AT Usenix 2014, Alex Halderman, Zakir Durumeric and Michael Bailey, from the University of Michigan, presented an interesting study of the new landscape of wide scale Internet scanning. Scanning the Internet for finding vulnerable targets is an old practice that is used by both academics, security research companies and black hats. Nevertheless, the practice has changed during this last decade.
First of all, new tools have appeared: ZMap and masscan. Provided they have access to a huge bandwidth, they can explore the full IPv4 address space in a few minutes from one point. There is no more the need to use a botnet with tools such as nmap. This team knows well ZMap as it is an open source project developed by the University of Michigan and at least two authors of this paper.
The type of ports that are scanned has also evolved during the past decade. The big winner is port 445 for SMB-IP. Interestingly, HTTP, HTTPS and SSH are mainly scanned by academic driven studies.
2004 2010 2014 HTTP (80) SMB-IP (445) SMB-IP (445) NetBIOS (135) NetBIOS (139) ICMP Ping NetBIOS (139) eMule (4662) SSH (20) DameWare (6129) HTTP (80) HTTP (80) MyDoom (3127) NetBIOS (135) RDP (3389)
Table describing Temporal differences in targeted protocols
They studied also three use cases. I had a lot of interest in the use case related to Linksys router backdoor. After the public disclosure, 22 hosts completed 43 scans targeting port 32764 (the backdoor) of the IPv4 address space. The first one was Shodan in less than 48 hours. Within one week, other ones tarted with two academic, 3 security firms but the reminder were unidentified hosts!
For the HeartBleed, same story
In the week following the disclosure, we detected 53 scans from 27 hosts targeting HTTPS. In comparison,
in the week prior to the disclosure, there were 29 scans from 16 hosts.
The lessons is that this environment is extremely dynamic. New point of interests appear regularly and shift with time. New tools appear. Thus, be proactive to stay secure.