Saturday, August 18, 2007

Even port scanners are boring...

After setting up a virtual private server with the people at rimuhosting.com, I was curious to see what a box like that has to deal with as far as port scanners go.

To find out, I ran tcpdump for 24 hours, without any filtering:

sudo tcpdump -nUi eth0 -w tcpdump.log 


24 hours later, I terminated the tcpdump process and filtered out some of the known traffic, such as my machine at home and a few others, keeping only SYN packets without ACK, i.e. the first packet of an incoming connection attempt.

/usr/sbin/tcpdump -nr tcpdump.log -l '(not host xx.xx.210.33) and \
(not host xx.xs4all.nl) and (tcp[tcpflags] & tcp-syn != 0) and \
(tcp[tcpflags] & tcp-ack = 0)' |egrep -o '([0-9.]+ > [0-9.]+)' > tcpdump.tmp


That resulted in a file of only 2159 lines. Those lines were formatted like this:

xx.yy.196.35065 > aa.bb.224.141.80


This gave me the originating IP, with its TCP port number, as well as the destination IP and port number.

First step: extract all the destination ports:

awk '{print $3}' tcpdump.tmp |cut -d. -f5 |sort -n |uniq > ports.txt


With all destination ports safely in a file, I can now summarize:

for i in $(cat ports.txt); \
do \
n=$(egrep "\.$i\$" tcpdump.tmp |wc -l); \
echo "$i=$n" ; \
done |sort -t = -k 2 -rn


Which leads to

80=1731
25=64
2967=62
5900=51
1433=50
22=36
135=29
139=24
1080=22
445=19
443=13
8080=7
3306=4
21=4
10000=4
8395=3
4899=3
6900=2
6348=1
43=1
2968=1
2222=1
113=1


Nothing surprising here; port 80 is where my web server lives and port 25 is my (outgoing!) mail. Port 5900 is VNC, which is known for its many issues. 1433 is an old friend (SQL Server) and is still scanned a lot. From this point on, it quickly becomes less interesting: 135 and 139 are Microsoft Windows ports, 1080 is SOCKS (looking for an open proxy?), 445 is more Microsoft, 443 is HTTP over SSL (looking for proxies?), 8080 is more proxy searches, 3306 is MySQL, 21 is FTP (as if :). The rest of the ports don't really count.

Let's zoom in on 2967 and on 22. Starting with the latter, it is well known that SSH brute-force scanning is very popular at the moment. My 36 scans originated from 9 hosts:

awk '/\.22$/{print $1}' tcpdump.tmp |sed -r 's/\.[0-9]+$//g' |sort |uniq
x.214.29.173 (Japan)
x.215.190.134 (Taiwan)
x.50.197.234 (USA)
x.108.231.56 (China)
x.130.189.223 (China)
x.143.10.5 (China)
x.78.145.92 (USA)
x.149.219.232 (UK)
x.42.7.23 (Romania)


I have set up IP port filtering to only allow incoming SSH connections from a few trusted IP addresses, so these attempts all died before they even began.

The second batch is for port 2967, which is the only one that I did not know.

awk '/\.2967$/{print $1}' tcpdump.tmp |sed -r 's/\.[0-9]+$//g' |sort |uniq
x.22.79.222 (China)
x.139.58.112 (China)
x.241.178.220 (China)
x.142.132.9 (USA)
x.19.186.202 (USA)
x.19.188.118 (USA)
x.231.2.33 (USA)
x.233.213.29 (USA)
x.243.227.28 (USA)
x.30.98.53 (USA)
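The port summary loop and the two per-port source listings above can be done in a single awk pass over the `src.port > dst.port` lines instead of one grep per port. This is an added example, not code from the original post; the input lines are constructed here (RFC 5737 documentation addresses) so the script runs offline.

```shell
#!/bin/sh
# Constructed sample in the same "src.port > dst.port" format that the
# tcpdump|egrep pipeline produces. Not real traffic.
SAMPLE='10.0.0.5.35065 > 192.0.2.10.80
10.0.0.5.35066 > 192.0.2.10.80
198.51.100.7.4401 > 192.0.2.10.22
198.51.100.7.4402 > 192.0.2.10.22
203.0.113.9.51000 > 192.0.2.10.22
203.0.113.9.51001 > 192.0.2.10.2967
192.0.2.10.41000 > 203.0.113.9.2222'

# count_ports: read SYN lines on stdin, print "port=count" for every
# destination port, busiest first (ties broken by port number).
# The destination port is the last dot-separated field of column 3,
# which also works when the IP has been partially masked.
count_ports() {
    awk '{ n = split($3, f, "."); c[f[n]]++ }
         END { for (p in c) print p "=" c[p] }' |
        sort -t = -k 2,2rn -k 1,1n
}

# sources_for_port PORT: distinct source hosts (source port stripped)
# that sent a SYN to PORT. Rebuilding the host from all fields but the
# last avoids the regex escaping needed for the sed one-liner.
sources_for_port() {
    awk -v want="$1" '
        { n = split($3, f, "."); if (f[n] != want) next
          m = split($1, s, "."); host = s[1]
          for (i = 2; i < m; i++) host = host "." s[i]
          print host }' | sort | uniq
}

printf '%s\n' "$SAMPLE" | count_ports          # 22=3 first, then 80=2, ...
printf '%s\n' "$SAMPLE" | sources_for_port 22   # two distinct hosts
```

Feed the real file with `count_ports < tcpdump.tmp`; the per-port lookup scales to thousands of ports where the original loop re-reads the file once per port.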


This one is more interesting; while only two of the SSH scans originated from the USA, 7 out of 10 scans for port 2967 came from the USA. Port 2967 is used by Symantec System Center, and DShield has an interesting graph about it too. The remark that especially colleges are targeted is not something that I see from my brief analysis; not one of the originating IP addresses belonged to a school.

All in all, it seems like there isn't really all that much going on in portscanning-land.

Maybe I'll try this again some day on my home box.
