
Analysis of the Internet Census data

The Finnish Cyber Landscape October 2013

Contents

1 Foreword
  1.1 Disclaimer
2 Analysis Summary
  2.1 Unencrypted protocols
  2.2 Web interfaces
  2.3 SCADA
  2.4 The vulnerability landscape
  2.5 Recommendations
3 Operating System analysis
  3.1 TOP-20 all fingerprints
  3.2 Linux kernel versions
  3.3 Windows versions
  3.4 Firewall / Switch / Router devices
  3.5 Home router devices
  3.6 Printer devices
  3.7 Possible SCADA systems
4 Port analysis
  4.1 TOP-40 port list
  4.2 Ports open, counted by hosts
  4.3 Database ports
  4.4 Unencrypted protocol ports
  4.5 Management interface ports
  4.6 Proxy ports
  4.7 Denial of service ports
  4.8 Printing ports
  4.9 Other sensitive ports
  4.10 Firewall data comparison
5 Serviceprobe analysis
  5.1 Www - Generic Web-servers
  5.2 Www - Embedded servers and network router servers
  5.3 Www - Firewall, proxy and management servers
  5.4 Www - Printer servers
  5.5 Www - Media and surveillance servers
  5.6 Www - Possible SCADA-related servers
  5.7 FTP Servers
  5.8 SSH Servers
  5.9 Telnet servers
  5.10 SMTP Servers
  5.11 DNS Servers
  5.12 IMAP Servers
  5.13 SNMP Servers
  5.14 MS SQL Servers
  5.15 MySQL Servers
6 Vulnerability Analysis
7 References


1 Foreword
A huge amount of data titled Internet Census 2012 was released earlier this year. It was acquired with a botnet named Carna between June and October 2012, which used insecure embedded devices to scan the Internet. Overall Internet Census 2012 project information:

420 million IP addresses responded to ICMP ping at least two times between June 2012 and October 2012.

The data contains a lot of different scan information, like open ports, traceroutes, reverse DNS queries and much more. This information provides an overview of what the Internet looked like during the time period. The data was made publicly available through the BitTorrent network. We at Nixu decided to take a look at the data from a Finnish viewpoint, and this report covers the results of this analysis. The main data items we considered interesting were operating system statistics, TCP port statistics and the results of some service probes, which contain the actual server responses. In addition, the data provided a view into systems and services which should not be directly available from the Internet. There were 13,782,236 Finnish IP addresses in our list. We isolated the data associated with these IP addresses from the complete data set. This subset was further processed and analyzed to generate statistics and draw conclusions. No correlation was done between the analyzed data sets. The analysis was done by Nixu's Security Intelligence and Research team (Nixu SIR).

1.1 Disclaimer
Even though the data has been acquired unethically, by hacking into devices and using them to scan the Internet, doing analysis on data released into the public domain should only be viewed as a research exercise. We think the data is likely authentic, but there is no guarantee it has not been manipulated or crafted. Also note that properly firewalled servers are not included in the data: a host that silently drops unsolicited packets does not appear at all. We do not have any supporting numbers on the total amount of Internet-connected devices that could have been fully firewalled or shut down during the port scan activity, which would have added another indicator of network posture to the analysis. When reading this report, bear in mind that it is based only on the publicly available data, accurate or not. Even though the scan was done some time ago, we do not believe the overall picture has changed that much.


2 Analysis Summary
Finland is said to have one of the cleanest network environments, at least in terms of malware infections. However, there are potentially serious weaknesses in the Finnish cyber landscape. The basic network reconnaissance provided by the Internet Census scan revealed that most of the over 500,000 hosts scanned (94.6%) have a relatively healthy number of ports open, which we defined as four or fewer.

Hosts by number of open TCP ports
  OK (4 or fewer)      481 692   94.56 %
  Not OK (5 or more)    27 697    5.44 %

This means the attack surface is smaller on these hosts, but there are still tens of thousands of Internet-connected hosts with practically open doors for attackers. All of these contribute to the attack surface a potential attacker can try to exploit. Whether it is a common ADSL router used by thousands of end users or a single corporate printer sitting directly on the Internet, security can potentially be compromised.

This in essence means that there are thousands of Internet-connected devices and information systems that are prone to eavesdropping, information gathering and other abuse, even by an attacker with a limited skill set.

The Internet Census data can be used as a valid source of reconnaissance intelligence on services running at governmental entities, industries and organizations, without the need to actively probe their networks. An attacker could for example map the services used across the globe to enable mass exploitation of widely used and vulnerable services. He could also pinpoint a single Internet-connected device to use as an entry point into a selected target organization. We believe the scan revealed just the tip of the iceberg of the weaknesses in Finnish networks overall, especially when application-level vulnerabilities are taken into consideration. Nixu has done hundreds of security assessments of systems owned by different organizations and governmental entities, and our findings support this conclusion. Four in five systems we have assessed have multiple vulnerabilities that, for example, allow bypassing access controls, which leads to unauthorized access to confidential data.


Perimeter security is usually at a good level, but once inside, things tend to get worse. On the technical level the focus still tends to be perimeter-centric, revolving around firewalls, intrusion detection systems and the like. Vulnerability management, system hardening and application-level security should be bolstered; perimeter defense alone is not sufficient to protect against cyber threats. Organizations should take the time to verify their Internet exposure. Regular scanning of one's own networks and taking action based on the results is a recommended practice. It is worth mentioning that the data was collected over a period of five months, and analyzing this amount of data takes up resources, even with a limited scope. The following chapters take a deeper look into some of the identified problem areas.

2.1 Unencrypted protocols


There is a relatively high number of devices running unencrypted protocols like FTP (File Transfer Protocol) and Telnet. If these insecure methods are actively used to transfer files and manage systems, they make it possible for an attacker to capture authentication credentials from the wire. The likelihood of credentials being captured is significant when connections are established from another country, in light of the latest NSA revelations. For example, the United Kingdom's GCHQ captures traffic passing its Internet exchange points, and France does its own monitoring. One of the largest European Internet exchange points is located in Germany. The FRA in Sweden is in essence capable of monitoring all outbound Finnish Internet traffic, and it has been revealed that it provides access to the NSA. If, for example, governmental systems like Internet-facing routers have been managed from abroad using unencrypted protocols, this could have enabled a nation-state actor to use the captured information for purposes like espionage. Access to a router can help in gaining access deeper into the governmental network, or in altering the route outbound traffic takes. The same applies to other ports used to manage servers, like the Windows RPC, NetBIOS and SMB ports, Terminal Services (RDP) and VNC remote access tools. Terminal Services and some VNC versions can use SSL/TLS to encrypt the traffic, but having these open to the Internet still makes them prone to brute force password attacks.

Selection of port types (hosts with the port open; percentages are of the six categories combined)
  Secure mgmt (SSH, port 22)                                 83 494   30.94 %
  Insecure mgmt (Telnet, the r-services and the other
    management ports of section 4.5, excluding SSH)          90 874   33.68 %
  Insecure FTP (port 21)                                     67 286   24.94 %
  Proxy ports                                                17 760    6.58 %
  Databases                                                   7 650    2.84 %
  Printers                                                    2 777    1.03 %

FTP is a good solution to use if it is used only to serve public les anonymously.


2.2 Web interfaces


Other important targets are web-based management interfaces. By this we do not mean typical web servers, but the web interfaces provided by embedded devices, printers, routers, surveillance devices and the like. The service probe data (chapter 5) breaks the web servers down as follows:

Web servers by category
  Generic                275 000   83.26 %
  Embedded/Router         38 000   11.51 %
  Management/FW/Proxy      6 500    1.97 %
  Media/Surveillance       5 000    1.51 %
  SCADA                    4 100    1.24 %
  Printer                  1 700    0.51 %

After a product has been installed, no additional configuration hardening is usually done to the device, leaving for example the web-based management interface listening on all network interfaces. When the device is connected directly to the Internet, for specific device types probably by mistake, anyone on the Internet can connect to the offered resources. Such unconfigured devices can have the vendor's default administrative credentials, unwanted services like Telnet and SNMP (Simple Network Management Protocol) enabled, and many other issues; in the worst case there is no password set at all. The web-based management interface can also have exploitable vulnerabilities, just like typical web applications do. These interfaces can enable an attacker to gain a foothold on the device and access the information stored on it. For example, certain printer models have a hard disk which stores printed documents for a period of time, which can give the attacker access to sensitive documents. In addition, devices offering SNMP by default with known community strings can give an attacker a wealth of information regarding the internal network configuration and listening processes to use in further attacks.

Eventually, a foothold on an unconfigured device can lead to a situation where the attacker is able to modify the device and use it to penetrate deeper into the organization's network. This can lead to sensitive information and intellectual property leaking into the wrong hands.

If an organization has networked security cameras or video conferencing systems open for anyone to use and spy on, it offers many new intelligence gathering methods and attack vectors to a malicious party. Operators selling broadband and Internet services to organizations and consumers often have their own preferred devices and brands they offer. It may be that many of these devices expose the interfaces by default, which neither the seller nor the buyer is aware of. Another possible reason is that buyers get the devices directly from retailers and lack the know-how needed to set them up securely.


The unencrypted protocols, SNMP and web interfaces discussed above contribute the most to the available attack surface. Based on our half-year firewall data analysis, most of the TCP ports already discussed are in the TOP-10 of what attackers are looking for. The attackers are probably trying to find services offering a login, which can then be attacked with dictionary and brute force password guessing.

2.3 SCADA
There appear to be ICS/SCADA related devices directly connected to the Internet. Even though the number is not very high, an attacker can use for example the Internet Census or Shodan search engine (http://www.shodanhq.com/) data for initial reconnaissance to find desired targets. The devices might be serial device servers, Ethernet-to-Serial bridges, Serial-to-IP converters, communication processors, building management systems, embedded controllers, environmental controllers, data loggers and automation systems which can control different types of processes, energy and drive engineering. The products can have exploitable vulnerabilities, hard-coded passwords and default configurations that an attacker can exploit. These can help to gain access to the environment or cause substantial damage to whatever the devices are controlling. Obviously such systems should not be placed directly on the Internet.

2.4 The vulnerability landscape


A vulnerability is a flaw in computer software or configuration which, if exposed, allows an attacker to exploit it for unintended consequences. Such unintended consequences can for example be a crash of the software, execution of attacker-provided code with the privileges of the affected process, or unauthorized access to data. We provided the Nixu Watson vulnerability management service (http://www.nixu.com/en/solution/nixuwatson) a list of extracted service banners for many of the vendors in the TOP lists presented in Chapter 5. The services we focused on were FTP (File Transfer Protocol), SSH (Secure Shell), SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System), DB (databases) and WWW (web servers and additional web server components like PHP).

Total amount of CVEs
  High     326   33.10 %
  Medium   577   58.58 %
  Low       82    8.32 %

The above chart shows the number of unique vulnerabilities Nixu Watson discovered based on the banner versions. There were potentially 326 High-level, 577 Medium-level and 82 Low-level vulnerabilities present in the list of 693 different software versions. Note that a banner match is an indication rather than a confirmation: a distribution that backports a fix does not change the version string, and a banner can be edited by the administrator. (See Chapter 6 for more details.)


The most vulnerable service category was web servers and related web-based components, especially older versions of Apache and PHP. Based on our analysis, the typical role for a server in Finland offering services to the Internet is an Apache HTTP server. Overall, based on the vulnerability data, there were thousands of vulnerable systems present during the scan period.

Another troubling discovery is that there are databases, the crown jewels for many, directly open to the Internet. A well configured and hardened database that is kept updated may be relatively secure, but in our opinion exposing it is still not an advisable practice. HTTP, HTTPS, SSH, FTP, Telnet and SMTP are the protocols most commonly available in the Finnish landscape (see chapter 4.1 TOP-40 port list). For each of these protocols there are also one or two specific server software packages that dominate the landscape, making any remotely exploitable vulnerability in them a lucrative target for attackers who aim to get as many systems as possible under their control.
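The banner-to-vulnerability matching described above works by pulling product and version tokens out of each service banner and comparing the version against a threshold below which the software is flagged. The script below is an added example of that mechanism; it is not the Nixu Watson service, and the values in THRESHOLDS are placeholder thresholds chosen for the example, not real advisories. The banner strings are constructed in the style of the HTTP, SSH, FTP and SMTP greetings the service probes collect.

```python
"""Extract (product, version) pairs from service banners and flag versions
below a threshold. Added example; thresholds and banners are constructed."""
import re
from collections import Counter

# A version is digits separated by dots, optionally followed by a suffix
# such as "p1" (OpenSSH) or "e" (OpenSSL).
VERSION = r"(\d+(?:\.\d+)+[A-Za-z0-9]*)"

PATTERNS = [
    re.compile(r"\b([A-Za-z][\w.-]*)/" + VERSION),               # Apache/2.2.3 PHP/5.1.6
    re.compile(r"SSH-\d\.\d+-(OpenSSH)_" + VERSION),              # SSH-2.0-OpenSSH_5.3p1
    re.compile(r"\(?(ProFTPD|vsFTPd|Pure-FTPd)\)? ?" + VERSION),  # 220 ProFTPD 1.3.3d Server
    re.compile(r"(Postfix|Sendmail|Exim)[ /(]+" + VERSION),       # ESMTP Postfix (2.6.6)
]

# Placeholder thresholds: "flag anything older than this" with a severity.
# These are illustrative only and make no claim about real vulnerabilities;
# a real run would key a vulnerability database on product and version.
THRESHOLDS = {
    "Apache":  ("2.2.22", "High"),
    "PHP":     ("5.3.10", "High"),
    "OpenSSH": ("5.3",    "Medium"),
    "ProFTPD": ("1.3.4",  "High"),
    "OpenSSL": ("0.9.8w", "Medium"),
}

def extract_versions(banner):
    """All (product, version) pairs in one banner, in order, without duplicates."""
    found = []
    for pattern in PATTERNS:
        for pair in pattern.findall(banner):
            if pair not in found:
                found.append(pair)
    return found

def version_key(version):
    """Sort key: tuple of numeric components, then the textual suffix, so that
    2.2.3 < 2.2.22 and 0.9.8e < 0.9.8w compare correctly."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)

def assess(banner):
    """[(product, version, severity)] for every component below its threshold."""
    hits = []
    for product, version in extract_versions(banner):
        if product in THRESHOLDS:
            fixed, severity = THRESHOLDS[product]
            if version_key(version) < version_key(fixed):
                hits.append((product, version, severity))
    return hits

def summarize(banners):
    """Number of distinct software versions seen and flagged items per severity,
    the two figures the 'Total amount of CVEs' chart is built from."""
    versions, flagged = set(), set()
    for banner in banners:
        versions.update(extract_versions(banner))
        flagged.update(assess(banner))
    return len(versions), Counter(sev for _, _, sev in flagged)

# Constructed sample banners; no real host produced these.
SAMPLE_BANNERS = [
    "Apache/2.2.3 (CentOS) PHP/5.1.6 mod_ssl/2.2.3 OpenSSL/0.9.8e",
    "SSH-2.0-OpenSSH_4.3",
    "220 ProFTPD 1.3.3d Server (ProFTPD Default Installation)",
    "220 mail.example.com ESMTP Postfix (2.6.6)",
    "Apache/2.4.6 (Ubuntu)",
    "SSH-2.0-OpenSSH_6.2",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b, "->", assess(b))
    print(summarize(SAMPLE_BANNERS))
```

The comparison is purely lexical on the version string, which is exactly the weakness noted above: a vendor that backports a fix without bumping the version will be flagged, and an edited banner will not be.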

2.5 Recommendations
It is recommended that an organization verifies what assets it has directly connected to the Internet. If it turns out there are devices that should not be directly accessible, place them behind a properly configured firewall in the correct network segment. This allows control over which internal or external networks can connect to them. If the configuration or software/firmware patch level of the asset contains clear deficiencies which an attacker could have exploited, performing an assessment or a re-installation and reconfiguration of the asset is advisable, assuming such actions are possible. Using encrypted protocols for remote management, such as SSH with public key authentication or a VPN, is strongly recommended. In case Telnet is the only option, it should listen on a separate network interface not visible to the Internet, which allows access only from a management network segment. The brute force potential in many of the mentioned management services can be tackled with SSH public key authentication, where that is a viable option; for web-based interfaces the mechanism has to be built in. If FTP is supposed to be used with real credentials to access files, use an FTP server that supports FTPS (FTP over SSL/TLS). Another alternative is to use SFTP or SCP, which are part of the SSH software package. Operators that sell devices to customers and organizations are recommended to analyze the available attack surface of their products, harden the configurations and offer pre-configured devices. It is also advisable to provide proper instructions on how to take a device securely into use. This does not, however, solve the direct-buy problem, where the customer gets the device from a retailer. The only sensible way to solve that problem is to require manufacturers to provide the devices in a secure-by-default configuration.


As a suggestion, this could be included in the Finnish Cyber Security Strategy as one point to enforce, to ensure operators provide citizens and organizations with devices in hardened configurations. Countries should together push a global initiative to require that manufacturers ship devices and software in a secure-by-default configuration.

Organizations should also have clear policies on how devices should be configured, placed on the network and managed, to ensure they pose minimal risk to the rest of the organization's network. Proper vulnerability management processes ensure hosts are kept up to date with the latest patches. For SCADA devices there is a simple recommendation: if connecting from a remote location is absolutely necessary, these should be heavily firewalled or placed behind a VPN (Virtual Private Network) connection. Additionally, allowing only a small set of IP addresses and trusted users is advisable. Databases should preferably be run in their own firewalled segment with restricted access to the database port. Alternatively, on systems running both the application and the database, the database should be set to listen only on the loopback address or a local socket (for example bind-address=127.0.0.1 in MySQL, or listen_addresses='localhost' in PostgreSQL) to minimize the available attack surface. From a national security perspective it would be a very interesting exercise to do a more in-depth analysis of governmental and critical infrastructure networks and systems, with actual cross-references between the different data sets and the available vulnerability information. This could give the government an initial tool to start analyzing the available attack surface and possible threats regarding its Internet presence, and to improve security as part of the Finnish Cyber Security Strategy.


3 Operating System analysis


The operating system data was extracted from the data sets and compared against the Nmap OS fingerprint database. In total there were over 119 000 fingerprints present in the data. This data was divided into categories containing the most common vendors / products in each category. The categories were selected for the following reasons:

All fingerprints: provides an overview of all the vendors / products.
Common OS: shows the most common typical operating systems that are run on servers, computers and, in some cases, consumer devices.
Linux kernel: helps determine whether very old and possibly insecure systems are present. It also shows the adoption of the new 3.x series kernels.
Windows versions: the breakdown of Windows versions directly contributes to the vulnerability landscape, describing how many old systems exist that may be vulnerable to attack.
Firewall / Switch / Routers: an overview of the most used network equipment helps build a picture of what types of systems are used in typical Finnish Internet infrastructure.
Home router devices: knowledge of commonly used home networking products helps in identifying possible risks to end users.
Printer devices: printers directly accessible from the Internet are not a good corporate policy. From a risk perspective these should not be on the Internet.
ICS/SCADA devices: these are systems that definitely should not be directly on the Internet, and abuse of these can have big consequences.


3.1 TOP-20 all fingerprints


Below is the combined TOP-20 list of all the encountered fingerprints of different devices and operating systems, followed by a chart showing the spread of typical/common operating systems which most people are familiar with. The common operating systems accounted for over 61 000 hits, which is a bit over half of all the fingerprints present. This indicates there are a lot of other devices like routers, ADSL/cable modems, printers and similar items directly accessible over the Internet. One interesting observation was over 150 Blue Coat systems, which did not fit in the chart.

TOP-20 of all ngerprints

TOP-15 Common OS / Systems


3.2 Linux kernel versions


There were over 43 000 hits for different IPs identified as Linux. The chart is a breakdown of the actual Linux kernel versions. The majority of the systems were still running the 2.6 series, but there are still systems running 2.4 and below. Some may be embedded systems, in spite of the attempts to exclude them. Current Linux distributions are moving to 3.x versions. The 2.6 series started in December 2003 and the 3.x series in July 2011.

Linux kernels

3.3 Windows versions


Microsoft Windows operating systems were running on 14 000 hosts. The following chart shows the different versions seen in the data. The amount of Windows 2000 and Windows XP is quite high, about 1/5 of the identified hosts. Windows 2000 is no longer supported (support ended in July 2010) and Windows XP extended support ends in April 2014, after which neither receives security updates, which may pose a serious risk to these systems.

Microsoft Windows


3.4 Firewall / Switch / Router devices


We grouped specific firewall, switch and routing devices into one graph, which resulted in 17 000 hits. Interestingly there are quite many Symantec gateway installations. Cisco and 3Com are the most common technologies related to routing.

TOP-15 FW / Router / Switch vendors

3.5 Home router devices


Over 10 000 devices were identified as typical ADSL, cable or 3G routers. Other LAN/WLAN devices were also found. These are usually used in home or SOHO environments, though some may be used only in businesses.

TOP-15 Home routers


3.6 Printer devices


There were plenty of printing related devices, accounting for over 3 500 hits. Some printer brands that did not fit the chart are for example Dell, Kyocera, Kodak and Konica. These should most probably not be directly connected to the Internet.

TOP-10 Printer vendors

3.7 Possible SCADA systems


Different types of possible SCADA systems, remote access controllers and management interfaces were discovered in the data. Some of the controllers and interfaces may be purely for servers (out-of-band management). These accounted for over 2 900 hits. Such systems should usually not be directly accessible over the Internet. On a separate note, there were also NAS and tape library devices (527 hits).

Possible ICS / SCADA systems


4 Port analysis
The data contained TCP SYN scan results and in addition some UDP results. We decided to skip analysis of the UDP data because of the possibility of unreliable results (an unanswered UDP probe cannot be told apart from a filtered one), and focused mainly on the TCP results. There were over 500 000 IP addresses present in the data. The following chapters give an overview of what the most common ports are and what kind of services the majority of the hosts are running. Analysis was also made of how many different ports were open for specific service types. These service types were selected for the following reasons:

Databases: databases are typically the crown jewel attackers are looking for, and it can be risky to offer these to the Internet.
Unencrypted protocols: these protocols are easily intercepted, especially when used in a hostile environment. In light of recent events, their usage is not advised.
Management interfaces: interfaces like these should in general be available only from networks that are considered adequately secure, as they often offer the keys to the kingdom.
Different proxies: such services, when wrongly configured, can allow an attacker to hide his tracks or attack deeper into the organization.
Denial of service: a breakdown of these may help understand the possible number of Finnish hosts that could be used in DoS attacks.
Possibly sensitive ports: mistakes in configuring servers may expose services which allow an attacker to gain more information about a target.

Finally, we compared which ports typically get scanned and how many hosts have the scanned ports open. This gives an overview of the likelihood, or the time and resources an attacker has to spend, to find a host with the port he is looking for open.


4.1 TOP-40 port list


This chart shows the TOP-40 ports that are open on the scanned hosts. The majority of the hosts run a service on port 80 and/or 443, which are usually HTTP and HTTPS. Remote access ports SSH and Telnet are also high on the list, in addition to FTP, SMTP and DNS services. These, except for Telnet, are quite typical services to have open to the Internet. It is worth mentioning that the port used by VoIP systems (5060, SIP) is in the TOP-10.

Top   Amount    Port
  1   404 370   80 (HTTP)
  2    94 244   443 (HTTPS)
  3    83 494   22 (SSH)
  4    67 286   21 (FTP)
  5    55 019   23 (Telnet)
  6    43 920   25 (SMTP)
  7    25 637   53 (DNS)
  8    17 725   8080 (Proxy)
  9    10 943   49152 (?)
 10     9 819   5060 (SIP)
 11     9 667   143 (IMAP)
 12     9 191   993 (IMAPS)
 13     8 548   110 (POP3)
 14     8 064   49154 (?)
 15     7 958   135 (MS-RPC)
 16     7 824   1723 (PPTP)
 17     7 521   139 (NetBIOS)
 18     7 510   3389 (RDP)
 19     7 073   995 (POP3S)
 20     6 645   3306 (MySQL)
 21     6 391   111 (rpcbind)
 22     5 972   5900 (VNC)
 23     5 938   554 (RTSP)
 24     5 693   445 (SMB)
 25     3 893   10000
 26     3 727   587 (SMTP submission)
 27     3 642   465 (SMTPS)
 28     3 590   113 (ident)
 29     2 840   179 (BGP)
 30     2 685   548 (AFP)
 31     2 590   515 (LPD)
 32     2 356   8443
 33     2 189   1720 (H.323)
 34     1 977   81
 35     1 645   20 (FTP data)
 36     1 638   8000
 37     1 611   2001
 38     1 546   2000
 39     1 489   1025
 40     1 435   5666

The service names in parentheses are the conventional assignments for the ports; the census recorded only that the port answered, not what was actually listening on it.


4.2 Ports open, counted by hosts


This list shows the number of hosts by how many open ports they have. It gives an overview of the attack surface available to an attacker: the more open ports, the higher the probability of finding a vulnerable service on a specific host. Typically a server dedicated to one task should have only a couple of services open. When a server acts in a multi-purpose role the port count is higher, up to a point. Five open ports and above starts to indicate a definite lack of proper hardening and improper use of firewall technology. Hosts with over 20 open services raise the question, from a security perspective, of how it is possible to have so many ports open. The answer cannot really be known from the data; it could be erroneous responses to received packets, dynamically opened client ports, or a host-based IPS that deliberately answers every SYN and so makes the port scan results unreliable by showing a lot of ports open.

Open ports   Amount of hosts
  1            321 184
  2             86 042
  3             31 498
  4             42 968
  5             12 745
  6              4 614
  7              2 518
  8              1 809
  9              1 194
  10             1 068
  11               839
  12               960
  13               403
  14               311
  15               146
  16-20            247
  21-25             42
  26-32              8
  33-48            184
  49-68            209
  71-100           114
  101-150          146
  151-201          115
  206-245           15

The following charts show what the open ports are for hosts that have up to four ports open. This gives an overview of what the majority of the landscape looks like in terms of open ports. In summary, the majority of scanned hosts act in web server roles. The more ports are open, the more diverse the set of open ports on the hosts gets.
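The per-host counting used in section 2 (the four-or-fewer rule and the port-type categories of 2.1) and in this chapter (the open-port histogram and the top ports for hosts with N open ports) can be reproduced with a short script. The following is an added example, not code from the report or the Internet Census project. It assumes a tab-separated "ip, port, state" record layout, which is an assumption about the dump format; the category port sets follow the report's tables in sections 4.3 to 4.5, while the proxy port 3128 and printer port 9100 are assumed additions because the report's lists for those categories are not reproduced here. The sample records are constructed.

```python
"""Per-host analysis of Internet Census style TCP port-scan records.
Added example; record format, the 3128/9100 additions and the sample
data are assumptions, not the report's own data."""
from collections import Counter, defaultdict

# Port categories. SSH, the insecure management ports, FTP and the database
# ports match the report's tables; 3128 (Squid) and 9100 (JetDirect) are
# assumed here to give the proxy and printer categories a second member.
CATEGORIES = {
    "Secure mgmt": {22},
    "Insecure mgmt": {23, 512, 513, 514, 135, 139, 3389, 445, 5631, 4899}
                     | set(range(5800, 5810)) | set(range(5900, 5910)),
    "Insecure FTP": {21},
    "Proxy ports": {8080, 3128},
    "Databases": {3306, 1433, 5432, 523, 1521, 2048, 27019},
    "Printers": {515, 9100},
}

def parse_scan(lines):
    """Return {ip: set(open_ports)} from 'ip<TAB>port<TAB>state' records.
    Malformed lines are skipped. A host whose only records are closed or
    filtered still appears with an empty set, so it counts as scanned."""
    hosts = defaultdict(set)
    for line in lines:
        parts = line.strip().split("\t")
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        ip, port, state = parts
        hosts[ip]  # touching the key registers the host even with no open ports
        if state == "open":
            hosts[ip].add(int(port))
    return dict(hosts)

def open_port_histogram(hosts):
    """Number of hosts per open-port count (the table in section 4.2)."""
    return Counter(len(ports) for ports in hosts.values())

def healthy_split(hosts, max_ok=4):
    """Split hosts into OK (<= max_ok open ports) and Not OK, the rule used
    in section 2. Returns (ok_ips, not_ok_ips)."""
    ok = {ip for ip, ports in hosts.items() if len(ports) <= max_ok}
    return ok, set(hosts) - ok

def category_counts(hosts):
    """Hosts with at least one open port in each category (section 2.1 chart).
    A host with Telnet and MySQL open is counted in both categories."""
    counts = Counter()
    for ports in hosts.values():
        for name, cat_ports in CATEGORIES.items():
            if ports & cat_ports:
                counts[name] += 1
    return counts

def top_ports_for_count(hosts, n, k=25):
    """Most common open ports among hosts with exactly n open ports
    (the 'TOP-25 ports for N open ports' charts)."""
    tally = Counter()
    for ports in hosts.values():
        if len(ports) == n:
            tally.update(ports)
    return tally.most_common(k)

# Constructed sample: five hosts in a documentation range, not real scan data.
SAMPLE = """\
198.51.100.10\t80\topen
198.51.100.10\t443\topen
198.51.100.11\t80\topen
198.51.100.11\t22\topen
198.51.100.11\t21\topen
198.51.100.11\t23\topen
198.51.100.12\t3306\topen
198.51.100.12\t23\topen
198.51.100.12\t80\topen
198.51.100.12\t21\topen
198.51.100.12\t8080\topen
198.51.100.12\t5900\topen
198.51.100.13\t80\tclosed
198.51.100.14\t515\topen
""".splitlines()

if __name__ == "__main__":
    hosts = parse_scan(SAMPLE)
    print("open ports per host:", sorted(open_port_histogram(hosts).items()))
    ok, not_ok = healthy_split(hosts)
    print("OK:", len(ok), "Not OK:", len(not_ok))
    print("categories:", dict(category_counts(hosts)))
    print("top ports for 4 open ports:", top_ports_for_count(hosts, 4))
```

Because a host is counted once per category it appears in, the category totals can exceed the number of hosts; that is also why the percentages in the section 2.1 chart are shares of the category sum, not of all scanned hosts.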


The majority of hosts have only one port open, and that port is HTTP (80). This means that most of the scanned hosts act as web servers, and port 80 is the most useful port for an attacker when looking for live targets.

TOP-25 ports for 1 open port

About 64 % of the hosts which have two ports open are serving HTTP and/or HTTPS, which again increases the attack surface on the web server side. 10 % of these hosts also have SMTP open.

TOP-25 ports for 2 open ports


Hosts having three ports open still have a large share of web server related ports open, but are more diversified in available services. The most common services are HTTP, HTTPS, FTP, SSH and Telnet.

TOP-25 ports for 3 open ports

Interestingly, when hosts have four ports open, most of the open services are HTTP, SSH, FTP and Telnet. An organization (or home user) may want to provide its own web pages, remote access and a file service to the Internet, but having the Telnet port open as well is a mystery. These could be badly configured home router systems.

TOP-25 ports for 4 open ports


4.3 Database ports


This lists the default ports of some databases we decided to look at: MS-SQL, MongoDB, PostgreSQL, DB2, Sybase, Oracle, and MySQL. Databases should never be directly exposed to users, as this makes it easier to abuse software vulnerabilities, weak password policies and default configurations.

Amount    Port                   Database
6 645     3 306                  MySQL
872       1 433                  MS-SQL
102       523, 500xx, 600xx      DB2
16        5 432                  PostgreSQL
13        152x                   Oracle
1         2 048                  Sybase
1         27 019                 MongoDB

4.4 Unencrypted protocol ports


Unencrypted protocols do not provide any transport layer protection, which in essence allows capturing credentials from network traffic. Network devices often have Telnet enabled by default, while SSH needs to be enabled separately. This indicates a lack of hardening. These services should in general be replaced with more secure counterparts where possible, and most of them should not be open to the Internet.

Amount    Port    Service
67 286    21      FTP
55 019    23      Telnet
1 043     514     rshell
46        513     rlogin
25        512     rexec


4.5 Management interface ports


In addition to the above Telnet and r-services there are other common management interface ports that allow remote administration or access to hosts. Many of these do not encrypt data in transit by default but require some configuration or an additional component to secure the transport layer, for example by tunneling over SSH. There is usually no good reason to expose these ports directly to the Internet, except for SSH with public key authentication. Even on internal networks, access should be restricted to certain IP addresses or management networks where possible.

Amount    Port          Service
83 494    22            SSH
7 958     135           MS-RPC
7 521     139           NetBIOS
7 510     3 389         RDP
6 038     580x, 590x    VNC
5 693     445           SMB
12        5 631         PCAnywhere
9         4 899         Radmin

4.6 Proxy ports


The ports below are commonly associated with proxies. Attackers (and users) are constantly looking for open proxies to hide their tracks or to bypass country-level ACLs set by different services. Keep in mind that port 8080 is also commonly associated with Apache Tomcat. In the worst case a wrongly configured proxy could allow remote access to internal assets and result in an organization-wide compromise. There is usually no reason to have an internally used proxy directly accessible over the Internet.

Amount    Port      Service
17 725    8 080     Multiple
12        1 080     Socks
11        3 128     Squid
11        9 415     PPLive
1         33 849    Socks


4.7 Denial of service ports


Typical services used in denial of service attacks against a third party are UDP services, especially echo, chargen and DNS. The attack is executed so that the attacker spoofs the source address with the target's IP address, so that any responses are directed at the target. We found that there was a fairly low number of these TCP ports open, except for DNS. Often, if these are enabled as TCP services, the UDP port is enabled as well. The existence of these ports indicates a lack of proper hardening, as these are default services with no real use and they should be disabled (DNS may actually be in use). The problem with DNS is that it can be misconfigured as an open resolver, which can be used in amplification attacks.

Amount    Port    Service
25 637    53      DNS
62        7       Echo
50        13      Daytime
41        37      Time
40        19      Chargen

4.8 Printing ports


Network-enabled printers allow printing without being connected to the printer with a cable. Operating systems can also share printers to the rest of the network. It is not recommended to leave these printing services directly on the Internet because of the obvious possibility of abuse and data leaks. Printers also tend to have administrative interfaces, and it is always possible that these still have the default configuration in place. Like any software, printers can contain exploitable vulnerabilities.

Amount    Port     Service
2 590     515      LPD
136       631      CUPS
50        9 100    HP JDirect
1         1 782    HP-HCIP

4.9 Other sensitive ports


This is a small selection of sensitive ports that should not be directly on the Internet; it is by no means a comprehensive list. These would allow further enumeration and possibly further access to resources.

Amount    Port            Service
6 391     111             Portmapper
1 401     600x            X Windowing System
130       389, 636        LDAP
45        1 900, 2 869    uPnP
18        2 049           NFS


4.10 Firewall data comparison


Nixu collects firewall data and analyzes from time to time what ports are typically scanned by attackers and malware. This chart is a comparison of how often a specific port is targeted and how many instances of it are actually open, based on half a year's firewall data. A zero result can mean that the Internet Census did not include the port in the port scan.

Top   Open       Port
1     5 693      445 (Netbios)
2     83 494     22 (SSH)
3     55 019     23 (Telnet)
4     872        1 433 (MS-SQL)
5     7 510      3 389 (RDP)
6     7 958      135 (MS-RPC)
7     17 725     8 080 (Proxy)
8     6 645      3 306 (MySQL)
9     404 370    80 (HTTP)
10    5 972      5 900 (VNC)
11    94 244     443
12    43 920     25
13    9          4 899
14    7 521      139
15    8 548      110
16    67 286     21
17    2 356      8 443
18    12         1 080
19    11         3 128
20    0          5 038
21    10         6 666
22    12         5 631
23    1          30 670
24    16         5 901
25    28         8 081
26    0          3 790
27    1 638      8 000
28    16         8 088
29    1          6 675
30    1          8 880
31    9 667      143
32    0          6 674
33    0          65 500
34    208        88
35    1          8 090
36    18         9 090
37    1 977      81
38    0          3 127
39    25 637     53
40    0          44 609


5 Serviceprobe analysis
We decided to take a look at protocols that provide server response information in a relatively easy, human readable form. Almost all of these were present in the TOP-10 open ports list or are scanned relatively often. This data, if analyzed in depth, can give an overview of the general vulnerability landscape as it was nearly a year ago. For this paper we mainly focused on the high-level vendors/products to get an understanding of the most used software, except for the MS-SQL and MySQL data which contain only version numbers. We took the most common web-based ports and combined these into one large data set, then attempted to identify the server versions. The ports acquired were 80, 81, 82, 83, 8 000, 8 080, 8 880, 8 888, 443 and 8 443. The data was divided into different categories. For many IPs there were multiple requests present in the data, and no attempt was made to make the results unique. This skews the results a bit. We also extracted data from FTP (21), SSH (22), Telnet (23), SMTP (25), DNS (53), SNMP (161), IMAP (143), MS SQL (1 434) and MySQL (3 306).
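The service-probe categories in this section come from turning raw banners into a vendor/product (and, where present, a version). The Python below is an added example, not code from the report or the Internet Census project; the banners are constructed samples in the shapes these protocols commonly use, the pattern list covers only a few of the products named in sections 5.1 to 5.10, and anything unmatched lands in the "unknown" bucket the charts show. Hits are counted per record rather than per IP, as the text notes the report's own counting was.

```python
"""Extract vendor/product and version from service banners.

Added example, not the report's or the Internet Census project's code.
The banners are constructed samples; a real data set needs many more
patterns and a larger "unknown" bucket.
"""
import re
from collections import Counter

# (protocol, compiled pattern, product). First match wins. The optional
# named group "version" captures the version where the banner carries one.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-2\.0-OpenSSH_(?P<version>[\w.]+)"), "OpenSSH"),
    ("ssh", re.compile(r"^SSH-2\.0-dropbear_(?P<version>[\w.]+)"), "Dropbear"),
    ("ftp", re.compile(r"^220.*?ProFTPD (?P<version>[\w.]+)"), "ProFTPD"),
    ("ftp", re.compile(r"^220 \(vsFTPd (?P<version>[\d.]+)\)"), "vsFTPd"),
    ("smtp", re.compile(r"^220 \S+ ESMTP Postfix"), "Postfix"),
    ("smtp", re.compile(r"^220 \S+ ESMTP Exim (?P<version>[\d.]+)"), "Exim"),
    ("smtp", re.compile(r"^220 \S+ ESMTP Sendmail (?P<version>[\d.]+)"), "Sendmail"),
    ("http", re.compile(r"^Server: Apache/(?P<version>[\d.]+)"), "Apache"),
    ("http", re.compile(r"^Server: Microsoft-IIS/(?P<version>[\d.]+)"), "Microsoft IIS"),
    ("http", re.compile(r"^Server: nginx/(?P<version>[\d.]+)"), "nginx"),
]


def http_server_header(response):
    """Return the Server header of a raw HTTP response in canonical form
    ("Server: value"), or None if the response carries none."""
    for line in response.split("\r\n"):
        if line.lower().startswith("server:"):
            return "Server: " + line.split(":", 1)[1].strip()
    return None


def parse_banner(protocol, banner):
    """Return (product, version) for a banner; ("unknown", None) if no
    pattern matches. For HTTP the Server header is the banner."""
    if protocol == "http":
        first_line = http_server_header(banner) or ""
    else:
        first_line = banner.splitlines()[0] if banner.strip() else ""
    for proto, pattern, product in BANNER_PATTERNS:
        if proto != protocol:
            continue
        m = pattern.match(first_line)
        if m:
            return product, m.groupdict().get("version")
    return "unknown", None


def product_counts(records):
    """records: iterable of (protocol, banner). Counts products per
    protocol, one hit per record (no per-IP deduplication)."""
    counts = {}
    for protocol, banner in records:
        product, _ = parse_banner(protocol, banner)
        counts.setdefault(protocol, Counter())[product] += 1
    return {p: dict(c) for p, c in counts.items()}


# Constructed sample banners (hostnames and addresses are placeholders).
SAMPLE_BANNERS = [
    ("ssh", "SSH-2.0-OpenSSH_5.3\r\n"),
    ("ssh", "SSH-2.0-dropbear_0.52\r\n"),
    ("ssh", "SSH-1.99-Cisco-1.25\r\n"),
    ("ftp", "220 ProFTPD 1.3.3a Server (ProFTPD) [198.51.100.5]\r\n"),
    ("ftp", "220 (vsFTPd 2.2.2)\r\n"),
    ("ftp", "220 TP-LINK FTP server ready.\r\n"),
    ("smtp", "220 mail.example.test ESMTP Postfix\r\n"),
    ("smtp", "220 mx.example.test ESMTP Exim 4.72 Tue, 01 Oct 2013 10:00:00 +0300\r\n"),
    ("http", "HTTP/1.1 200 OK\r\nDate: Tue, 01 Oct 2013 10:00:00 GMT\r\n"
             "Server: Apache/2.2.3 (CentOS)\r\nContent-Length: 0\r\n\r\n"),
    ("http", "HTTP/1.1 200 OK\r\nserver: Microsoft-IIS/6.0\r\n\r\n"),
    ("http", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]

if __name__ == "__main__":
    for protocol, products in product_counts(SAMPLE_BANNERS).items():
        print(protocol, products)
```

The TP-LINK FTP banner is deliberately left unmatched here to show how a product that the report found to be common still ends up as "unknown" until a pattern is written for it; the 60 % unknown share in section 5.7 is largely a measure of pattern coverage.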


5.1 WWW Generic Web-servers


The chart below shows the TOP-11 web servers encountered in the data. There were over 275 000 hits in total for web servers. Based on the hits, Apache is clearly the most used web server and Microsoft second. Overall there seems to be a varied set of web servers in use.

TOP-11 web servers (count at least 1 000)

The next chart shows the rest of the generic web servers; the percentages were calculated against the total of these, which was over 6 500 hits.

Other generic web servers (count below 1 000)


5.2 WWW Embedded servers and network router servers


The chart shows the TOP-20 embedded devices and network routers. This category got over 38 000 hits. A few hits that did not fit in the TOP-list are listed separately here: EksosM, Conexant, Adapec, Netgear, Alcatel-Lucent.

TOP-20 Embedded devices and routers

5.3 WWW Firewall, proxy and management servers


The chart shows the TOP-15 firewall, proxy and management servers, which accounted for over 6 500 hits. There were also other interesting services, like Bomgar, which did not fit in the TOP-list.

TOP-15 Firewall, proxy and management servers


5.4 WWW Printer servers


There were nine different printer web servers identified from the data, accounting for over 1 700 hits. The chart below shows that HP printer web services are the most commonly exposed.

TOP-9 Printer web servers

5.5 WWW Media and surveillance servers


This category contains servers that stream media, such as audio and video. It includes TVs, radios, DVB systems and video surveillance systems, and these accounted for 5 000 hits. Some interesting systems that did not fit in the TOP-list: Tandberg, Indigo Vision.

TOP-25 Media / Surveillance servers


5.6 WWW Possible SCADA-related servers


There were twenty different servers that may be SCADA-related. From the list we decided to remove WinCE, which accounted for over 2 600 servers; it is used mainly in small devices, which in itself can indicate these should not be accessible over the Internet. In total there were over 4 100 hits.

TOP-16 Possible SCADA servers (excluding 2 676 WinCE hosts)

5.7 FTP Servers


This category contains the TOP-10 identified FTP servers found in the data. The number of hits was over 49 000, which shows that FTP is still used a lot. TP-LINK and ProFTPD are the two most common servers, with vsFTPd close behind.

TOP-10 FTP servers (60 % were unknown)


5.8 SSH Servers


The TOP-10 list for SSH servers held no surprise as far as the OpenSSH and Dropbear servers are concerned. In total there were over 23 000 hits. The official SSH Secure Shell and Tectia SSH servers were also found, but did not fit into the TOP-list.

TOP-10 SSH servers

5.9 Telnet servers


The Telnet data contained over 17 000 hits. The surprise in the TOP-10 list is the number of SIP/VoIP related devices and home routers. The UAV prompt may come from many devices, for example Cisco.

TOP-10 Telnet servers (32 % were unknown)


5.10 SMTP Servers


The TOP-10 list for SMTP contained over 79 000 hits, with the majority unknown. Postfix, Microsoft, Sendmail and Exim were, as expected, at the top of the list. There was also a fair number of security SMTP gateways.

TOP-10 SMTP servers (84 % were unknown)

5.11 DNS Servers


There were not many different DNS servers present, accounting for over 11 000 hits. BIND is the most common DNS server. Over 20 % refused to reveal their version, and dnsmasq came third.

DNS servers


5.12 IMAP Servers


The number of IMAP hits was over 8 500. The Unknown category contains the IMAP servers whose banners did not contain much identifying information. Dovecot, UW Imap and Courier are the most common ones identified.

TOP-10 IMAP servers

5.13 SNMP Servers


This category contains identified SNMP servers which responded to the "public" SNMP community string. There were over 17 000 hits. The Random category contains addresses, names and obscure serial numbers. The most common appear to be home/SOHO router devices. SCADA-related devices were also identified in the data.

TOP-10 SNMP servers


5.14 MS SQL Servers


The version strings in the data were transformed to actual MS SQL Server versions and service packs. There were about 1 000 hits in this category. The most common was MS SQL Server 2005 SP4, which is EOL. However, some 2005 versions are under extended support, according to Microsoft's pages.

TOP-10 MS SQL servers

5.15 MySQL Servers


There were over 1 200 hits for different MySQL servers which returned the version string. 590 hosts were removed from the results because they only reported that the scanning host is not authorized to connect to the server. Some relatively old versions were encountered.

MySQL servers


6 Vulnerability Analysis
If we look back one year and beyond at the generic vulnerability landscape for some of the service versions present in the TOP-lists, the vulnerabilities were mostly in the denial of service (DoS) category. This was not an extensive mapping exercise in which vulnerabilities were analyzed thoroughly, but it gives a general idea of the state of patching. The Nixu Watson vulnerability management service processed the extracted service banners for some of the selected TCP ports we wanted to look at (FTP, SSH, SMTP, DNS, DB, WWW). There were 326 High-, 577 Medium- and 82 Low-level unique vulnerabilities having a Common Vulnerabilities and Exposures (CVE) identifier.

Total amount of CVEs (pie chart)
High (326):    33.10 %
Medium (577):  58.58 %
Low (82):      8.32 %

With many distributions backporting patches, and vulnerabilities also depending on the hardware architecture, the findings may be false positives. For operating systems and certain services there was no easy way to determine current patch levels, except for the possible End-of-Life state of the product.

CVE distribution between protocols (bar chart, series High / Medium / Low per category: FTP (51), SSH (56), DNS (3), SMTP (32), Database (84), WWW (209), WWW-add (258))

The above chart shows the distribution of CVEs between different protocols. In parentheses is the number of different software versions in the category. The WWW-add category includes technologies like OpenSSL, PHP, mod_jk and other modules which can be used in a web server.


The most vulnerable components from a purely numeric viewpoint were old Apache and PHP versions. In total there were 693 different software versions present in the banner data. When examining the latest high-level vulnerabilities from each category, the following CVEs were found to be the most serious. No denial of service was included:

CVE-2011-4130: ProFTPD use after free remote code execution
CVE-2012-0920: Dropbear SSH server use after free remote code execution
CVE-2011-1407: Exim DKIM remote code execution
CVE-2009-2500: GDI+ could allow remote code execution in MS-SQL
CVE-2012-0882: yaSSL buffer overflow allows remote code execution in MySQL
CVE-2012-2965..CVE-2012-2967: Arbitrary code execution in Resin
CVE-2012-1823 and CVE-2012-2311: PHP allows executing arbitrary code

The following number of versions per category did not have a high-level vulnerability present. A version in this case means for example Apache 1.3.12 or PHP 5.3.7 and so on:

FTP: 20 / 51
SSH: 19 / 56
DNS: 1 / 3
SMTP: 6 / 32
Database: 21 / 84
WWW: 83 / 209
WWW-additional: 89 / 258

Last year a high-level configuration mistake was discovered in some F5 BigIP product installations. These contained a known SSH private key for the root user, which essentially allowed remote administrative-level access to the product. The exploitability of this vulnerability relies on the SSH service being open to the Internet. No cross-checking was made between the OS, service and open port information.
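The banner-to-CVE matching described in this section, and the backporting caveat above it, come down to comparing a version string from a banner against the version in which a fix shipped, and then lowering confidence when the banner points at a distribution that backports fixes without changing the upstream version. The Python below is an added example, not the report's method or the Nixu Watson service: it takes already parsed (product, version, banner) records that are constructed here, uses three of the CVE identifiers the report lists, and pairs them with "fixed in" versions that are this example's own assumptions (check the vendor advisory before acting on them). The "N / total" summary mirrors the per-category counts above.

```python
"""Match parsed service versions against a small advisory table.

Added example, not the report's method. The CVE identifiers are the ones
the report lists; the "fixed in" versions are this example's assumptions
(verify against the vendor advisory), and the records are constructed.
"""
import re

# product -> list of (cve, fixed-in version [ASSUMED], summary as in the report)
ADVISORIES = {
    "ProFTPD": [("CVE-2011-4130", "1.3.3g", "use after free remote code execution")],
    "Dropbear": [("CVE-2012-0920", "2012.55", "use after free remote code execution")],
    "Exim": [("CVE-2011-1407", "4.76", "DKIM remote code execution")],
}

# Distribution markers that commonly mean security fixes were backported
# without bumping the upstream version number (the report's caveat).
BACKPORT_MARKERS = ("Debian", "Ubuntu", "CentOS", "Red Hat", "RHEL", "FreeBSD", "SUSE")


def version_key(version):
    """Turn '1.3.3a' into a comparable tuple: numeric parts compare as
    integers, letter suffixes compare lexically after the number they follow,
    so 1.3.3 < 1.3.3a < 1.3.3g < 1.3.4."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def assess(product, version, banner=""):
    """Return the advisories whose fixed-in version is newer than the banner
    version, with a confidence that drops when the banner names a
    distribution known to backport fixes."""
    findings = []
    if version is not None:
        for cve, fixed_in, summary in ADVISORIES.get(product, []):
            if version_key(version) < version_key(fixed_in):
                findings.append((cve, summary))
    backported = any(m.lower() in banner.lower() for m in BACKPORT_MARKERS)
    if not findings:
        confidence = "n/a"
    elif backported:
        confidence = "low (distribution backports likely)"
    else:
        confidence = "medium (banner version only)"
    return {"product": product, "version": version,
            "cves": findings, "confidence": confidence}


def summarize(records):
    """records: iterable of (product, version, banner). Returns, per product,
    (versions without a matching CVE, distinct versions seen), in the
    report's 'N / total' spirit."""
    summary = {}
    for product, version, banner in records:
        entry = summary.setdefault(product, {"versions": set(), "clean": set()})
        entry["versions"].add(version)
        if not assess(product, version, banner)["cves"]:
            entry["clean"].add(version)
    return {p: (len(e["clean"]), len(e["versions"])) for p, e in summary.items()}


# Constructed records (product and version as a banner parser would emit them).
SAMPLE_RECORDS = [
    ("ProFTPD", "1.3.3a", "220 ProFTPD 1.3.3a Server (Debian)"),
    ("ProFTPD", "1.3.4a", "220 ProFTPD 1.3.4a Server"),
    ("Dropbear", "0.52", "SSH-2.0-dropbear_0.52"),
    ("Dropbear", "2012.55", "SSH-2.0-dropbear_2012.55"),
    ("Exim", "4.72", "220 mx ESMTP Exim 4.72 (Ubuntu)"),
    ("Exim", "4.80", "220 mx ESMTP Exim 4.80"),
]

if __name__ == "__main__":
    for product, version, banner in SAMPLE_RECORDS:
        print(assess(product, version, banner))
    print(summarize(SAMPLE_RECORDS))
```

The low-confidence result for the Debian-flavoured ProFTPD record is the point of the exercise: a banner version below the fix threshold is a lead for the vulnerability management process, not proof, exactly as the report cautions.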

7 References
Internet Census 2012 project: http://internetcensus2012.bitbucket.org/
Downloadable data: http://internetcensus2012.bitbucket.org/download.html
Wikipedia article on Carna botnet: http://en.wikipedia.org/wiki/Carna_Botnet
CVE information: http://cve.mitre.org/about/index.html
Nixu Watson: http://www.nixu.com/en/solution/nixu-watson


Nixu Ltd is the largest consulting company for information security in the Nordic countries. Our corporate clients trust Nixu for developing, implementing and assessing their information security related processes and systems as an independent advisor. We ensure our clients information responsibility by taking care of business continuity, ease-of-access to digital services and customer data protection. www.nixu.fi Twitter: @nixutigerteam

Nixu Ltd
P.O. Box 39 (Keilaranta 15), FI-02151 Espoo, Finland
Telephone: +358 9 478 1011
Fax: +358 9 478 1030
VAT number: 0721811-7
Internet: www.nixu.fi

Copyright 2013 Nixu Oy/Ltd. All Rights Reserved.
