Friday, September 13, 2013

We scanned the Internet for port 22

Yesterday (Sept. 12) we scanned the entire Internet for port 22 -- the port reserved for "SSH", the protocol used by sysadmins to remotely log into machines.  Unlike our normal scans of port 80 or 443, this generated a lot more "abuse" complaints, so I thought I'd explain the scan.

Firstly, we'll happily add you to our "blacklist", so that we won't scan you ever again (barring accidents on our part). Our current blacklist is hundreds of entries long. However, please consider adding our scanner (71.6.151.167) to your "whitelist". We are well-known cyber-sec researchers, we aren't trying anything nefarious or evil, and we are being as transparent as possible about our scans.

Our scanner was just checking banners. It didn't complete the connection, nor did it try any passwords. Several abuse complaints assumed that we were trying to "login", but we weren't. Yes, hackers are constantly trying to login into SSH servers, so it's a good assumption to make, it's just that in this case, it doesn't apply to us.


Here are the top 20 "unique" banners that we got back:

 1730887 SSH-2.0-OpenSSH_4.3
 1562709 SSH-2.0-OpenSSH_5.3
 1067097 SSH-2.0-dropbear_0.46
  824377 SSH-2.0-dropbear_0.51
  483318 SSH-2.0-dropbear_0.52
  348878 SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
  327841 SSH-1.99-Cisco-1.25
  320539 SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
  318279 SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
  307028 SSH-2.0-ROSSSH
  271614 SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
  233842 SSH-2.0-OpenSSH_5.1p1 Debian-5
  225095 SSH-2.0-OpenSSH_5.1
  224991 SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
  213201 SSH-2.0-OpenSSH_4.7
  209023 SSH-2.0-OpenSSH_6.0p1 Debian-4
  195977 SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
  140809 SSH-2.0-dropbear_0.50
  135821 SSH-2.0-OpenSSH
  132351 SSH-2.0-Cisco-1.25

In other words, the top result of 1,730,887 systems on the Internet show an SSH banner of "SSH-2.0-OpenSSH_4.3". (Note: this is actually only 60% of the Internet, I've got corruption in the files for 40% of the results that I need to fix).

Note that these counts are a bit off. Some networks have a router that forwards all connections of a certain port to a single machine. Maybe "OpenSSH_4.3" is most popular banner, or maybe the national ISP of Elbonia just reroutes all port 22 requests. It takes a lot of manual investigation of the results to figure stuff out. I'm just showing raw results above so that people get a sense of why we are scanning.

We'll be scanning SSH again in October. This time, we'll complete more of the SSH connection in order to grab the public keys, in an effort to see how many people use "weak" keys or "duplicate" keys. Again, this isn't an attempt to hack the systems, but to do research and produce results like those above. We won't be trying to log in.

The source code we used for the scan is at https://github.com/robertdavidgraham/masscan/releases/tag/v1. As you can see from the source code, there's no ability to complete the SSH connection and login. It compiles and runs on Mac/Win/Linux, so it'd be a useful tool to run within your own private network.

A common question in the abuse complaints was of the form "Why did you target my network?". The answer is that we targeted everyone, the range 0.0.0.0/0. We throttle the scanner to only about 100,000 packets/second, and it takes about 10 hours to complete. We actually only hit 3.5 billion addresses, the remaining 800,000,000 addresses in the 32-bit address space are blacklisted.

Right now, we regularly scan port 80 and 443. Curiously, we don't get abuse complaints for those ports like we do for port 22. Even automated systems don't bother generating complaints for those ports.

We are going to be extending this to more ports, such as FTP and SMTP. Soon, we should have weekly scans going for about 10 ports. I'm moving slowly forward to resolve abuse complaints, like this one generated for port 22. We plan on publishing the results, such as the anonymous counts above, in a nice weekly report for the public.

Finally, the scanner will actually do 10-million packets/second. We are currently running only at 1% maximum capacity. If you've got a fast network, and can deal with the fact you'll get about 20 abuse complaints, we'd love to try a scan from your network at that speed :). Remember, it randomizes the targets, so it never hits any destination network very hard.

If you have more questions, leave a comment below, or contact me via my twitter handle @ErrataRob.



Update: by the way, we got 58 abuse complaints, mostly automated. We replied to each one. We got 4 replies to our replies asking us exclude their ranges from future scans (which we'll do), and a few replies from universities that they'll add us to their "whitelist", which I presume means that they won't allow us through their firewall, but that'll stop triggers from the drops.

32 comments:

Anonymous said...

Hello, Just a suggestion can you try and do the same for the several existing VPN protocols?
Just curious on the result...

Robert Graham said...

Do you have a list of protocols that you'd be interested in?

Matt said...

Actually you only scanned the IPv4 Internet. You skipped the IPv6. Of course you did not miss much. I am not sure it is feasible to scan the IPv6 Internet, so I read blog hoping to learn how. Oh well.

What specifically are you are trying to learn?

Anonymous said...

I would recommend
Pptp: tcp 1723
L2tp /IKE : UDP port 500

On top of that Kerberos TCP port 88 looks interesting too

Anonymous said...

I don't run my sshd on the default port of 22. My server has been running 24/7 since 2005. Number of login attempts not initiated by me: 0.

It's just "camoflage", not really protection, but at least one doesn't get their authlog filled up with junk all the time.

breck said...

I'm surprise that the top result only has 1.7M.

In fact, these numbers are only a few million out of billions of IPs scanned. Why such a low # of hits?

Do the vast majority of addresses not respond to anything on port 22?

randall said...

> This time, we'll complete more of the SSH connection in order to grab the public keys, in an effort to see how many people use "weak" keys or "duplicate" keys.

I find the latter question (duplicate pubkeys) really interesting. Can imagine uncovering a previously hidden RNG bug by finding just a few dupes in many millions of pubkey hashes, for example.

Anonymous said...

I have 5 servers with port 22 open. I leave them open and routinely report password crackers.

Of the 5 servers, I only got your connection from 1. You may have had your threading turned up a bit too high.

Unknown said...

I'm interested in LDAP/LDAPS on standard (389/635) as well as nonstandard ports. I suppose LDAPS on 635/UDP would be out there as well.

Anonymous said...

So little OpenSSH_6.2 it isn't even in the top 20? I wonder how many update systems there are.

Robert Graham said...

Breck: Correct, the vast majority of systems do not respond to port 22. The most common port open on the Internet is port 80 (HTTP), and everything else is far lower than that.

Robert Graham said...

To the anonymous person who got only 1 in 5 of our probes, I'd like to know more about it. Could you post more details are send me email at robert_david_graham@yahoo.com?

Anonymous said...

how do i run the scan grabbing the banner :

Anonymous said...

how do i run the scan grabbing the banner?

Anonymous said...

https://factorable.net/paper.html

Anonymous said...

What ISP isn't booting you for doing this? I'd really like to know!

Anonymous said...

Curious how this compares to running zmap.

I have been working on a distributed scanner and am using nmap across 100 or so systems and was looking into porting zmap. I was wondering what you used for infrastructure for the scans, system, bandwidth etc. Was it a single machine or distributed?

Robert Graham said...

To the anonymous comment of above this one: I don't know how my scanner compares to running ZMap, except that my scanner is 10x faster (13 million packets per second from a single machine).

I'm using a single machine at 1% of capacity, because I have 100-mbps link, not a 10-gbps.

Distributing my scanner works really well. It supports a "--shard" option so that you can split a single scan across 100 servers -- for your array of Raspberry Pis for example. Just supply each one a different shard index.

Anonymous said...

As he gave a source IP you should be able to figure that out.

675935 said...

Scan noted in logs at 20130913T002109Z. A single connect seen on edge router, sshd reports "Did not receive identification string…", this then triggers 10-minute fail2ban ssh-ddos filter. I'm not reporting to it or using, but www.blocklist.de reflects activity (very low count).

My target system is Ubuntu 13.04 with "DebianBanner no" in sshd_config, so «SSH-2.0-OpenSSH_6.1p1» appears to be less popular than those you note.

675935 said...

Forgot to add…

Might be best to call this the "SSH identification string" rather than "banner", as the banner is separately conveyed.

indrora said...

Ping back from tumblog.

It'd be interesting, when looking at the keys, to see which ones change. Cisco IOS has a hard time handling some of its key security, and it would be interesting to see who doesn't have certain things set in their cisco configuration to save it

Anonymous said...

For anyone running a Linux server, here's how you opt-out:

sudo iptables -A INPUT -s 71.6.151.167 -j DROP

OR

sudo ip route add blackhole 71.6.151.167

Sagar Khattak said...
This comment has been removed by a blog administrator.
Juan José Pavliksa said...

hi Robert! Really interesting project, i'll definitly follow your next posts.
We logged about 25 connections from the IP you mentioned, we shouldn't have logged that much, now i see we have many exposed servers out there.

Great article!

Hiawatha said...

We are well-known cyber-sec researchers, we aren't trying anything nefarious or evil, and we are being as transparent as possible about our scans.

Sure, and I'm Santa Claus. Thanks for the IP address. I'll add it to our 'whitelist'...

planetmike said...

Please change your user-agent to something useful. Your scan of my apache server reported a user-agent of "test". It's lot less cracker-y looking if you put in a useful user-agent, maybe something like "Errata Security Scan http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html"

Q said...

Hello Robert,

I'm interested in the number and distribution of database services connected to the internet.

Rule 1 is never to directly expose your database interface to the internet.

I tried to scan for this, but my ISP almost cut me off. So MSSQL, MySQL, PostgreSQL, Oracle. Including their banner/version

Open Memcached connections are interesting as well. LDAP is already mentioned.

Chris said...

To all idiotic comments, about opting-out, blocking the IP. The real questions are:

Why on Earth do you have an SSH service open to the internet?

Why don't you implement a two-factor authentication scheme on it if you really need it open, or ssh keys as an alternative?

How many people are actually scanning your port without you knowing it and are actually trying to brute-force the access? (care to read the aforementioned point if you are concern about this)

Mikkel Kroman said...

Hi,

would it be possible to obtain a copy of your updated blacklist? This would help me greatly in reducing the amount of abuse letters I get when doing some scanning of my own.

Thanks.

claudijd said...

Robert,

Any chance this dataset could be made available?

I'm specifically interested in OpenSSH banners for some research that I'm doing.

Thanks,

-Jonathan

Iphobos2013 said...

its just scan for open ports ?
or it bruteforce also and give you success user and pass?
thank you