, from a security perspective. The answers can’t really be known, it could be erroneous responses to received packets, dynamically opened client ports or some host-based IPS system which makes the port scan results unreliable by showing a lot of ports open.

Open ports   Amount of hosts
1            321 184
2            86 042
3            31 498
4            42 968
5            12 745
6            4 614
7            2 518
8            1 809
9            1 194
10           1 068
11           839
12           960
13           403
14           311
15           146
16–20        247
21–25        42
26–32        8
33–48        184
49–68        209
71–100       114
101–150      146
151–201      115
206–245      15

The following charts show which ports are open on hosts that have up to four ports open. This gives an overview of what the majority of the landscape looks like in terms of open ports. In summary, the majority of scanned hosts act in web server roles; the more ports are open, the more diverse the open services become.


The majority of the hosts have only one port open, and that port is HTTP. This means that most of the hosts scanned act as web servers, and HTTP is the most useful port for an attacker when looking for live targets.

About 64 % of hosts with two ports open serve HTTP and/or HTTPS, which again increases the attack surface on the web server side. 10 % of these hosts also have SMTP open.

TOP-25 ports for 1 open port

TOP-25 ports for 2 open ports


Hosts with three ports open still have a large share of web server related ports, but are more diversified in available services. The most common services are HTTP, HTTPS, FTP, SSH and Telnet.

Interestingly, when hosts have four ports open, most of the open services are HTTP, SSH, FTP and Telnet. An organization (or a home user) may want to provide their own web pages, remote access and a file service to the Internet, but having the Telnet port open as well is a mystery. These could be badly configured home router systems.

TOP-25 ports for 3 open ports

TOP-25 ports for 4 open ports
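The per-host counting behind section 4.2, as an added example that is not the report's or the Internet Census project's own tooling: it groups scan records by host, builds the "open ports / amount of hosts" histogram with the report's range buckets, lists the TOP ports among hosts with exactly N ports open, and flags hosts at the five-port hardening threshold. The scan records are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample scan records, "<ip> <port> <state>" (not census data).
SAMPLE_SCAN = """\
192.0.2.10 80 open
192.0.2.10 443 open
192.0.2.11 80 open
192.0.2.12 80 open
192.0.2.12 22 open
192.0.2.12 21 open
192.0.2.12 23 open
192.0.2.12 3389 open
192.0.2.13 25 open
192.0.2.13 80 open
192.0.2.14 80 open
192.0.2.14 80 open
192.0.2.15 3306 open
192.0.2.15 23 closed
"""

# Ranges the report uses once a host has more than 15 open ports.
RANGES = [(16, 20), (21, 25), (26, 32), (33, 48), (49, 68),
          (71, 100), (101, 150), (151, 201), (206, 245)]


def ports_per_host(scan_text):
    """Map each host to the set of ports reported open; duplicate lines collapse."""
    hosts = defaultdict(set)
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "open":
            continue  # skip malformed lines and closed/filtered ports
        hosts[parts[0]].add(int(parts[1]))
    return dict(hosts)


def bucket_label(n_open):
    """Exact count up to 15, the report's range label above that."""
    if n_open <= 15:
        return str(n_open)
    for lo, hi in RANGES:
        if lo <= n_open <= hi:
            return f"{lo}-{hi}"
    return "other"


def open_port_histogram(hosts):
    """Hosts per open-port bucket (the 'Open ports / Amount of hosts' table)."""
    return Counter(bucket_label(len(ports)) for ports in hosts.values())


def top_ports(hosts, n_open, k=25):
    """TOP-k ports among hosts that have exactly n_open ports open."""
    counts = Counter()
    for ports in hosts.values():
        if len(ports) == n_open:
            counts.update(ports)
    return counts.most_common(k)


def web_share(hosts, n_open):
    """Fraction of hosts with n_open ports that serve HTTP and/or HTTPS."""
    group = [ports for ports in hosts.values() if len(ports) == n_open]
    return sum(1 for p in group if p & {80, 443}) / len(group) if group else 0.0


def unhardened_hosts(hosts, threshold=5):
    """Hosts at or above the open-port count the report calls a hardening gap."""
    return sorted(ip for ip, ports in hosts.items() if len(ports) >= threshold)
```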


4.3 Database ports

This lists the default ports of some databases we decided to look at: MS-SQL, MongoDB, PostgreSQL, DB2, Sybase, Oracle, and MySQL.

Databases should never be directly exposed to users, as this makes it easier to abuse software vulnerabilities, weak password policies and default configurations.

Amount   Port                 Database
6 645    3 306                MySQL
872      1 433                MS-SQL
102      523, 500xx, 600xx    DB2
16       5 432                PostgreSQL
13       152x                 Oracle
1        2 048                Sybase
1        27 019               MongoDB

4.4 Unencrypted protocol ports

Unencrypted protocols do not provide any transport layer protection, which in essence allows credentials to be captured from network traffic.

Network devices often have Telnet enabled by default, while SSH needs to be enabled separately. This indicates a lack of hardening. These services should in general be replaced with more secure counterparts, if possible, and most of them should not be open to the Internet.

Amount   Port   Service
67 286   21     FTP
55 019   23     Telnet
1 043    514    rshell
46       513    rlogin
25       512    rexec


4.5 Management interface ports

In addition to Telnet and the r-services above, there are other common management interface ports that allow remote administration of, or access to, hosts. Many of these do not encrypt data in transit by default but require some configuration or an additional component to secure the transport layer, for example by tunneling over SSH.

There is usually no good reason to expose these ports directly to the Internet, except for SSH with public key authentication. Even on internal networks, access should be restricted to certain IP addresses or management networks, if possible.

Amount   Port         Service
83 494   22           SSH
7 958    135          MS-RPC
7 521    139          NetBIOS
7 510    3 389        RDP
6 038    580x, 590x   VNC
5 693    445          SMB
12       5 631        PCAnywhere
9        4 899        Radmin

4.6 Proxy ports

The ports below are commonly associated with proxies. Attackers (and users) are constantly looking for open proxies to hide their tracks or to bypass country-level ACLs set by different services. Keep in mind that port 8080 is also commonly associated with Apache Tomcat.

In the worst case a wrongly configured proxy could allow remote access to internal assets and result in an organization-wide compromise. There is usually no reason to have an internally used proxy directly accessible over the Internet.

Amount   Port     Service
17 725   8 080    Multiple
12       1 080    Socks
11       3 128    Squid
11       9 415    PPLive
1        33 849   Socks


4.7 Denial of service ports

Typical services used in denial of service attacks against a third party are UDP services, especially echo, chargen and DNS. The attack is executed by spoofing the source address with the target's IP address, so that any responses are directed at the target. We found a fairly low number of these TCP ports open, except for DNS. Often, when these are enabled as TCP services, the UDP port is enabled as well.

The existence of these ports indicates a lack of proper hardening, as they are default services with no “real” use and should be disabled (DNS may actually be in use). The problem with DNS is that it can be misconfigured as an open resolver, which can be used in amplification attacks.

Amount   Port   Service
25 637   53     DNS
62       7      Echo
50       13     Daytime
41       37     Time
40       19     Chargen

4.8 Printing ports

Network-enabled printers allow printing without being connected to the printer with a cable. Operating systems can also share printers to the rest of the network. It is not recommended to leave these printing services directly on the Internet because of the obvious possibility of abuse and data leaks.

Printers also tend to have administrative interfaces, and it is always possible that these still have the default configuration in place. Like any software, printers can contain exploitable vulnerabilities.

Amount   Port    Service
2 590    515     LPD
136      631     CUPS
50       9 100   HP JDirect
1        1 782   HP-HCIP

4.9 Other sensitive ports

This is a small selection of sensitive ports that should not be directly on the Internet; it is by no means a comprehensive list. These would allow further enumeration and possibly further access to resources.

Amount   Port           Service
6 391    111            Portmapper
1 401    600x           X Windowing System
130      389, 636       LDAP
45       1 900, 2 869   uPnP
18       2 049          NFS


4.10 Firewall data comparison

Nixu collects firewall data and analyzes from time to time which ports are typically scanned by attackers and malware. This chart compares how often a specific port is targeted with how many instances of it are actually open, based on half a year's firewall data.

A zero result can mean that the Internet Census did not include the port in the port scan.

Top   Open      Port
1     5 693     445 (Netbios)
2     83 494    22 (SSH)
3     55 019    23 (Telnet)
4     872       1 433 (MS-SQL)
5     7 510     3 389 (RDP)
6     7 958     135 (MS-RPC)
7     17 725    8 080 (Proxy)
8     6 645     3 306 (MySQL)
9     404 370   80 (HTTP)
10    5 972     5 900 (VNC)
11    94 244    443
12    43 920    25
13    9         4 899
14    7 521     139
15    8 548     110
16    67 286    21
17    2 356     8 443
18    12        1 080
19    11        3 128
20    0         5 038
21    10        6 666
22    12        5 631
23    1         30 670
24    16        5 901
25    28        8 081
26    0         3 790
27    1 638     8 000
28    16        8 088
29    1         6 675
30    1         8 880
31    9 667     143
32    0         6 674
33    0         65 500
34    208       88
35    1         8 090
36    18        9 090
37    1 977     81
38    0         3 127
39    25 637    53
40    0         44 609


5 Serviceprobe analysis

We decided to take a look at protocols that provide server response information in a relatively easy, human-readable form. Almost all of these were present in the TOP-10 open ports list or are scanned relatively often.

This data, if analyzed in depth, can give an overview of the general vulnerability landscape as it was nearly a year ago. For this paper we mainly focused on high-level vendors/products to get an understanding of the most used software, except for the MS-SQL and MySQL data, which contain only version numbers.

We took the most common web-based ports and combined these into one large data set, then attempted to identify the server versions. The ports included were 80, 81, 82, 83, 8 000, 8 080, 8 880, 8 888, 443 and 8 443. The data was divided into different categories. For many IPs there were multiple requests present in the data, and no attempt was made to make the results unique. This skews the results a bit.

We also extracted data from FTP (21), SSH (22), Telnet (23), SMTP (25), DNS (53), SNMP (161), IMAP (143), MS SQL (1 434) and MySQL (3 306).


5.1 WWW – Generic Web-servers

The chart below shows the TOP-11 web servers encountered in the data. There were over 275 000 hits in total for web servers. Based on the hits, Apache is clearly the most used web server, with Microsoft second. Overall there seems to be a varied set of web servers in use.

The second chart shows the rest of the generic web servers; their percentages were calculated from the number of these hits, which was over 6 500.

TOP-11 web servers (count at least 1 000)

Other generic web servers (count below 1 000)


5.2 WWW – Embedded servers and network router servers

The chart shows the TOP-20 embedded devices and network routers. This category got over 38 000 hits. A few hits that did not fit in the TOP list are listed separately here: EksosM, Conexant, Adapec, Netgear, Alcatel-Lucent.

TOP-20 Embedded devices and routers

5.3 WWW – Firewall, proxy and management servers

The chart shows the TOP-15 firewall, proxy and management servers, which amounted to over 6 500 hits. There were also other interesting services, like Bomgar, which did not fit in the TOP list.

TOP-15 Firewall, proxy and management servers


5.4 WWW – Printer servers

Nine different printer web servers were identified from the data, amounting to over 1 700 hits. The chart below shows that HP printer web services are the most commonly exposed.

TOP-9 Printer web servers

5.5 WWW – Media and surveillance servers

This category contains servers that stream media, like audio and video. It includes TVs, radios, DVB systems and video surveillance systems, and these amounted to 5 000 hits. Some interesting systems that did not fit in the TOP list: Tandberg, Indigo Vision.

TOP-25 Media / Surveillance servers


5.6 WWW – Possible SCADA-related servers

There were twenty different servers that may be SCADA-related. From the list we decided to remove WinCE, which amounted to over 2 600 servers; it is used mainly in small devices, and its presence can indicate that these should not be accessible over the Internet. In total there were over 4 100 hits.

TOP-16 Possible SCADA servers (excluding 2 676 WinCE hosts)

5.7 FTP Servers

This category contains the TOP-10 identified FTP servers found in the data. The number of hits was over 49 000, which shows that FTP is still used a lot. TP-LINK and ProFTPD are the two most common servers, with vsFTPd close behind.

TOP-10 FTP servers (60 % were unknown)


5.8 SSH Servers

The TOP-10 for SSH servers held no surprise, with the OpenSSH and Dropbear servers on top. In total there were over 23 000 hits. The official SSH Secure Shell and Tectia SSH servers were also found, but did not fit into the TOP list.

TOP-10 SSH servers

5.9 Telnet servers

The Telnet data contained over 17 000 hits. The surprise in the TOP-10 list is the number of SIP/VoIP related devices and home routers. The UAV prompt may come from many devices, for example Cisco.

TOP-10 Telnet servers (32 % were unknown)


5.10 SMTP Servers

The TOP-10 list for SMTP contained over 79 000 hits, with the majority unknown. Postfix, Microsoft, Sendmail and Exim were, as expected, on top of the list. There was also a fair number of security SMTP gateways.

TOP-10 SMTP servers (84 % were unknown)

5.11 DNS Servers

There were not many different DNS servers present, amounting to over 11 000 hits. BIND is the most common DNS server. Over 20 % refused to reveal their version, and dnsmasq came third.

DNS servers


5.12 IMAP Servers

The number of IMAP servers was over 8 500 hits. The Unknown category contains the IMAP servers that did not return much identifying information. Dovecot, UW IMAP and Courier are the most common ones identified.

TOP-10 IMAP servers

5.13 SNMP Servers

This category contains identified SNMP servers that responded to the “public” SNMP community string. There were over 17 000 hits. The Random category contains addresses, names and obscure serial numbers. The most common appear to be home/SOHO router devices. SCADA-related devices were also identified in the data.

TOP-10 SNMP servers


5.14 MS SQL Servers

The version strings in the data were transformed into actual MS SQL Server versions and service packs. There were about 1 000 hits in this category. The most common was MS SQL Server 2005 SP4, which is EOL. However, some 2005 versions are under extended support, according to Microsoft's pages.

TOP-10 MS SQL servers

5.15 MySQL Servers

There were over 1 200 hits for different MySQL servers that returned a version string. 590 hosts whose response stated that the connecting host is not authorized to connect to the server were removed from the results. Some relatively old versions were encountered.

MySQL servers


6 Vulnerability Analysis

Looking back one year and beyond at the generic vulnerability landscape for some service versions present in the TOP lists, the vulnerabilities were mostly in the denial of service (DoS) category. This was not an extensive mapping exercise in which vulnerabilities were analyzed thoroughly, but it gave a general idea of the state of patching.

The Nixu Watson vulnerability management service processed the extracted service banners for some of the selected TCP ports we wanted to look at (FTP, SSH, SMTP, DNS, DB, WWW). There were 326 High-, 577 Medium- and 82 Low-level unique vulnerabilities with a Common Vulnerabilities and Exposures (CVE) identifier.

With many distributions backporting patches, and vulnerabilities also depending on the hardware architecture, some findings may be false positives. For operating systems and certain services there was no easy way to determine current patch levels, except for a possible End-of-Life state of the product.

The charts below show the distribution of CVEs by severity and between the different protocols. The number in parentheses is the number of different software versions in the category. The WWW-add category includes technologies like OpenSSL, PHP, mod_jk and other modules which can be used in a web server.

Chart: Total amount of CVEs: High 326 (33.10 %), Medium 577 (58.58 %), Low 82 (8.32 %)

Chart: CVE distribution between protocols: FTP (51), SSH (56), DNS (3), SMTP (32), Database (84), WWW (209), WWW-add (258) (bar values by severity not reproduced)


The most vulnerable components from a purely numeric viewpoint were old Apache and PHP versions. In total there were 693 different software versions present in the banner data. When examining the latest high-level vulnerabilities in each category, the following CVEs were found to be the most serious (denial of service excluded):

CVE-2011-4130: ProFTPD use after free remote code execution
CVE-2012-0920: Dropbear SSH server use after free remote code execution
CVE-2011-1407: Exim DKIM remote code execution
CVE-2009-2500: GDI+ could allow remote code execution in MS-SQL
CVE-2012-0882: yaSSL buffer overflow allows remote code execution in MySQL
CVE-2012-2965..CVE-2012-2967: Arbitrary code execution in Resin
CVE-2012-1823 and CVE-2012-2311: PHP allows executing arbitrary code

The following number of versions per category did not have a high-level vulnerability present. A version here means, for example, Apache 1.3.12 or PHP 5.3.7:

FTP: 20 / 51
SSH: 19 / 56
DNS: 1 / 3
SMTP: 6 / 32
Database: 21 / 84
WWW: 83 / 209
WWW-additional: 89 / 258

Last year a high-level configuration mistake was discovered in some F5 BigIP product installations. These contained a known SSH private key for the root user, which essentially allowed remote administrative-level access to the product. Exploitability of this vulnerability relies on the SSH service being open to the Internet. No cross-checking was made between the OS, service and open port information.
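The banner categorisation that sections 5 and 6 rest on, as an added example that is not the report's, Nixu Watson's or the Internet Census project's own code: banners are grouped by port into the report's protocol categories (web ports combined into WWW, with PHP and similar modules split out as WWW-add), product and version are extracted, and the distinct versions and unknown share per category are counted. The banners and the regular expressions are constructed for illustration and cover only a few common products.

```python
import re
from collections import defaultdict

# Constructed sample banners, "<ip> <port> <banner>" (not census data).
SAMPLE_BANNERS = """\
192.0.2.20 22 SSH-2.0-OpenSSH_5.3
192.0.2.21 22 SSH-2.0-dropbear_0.52
192.0.2.22 21 220 ProFTPD 1.3.3a Server (ProFTPD Default Installation)
192.0.2.23 21 220 (vsFTPd 2.3.4)
192.0.2.24 80 Server: Apache/2.2.3 (CentOS) PHP/5.1.6
192.0.2.25 443 Server: Microsoft-IIS/6.0
192.0.2.26 8080 Server: Apache-Coyote/1.1
192.0.2.27 21 220 Welcome to the FTP service
192.0.2.28 22 SSH-2.0-OpenSSH_5.3
"""

# Web ports the report combined into one data set; other ports map directly.
WEB_PORTS = {80, 81, 82, 83, 8000, 8080, 8880, 8888, 443, 8443}
PORT_CATEGORY = {21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS", 143: "IMAP"}

# Banner shapes per category; modules inside a Server header form "WWW-add".
PATTERNS = {
    "SSH": re.compile(r"^SSH-\d\.\d+-(?P<product>[A-Za-z]+)[_ -]?(?P<version>[\d.p]+)?"),
    "FTP": re.compile(r"^220[ -].*?(?P<product>ProFTPD|vsFTPd|Pure-FTPd|FileZilla)"
                      r"[ /]?(?P<version>[\d.]+\w*)?"),
    "WWW": re.compile(r"^Server:\s*(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>[\w.]+))?"),
    "WWW-add": re.compile(r"\b(?P<product>PHP|OpenSSL|mod_jk|mod_ssl)/(?P<version>[\w.]+)"),
}


def parse_banner(port, banner):
    """Return [(category, product, version), ...]; 'unknown' when nothing matched."""
    category = PORT_CATEGORY.get(port, "WWW" if port in WEB_PORTS else "other")
    pattern = PATTERNS.get(category)
    match = pattern.search(banner) if pattern else None
    if match:
        found = [(category, match.group("product"), match.group("version"))]
    else:
        found = [(category, "unknown", None)]
    if category == "WWW":  # add-on modules advertised inside the Server header
        found += [("WWW-add", m.group("product"), m.group("version"))
                  for m in PATTERNS["WWW-add"].finditer(banner)]
    return found


def summarize(banner_text):
    """Per category: total hits, unknown hits and distinct (product, version) pairs."""
    summary = defaultdict(lambda: {"hits": 0, "unknown": 0, "versions": set()})
    for line in banner_text.splitlines():
        _ip, port, banner = line.split(" ", 2)
        for category, product, version in parse_banner(int(port), banner):
            entry = summary[category]
            entry["hits"] += 1
            if product == "unknown":
                entry["unknown"] += 1
            else:
                entry["versions"].add((product, version))
    return dict(summary)


def unknown_share(summary, category):
    """Share of hits with no identifiable product (the report's 60 % for FTP)."""
    entry = summary.get(category, {"hits": 0, "unknown": 0})
    return entry["unknown"] / entry["hits"] if entry["hits"] else 0.0
```

The size of each category's "versions" set is the figure the report gives in parentheses, e.g. FTP (51), and is the unit a vulnerability feed such as the one used in section 6 would be matched against.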

7 References

Internet Census 2012 project: http://internetcensus2012.bitbucket.org/

Downloadable data: http://internetcensus2012.bitbucket.org/download.html

Wikipedia article on Carna botnet: http://en.wikipedia.org/wiki/Carna_Botnet

CVE information: http://cve.mitre.org/about/index.html

Nixu Watson: http://www.nixu.com/en/solution/nixu-watson


Copyright © 2013 Nixu Oy/Ltd. All Rights Reserved.

Nixu Ltd is the largest consulting company for information security in the Nordic countries. Our corporate clients trust Nixu for developing, implementing and assessing their information security related processes and systems as an independent advisor. We ensure our clients’ information responsibility by taking care of business continuity, ease-of-access to digital services and customer data protection.

www.nixu.fi  Twitter: @nixutigerteam

Nixu Ltd, P.O. Box 39 (Keilaranta 15), FI-02151 Espoo, Finland

Telephone: +358 9 478 1011  Fax: +358 9 478 1030  VAT number: 0721811-7  Internet: www.nixu.fi