One of the many sets of data I collect with mcflow on my gateway is traffic counters for TCP SYN packets I receive but do not SYN ACK. I keep the source IP address, the destination port, and of course timestamps and counters. This type of data generally represents one of three things: probing for vulnerable services which I don’t run, probing for services I do run but block from offenders, or probing for botnet-controlled devices.
The table below shows the top 10 ports for the current week. In the case of ssh and http, I do run those services but mcblockd automatically blocks those who violate my configured policies. I do not run a telnet server anywhere (my IoT devices are of my own design and use ECDH, 2048-bit RSA keys and AES128). I also do not run MS SQL Server or rdp (Remote Desktop). I have no Windows hosts, and if I did, I certainly wouldn’t expose MS SQL Server or Remote Desktop.
Ports 7547 and 5358 are known to be used by Mirai and its descendants. Port 7547 is also a common port used by broadband ISPs for TR-064 services (specifically, TR-069) to manage home routers.
| Port | Packets | Bytes |
|---|---|---|
| 22 (ssh) | 22116 | 1168688 |
| 23 (telnet) | 3740 | 152784 |
| 80 (http) | 1601 | 99216 |
| 1433 (ms-sql-s) | 1279 | 52288 |
| 81 | 917 | 38016 |
| 7547 | 515 | 20620 |
| 3389 (rdp) | 199 | 8792 |
| 5358 | 195 | 8148 |
| 2323 | 181 | 7384 |
| 8080 | 154 | 6700 |
Below is a table showing the SYNs I didn’t SYN ACK by country. This is just the top 10. Note that the top two have large swaths of their IP address space automatically blocked by mcblockd for violating my configured policies. They’re also known state sponsors of cyberattacks, and the evidence is pretty clear here. Much (but not all) of the US stuff is research scanning.
| Country | Packets | Bytes |
|---|---|---|
| RU (Russian Federation) | 17394 | 864024 |
| CN (China) | 6038 | 319116 |
| US (United States) | 3077 | 169932 |
| NL (Netherlands) | 1160 | 47580 |
| TH (Thailand) | 603 | 33480 |
| UA (Ukraine) | 467 | 20612 |
| KR (Korea) | 462 | 19380 |
| BR (Brazil) | 426 | 18708 |
| FR (France) | 341 | 17828 |
| TR (Turkey) | 281 | 11756 |
What is perhaps interesting about this data: the lines drawn during WWII and the Cold War don’t appear to have changed. I find this very sad. I’m just a tiny single user running a very modest home network, yet I’m a target of Russia and China. And my network is likely much more secure than the average home network. I assume this means that all of us are being probed all of the time, and some of us are probably regularly compromised. I think we (meaning the entire industry) need to consider completely banning telnet and doing something real about securing IoT devices.