The scannings will continue until the Internet improves

March 28, 2014

LAST UPDATED: 2022-10-24

Introduction

The news and our networks have been full of articles and packets related to the different UDP amplification attacks that have been ongoing. We and several other researchers have been looking at this problem for a while and while there are not any easy solutions we can at least make network owners more aware of the issues that we can see on their networks from the outside. This has led to some interesting results, most of which are not pleasant.

There are also a a large number of services that should not be exposed because they are usually trivial to exploit or abuse. Some of these might expose data or even allow remote access to systems that should not be open to the public.

Scanning Project

This gave the birth to the scanning project. We dropped a pile of gear in a colo, convinced our provider this was for the good of the internet, and started pushing the bounds of the networks as much as we could. Our initial tests were hard and unpleasant, but we tuned, rewrote code, and finally have come up with a methodology that we hope is not too onerous for the end networks.

In some cases there has been a comedy of errors as both we and some of the recipients of our probes have tried to find out why devices would give results when they were never scanned in the first place. Imagine our surprise, for instance, when we sent hundreds of queries across hundred of destination IPs and received hundreds of replies from a completely different IP.

Protocols

Based on this report from the US-CERT and the wonderful write-up by Christian Rossow we plan on probing everything listed by both. While we were at it, we added a few other ports/protocols of significant security interest. And we are constantly adding more!

There are links below to the scan results from our currently implemented protocols. Those that don’t have links are on our “to-do” list. Expect more interpretation of scan results in future posts. We also use these scans to fingerprint devices remotely by make-and-model. You can find results of this fingerprinting in the Device Identification report.

Amplification Protocols:

CharGEN (UDP/19)
clDAP (UDP/389)
CoAP v1 & v2 (UDP/5693)
DNS (UDP/53)
DVR DHCP Discover (UDP/37810)
MemCached (TCP/11211, UDP/11211)
Mitel (UDP/10074)
MS-SQL (UDP/1434)
MS-RDPEUDP (UDP/3389)
NTP Version (UDP/123) (IPv4/IPv6)
NTP Monitor UDP/123)
PLEX SSDP (UDP/32414)
QOTD (UDP/17)
SNMPv2 (UDP/161) (IPv4/IPv6)
SSDP (UDP/1900) (IPv4/IPv6)
STUN (UDP/3478) (IPv4/IPv6)

Botnet Protocols:

Conficker (TCP/445)
Gameover Zeus (Takedown by the FBI on 2014-05-30)
Sality
Zeroaccess

Protocols That Should not be Exposed Uncontrolled (Unnecessary attack surface):

AMQP (TCP/5672)
Android Debug Bridge (TCP/5555)
Apple Filing Protocol (TCP/548)
Apple Remote Desktop (UDP/3283)
Cisco Smart Install (TCP/4786)
CouchDB (TCP/5984)
CWMP (TCP/7547, TCP/30005) (IPv4/IPv6)
DB2 (UDP/523)
Docker (TCP/2375)
Elastic Search (TCP/9200)
Erlang Port Map Daemon (EPMD) (TCP/4369)
FTP (TCP/21, TCP/2121) (IPv4/IPv6)
Hadoop (TCP/50070, TCP/50075)
IPMI (UDP/623)
IPP(TCP/631)
Kubernetes (TCP/6443, TCP/443)
LDAP-TCP (TCP/389)
mDNS (UDP/5353)
MemCacheD (TCP/11211)
Mikrotik (TCP/2000)
MongoDB (TCP/27017)
MQTT (TCP/1883, TCP/8883) (IPv4/IPv6)
MySQL (TCP/3306) (IPv4/IPv6)
NAT-PMP (UDP/5351)
NetBIOS (TCP/137 to 139)
Portmapper (UDP/111)
PostgreSQL (TCP/5432) (IPv4/IPv6)
RDP (TCP/3389) (IPv4/IPv6)
Radmin(TCP/4899)
REDIS (TCP/6379)
Rsync (TCP/873)
SMB (TCP/445). (IPv4/IPv6)
SOCKS/4/5 (TCP/1080)
SSDP (TCP/1900)
TFTP (UDP/69)
Telnet (TCP/23, TELNET/2323)
Ubiquiti Discovery Service (UDP/10001)
VNC (TCP/5900, TCP/5901) (IPv4/IPv6)
XDMCP (UDP/177)

Protocols That are Vulnerable:

Exchange (TCP/443)
ISAKMP (UDP/500)
Middlebox (TCP/80)
Netcore/Netis Router (UDP/53413)
SSL/FREAK (TCP/443 and others)
SSLv3/POODLE (TCP/443)
Synful Knock (TCP/80)

ICS/SCADA/OT Protocols (Unnecessary possible critical industrial infrastructure attack surface)

All scan results for the protocols below are available in the Accessible ICS report.

BACnet (TCP/47808)
CODESYS (TCP/1200, TCP/2455)
Crimson V3 (TCP/789)
DNP3 (TCP/20000)
EtherCAT (UDP/34980)
EtherNet/IP (TCP/44818)
GE-SRTP (TCP/18245)
HART (TCP/5094)
ICCP (TCP/102)
IEC 60870-5-104 (TCP/2404)
MELSEC-Q (TCP/5007)
Modbus (TCP/502)
OMRON FINS (UDP/9600)
OPC UA Binary (TCP/4840)
PC Worx (TCP/1962)
ProConOS (TCP/20547)
Siemens S7 (TCP/102)
Tridium Niagara Fox (TCP/1911)

Population Test Protocols:

HTTP (TCP/80 and multiple other ports) (IPv4/IPv6)
QUIC (UDP/443)
SMTP (TCP/25) (IPv4/IPv6)
SSH (TCP/22, TCP/2222) (IPv4/IPv6)
SSL TLS 1.3 (TCP/443 and multiple other ports) (IPv4/IPv6)
Teamviewer (TCP/5938) (IPv4/IPv6)

What can we do?

If you are not getting reports on your network please do so, you can see more details here. If you would like to contribute to help cover the costs of the project just email one of us.

Updates

2022

UPDATED: 2022-04-15 – Added OPC-UA-Binary
UPDATED: 2022-04-12 – Added HART
UPDATED: 2022-04-07 – Added CODESYS
UPDATED: 2022-04-06 – Added IEC 60870-5-104
UPDATED: 2022-04-05 – Added PC Worx
UPDATED: 2022-03-31 – Added MELSEC-Q
UPDATED: 2022-03-30 – Added ProConOS
UPDATED: 2022-03-26 – Added OMRON FINS
UPDATED: 2022-03-23 – Added EtherNET/IP
UPDATED: 2022-03-21 – Added SOCKS Proxy
UPDATED: 2022-03-18 – Added Crimson v3
UPDATED: 2022-03-17 – Added Bacnet
UPDATED: 2022-03-09 – Added DVR DHCPDiscover
UPDATED: 2022-03-08 – Added DNP3
UPDATED: 2022-03-03 – Added Tridium Niagara Fox
UPDATED: 2022-03-02 – Added Siemens S7
UPDATED: 2022-02-21 – Added Modbus

2021

UPDATED:2021-11-30 – Added AMQP
UPDATED: 2021-05-17 – Added SMTP
UPDATED: 2021-04-22 – Added MS Exchange
UPDATED: 2021-01-19 – Added MS-RDPEUDP

2020

UPDATED: 2020-07-02 – Added Radmin
UPDATED: 2020-06-20 – Added CoAP
UPDATED: 2020-06-05 – Added IPP
UPDATED: 2020-03-12 – Added MQTT

2019

UPDATED: 2019-12-04 – Added SSH
UPDATED: 2019-08-02 – Added Apple Remote Desktop
UPDATED: 2019-07-18 – Added QUIC
UPDATED: 2019-06-01 – Added RDP Bluekeep
UPDATED: 2019-04-19 – Added SSL TLS 1.3 Alternative Port
UPDATED: 2019-04-12 – Added SSL TLS 1.3
UPDATED: 2019-03-04 – Added FTP SSL
UPDATED: 2019-02-04 – Added Ubiquiti

2018

UPDATED: 2018-11-06 – Added Apple Filing Protocol
UPDATED: 2018-10-17 – Added LDAP TCP
UPDATED: 2018-10-04 – Added Rsync
UPDATED: 2018-07-25 – Added Android Debug Bridge
UPDATED: 2018-07-19 – Added Alternative SSL Port
UPDATED: 2018-04-19 – Added TCP/8080
UPDATED: 2018-02-26 – Added UDP MemCached

2017

UPDATED: 2017-11-16 – Added Cisco Smart Install
UPDATED: 2017-11-16 – Added Alternative CWMP port
UPDATED: 2017-09-18 – Added Hadoop
UPDATED: 2017-05-16 – Added SMB
UPDATED: 2017-03-05 – Added VNC

2016

UPDATED: 2016-12-02 – Added CWMP
UPDATED: 2016-11-28 – Added Alternative Telnet
UPDATED: 2016-11-13 – Added Telnet
UPDATED: 2016-11-02 – Added LDAP (UDP)
UPDATED: 2016-09-22 – Added RDP
UPDATED: 2016-09-21 – Added ISAKMP
UPDATED: 2016-05-18 – Added XDMCP
UPDATED: 2016-05-18 – Added DB2
UPDATED: 2016-03-09 – Added TFTP
UPDATED: 2016-02-17 – Added mDNS

2015

UPDATED: 2015-09-20 – Added Synful Knock
UPDATED: 2015-09-15 – Added Portmapper
UPDATED: 2015-06-01 – Added Elastic Search
UPDATED: 2015-03-09 – Added SSL/FREAK
UPDATED: 2015-02-13 – Added MongoDB
UPDATED: 2015-02-08 – Added Open SSDP and Open SNMP project links
UPDATED: 2015-01-29 – Added MS-SQL
UPDATED: 2015-01-23 – Added MemCached
UPDATED: 2015-01-21 – Added REDIS
UPDATED: 2015-01-07 – Added NAT-PMP

2014

UPDATED: 2014-11-17 – Added SSLv3
UPDATED: 2014-08-28 – Added Netcore/Netis
UPDATED: 2014-07-01 – Added Quake and Steam
UPDATED: 2014-06-26 – Added IPMI and Gameover Zeus
UPDATED: 2014-06-12 – Added port numbers
UPDATED: 2014-03-26 – Added QOTD
UPDATED: 2014-03-26 – Added NetBIOS
UPDATED: 2014-03-26 – Added CharGEN
UPDATED: 2014-03-25 – Added NTP Mode 7 (monlist)
UPDATED: 2014-03-14 – Added NTP Mode 6 (version)
UPDATED: 2014-03-06 – Added SSDP
UPDATED: 2014-01-13 – Added SNMPv2

2013

STARTED: 2013-06-06 – Added DNS

« Back to News & Insights