The scannings will continue until the Internet improves

March 28, 2014

LAST UPDATED: 2022-10-24

Introduction

The news and our networks have been full of articles and packets related to the different UDP amplification attacks that have been ongoing. We and several other researchers have been looking at this problem for a while, and while there are no easy solutions, we can at least make network owners more aware of the issues we can see on their networks from the outside. This has led to some interesting results, most of which are not pleasant.

There are also a large number of services that should not be exposed because they are usually trivial to exploit or abuse. Some of these might expose data or even allow remote access to systems that should not be open to the public.

Scanning Project

This gave birth to the scanning project. We dropped a pile of gear in a colo, convinced our provider this was for the good of the internet, and started pushing the bounds of the networks as much as we could. Our initial tests were hard and unpleasant, but we tuned, rewrote code, and finally came up with a methodology that we hope is not too onerous for the end networks.

In some cases there has been a comedy of errors as both we and some of the recipients of our probes have tried to find out why devices would give results when they were never scanned in the first place. Imagine our surprise, for instance, when we sent hundreds of queries across hundreds of destination IPs and received hundreds of replies from a completely different IP.

Protocols

Based on this report from the US-CERT and the wonderful write-up by Christian Rossow, we plan on probing everything listed by both. While we were at it, we added a few other ports/protocols of significant security interest. And we are constantly adding more!

There are links below to the scan results from our currently implemented protocols. Those that don’t have links are on our “to-do” list. Expect more interpretation of scan results in future posts. We also use these scans to fingerprint devices remotely by make and model. You can find the results of this fingerprinting in the Device Identification report.

Amplification Protocols:

Botnet Protocols:

  • Conficker (TCP/445)
  • Gameover Zeus (Takedown by the FBI on 2014-05-30)
  • Sality
  • Zeroaccess

Protocols That Should not be Exposed Uncontrolled (Unnecessary attack surface):

Protocols That are Vulnerable:

ICS/SCADA/OT Protocols (Unnecessary possible critical industrial infrastructure attack surface):

All scan results for the protocols below are available in the Accessible ICS report.

Population Test Protocols:

  • HTTP (TCP/80 and multiple other ports) (IPv4/IPv6)
  • QUIC (UDP/443)
  • SMTP (TCP/25) (IPv4/IPv6)
  • SSH (TCP/22, TCP/2222) (IPv4/IPv6)
  • SSL TLS 1.3 (TCP/443 and multiple other ports) (IPv4/IPv6)
  • Teamviewer (TCP/5938) (IPv4/IPv6)

What can we do?

If you are not yet getting reports on your network, please request them; you can see more details here. If you would like to contribute to help cover the costs of the project, just email one of us.

Updates

2022

  • UPDATED: 2022-04-15 – Added OPC-UA-Binary
  • UPDATED: 2022-04-12 – Added HART
  • UPDATED: 2022-04-07 – Added CODESYS
  • UPDATED: 2022-04-06 – Added IEC 60870-5-104
  • UPDATED: 2022-04-05 – Added PC Worx
  • UPDATED: 2022-03-31 – Added MELSEC-Q
  • UPDATED: 2022-03-30 – Added ProConOS
  • UPDATED: 2022-03-26 – Added OMRON FINS
  • UPDATED: 2022-03-23 – Added EtherNET/IP
  • UPDATED: 2022-03-21 – Added SOCKS Proxy
  • UPDATED: 2022-03-18 – Added Crimson v3
  • UPDATED: 2022-03-17 – Added Bacnet
  • UPDATED: 2022-03-09 – Added DVR DHCPDiscover
  • UPDATED: 2022-03-08 – Added DNP3
  • UPDATED: 2022-03-03 – Added Tridium Niagara Fox
  • UPDATED: 2022-03-02 – Added Siemens S7
  • UPDATED: 2022-02-21 – Added Modbus

2021

  • UPDATED: 2021-11-30 – Added AMQP
  • UPDATED: 2021-05-17 – Added SMTP
  • UPDATED: 2021-04-22 – Added MS Exchange
  • UPDATED: 2021-01-19 – Added MS-RDPEUDP

2020

  • UPDATED: 2020-07-02 – Added Radmin
  • UPDATED: 2020-06-20 – Added CoAP
  • UPDATED: 2020-06-05 – Added IPP
  • UPDATED: 2020-03-12 – Added MQTT

2019

  • UPDATED: 2019-12-04 – Added SSH
  • UPDATED: 2019-08-02 – Added Apple Remote Desktop
  • UPDATED: 2019-07-18 – Added QUIC
  • UPDATED: 2019-06-01 – Added RDP Bluekeep
  • UPDATED: 2019-04-19 – Added SSL TLS 1.3 Alternative Port
  • UPDATED: 2019-04-12 – Added SSL TLS 1.3
  • UPDATED: 2019-03-04 – Added FTP SSL
  • UPDATED: 2019-02-04 – Added Ubiquiti

2018

  • UPDATED: 2018-11-06 – Added Apple Filing Protocol
  • UPDATED: 2018-10-17 – Added LDAP TCP
  • UPDATED: 2018-10-04 – Added Rsync
  • UPDATED: 2018-07-25 – Added Android Debug Bridge
  • UPDATED: 2018-07-19 – Added Alternative SSL Port
  • UPDATED: 2018-04-19 – Added TCP/8080
  • UPDATED: 2018-02-26 – Added UDP MemCached

2017

  • UPDATED: 2017-11-16 – Added Cisco Smart Install
  • UPDATED: 2017-11-16 – Added Alternative CWMP port
  • UPDATED: 2017-09-18 – Added Hadoop
  • UPDATED: 2017-05-16 – Added SMB
  • UPDATED: 2017-03-05 – Added VNC

2016

  • UPDATED: 2016-12-02 – Added CWMP
  • UPDATED: 2016-11-28 – Added Alternative Telnet
  • UPDATED: 2016-11-13 – Added Telnet
  • UPDATED: 2016-11-02 – Added LDAP (UDP)
  • UPDATED: 2016-09-22 – Added RDP
  • UPDATED: 2016-09-21 – Added ISAKMP
  • UPDATED: 2016-05-18 – Added XDMCP
  • UPDATED: 2016-05-18 – Added DB2
  • UPDATED: 2016-03-09 – Added TFTP
  • UPDATED: 2016-02-17 – Added mDNS

2015

  • UPDATED: 2015-09-20 – Added Synful Knock
  • UPDATED: 2015-09-15 – Added Portmapper
  • UPDATED: 2015-06-01 – Added Elastic Search
  • UPDATED: 2015-03-09 – Added SSL/FREAK
  • UPDATED: 2015-02-13 – Added MongoDB
  • UPDATED: 2015-02-08 – Added Open SSDP and Open SNMP project links
  • UPDATED: 2015-01-29 – Added MS-SQL
  • UPDATED: 2015-01-23 – Added MemCached
  • UPDATED: 2015-01-21 – Added REDIS
  • UPDATED: 2015-01-07 – Added NAT-PMP

2014

  • UPDATED: 2014-11-17 – Added SSLv3
  • UPDATED: 2014-08-28 – Added Netcore/Netis
  • UPDATED: 2014-07-01 – Added Quake and Steam
  • UPDATED: 2014-06-26 – Added IPMI and Gameover Zeus
  • UPDATED: 2014-06-12 – Added port numbers
  • UPDATED: 2014-03-26 – Added QOTD
  • UPDATED: 2014-03-26 – Added NetBIOS
  • UPDATED: 2014-03-26 – Added CharGEN
  • UPDATED: 2014-03-25 – Added NTP Mode 7 (monlist)
  • UPDATED: 2014-03-14 – Added NTP Mode 6 (version)
  • UPDATED: 2014-03-06 – Added SSDP
  • UPDATED: 2014-01-13 – Added SNMPv2

2013

  • STARTED: 2013-06-06 – Added DNS
