‘The Low Hanging Fruit’
“What ports are trying to contact me from the outside world, where I didn't instigate contact?”
For the uninitiated, ports are synonymous with letterboxes. Your computer has precisely 65,536 letterboxes, so it operates something like Australia Post – only it doesn’t require you to be home to sign, and it doesn't, when you're inevitably not home, send you to some obscure store to collect your package, only between 9-5, and only on weekdays #NotBitter
Your ‘home' address is similar to your IP Address – you only live in 1 at any given point in time, and it is unique. Fortunately, privacy laws dictate you cannot translate a person's IP address to their home address, without a court order.
People put things in your letterbox you don't necessarily want, and do not care whether you read it. The main difference between a port and a letterbox, is if you (your computer) do not ‘respond’ to the package, it disappears.
Now consider: You have 3 letterboxes at your house – 1 for work, 1 for family, and 1 for advertisements.
A parcel arrives in each letterbox and you collect them all. Thing is, you just moved overseas, your family doesn't know where you live and you don't have a job :(
So, who sent packages to the work and family mailbox? And why? And how did they get your address? Were they targeting you? Or is this random, spam, which should have all gone in the junk mail? Maybe you'll just throw it away and consider it a one-off… But what if it happens again? What if all 3 of your mailboxes were constantly busy with arriving mail? At some point, you'd want to know who was sending it, if for no other reason than to put a stop to it.
There are other scenarios too – and I’m leaving out some of the technicalities around how ports are chosen – but I think you’re starting to get the idea. Below, is a chart of ports which received messages, where I did not ask for a message to be sent, in the space of 1 hour.
TL;DR – You have 1 IP address, you have 65,536 ports per computer; you send messages via your IP address + a particular port; you’re about to look at a chart showing incoming messages to my ports, where I did not ask for the message.
Dropped external connections by port (over 1 hour)
This chart raises some questions – which will form the basis of the next few chapters of posts for discussion, but before we delve deeper, it’s worth pointing out how I put this chart together. The key is to think ‘what should not happen?’ In this case, someone sending mail I didn't ask for. The principle behind the search is ‘low hanging fruit’ – easily obtained access to ‘common’ ports.
You can read about some of the ‘riskier’ ports here:
http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html#1.1
Or about all ports with ‘well-known’ mappings here:
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
I did not ‘know’ what kind of results I’d see in the above chart (which is a large part of the reason I'm publishing in instalments):
1. Port 23 is Telnet… Why am I seeing anything here?
2. Ports 1083 – 1090 are receiving a significant amount of traffic – could the traffic be legitimate? Is some form of malware attempting to retrieve data from one of my machines?
3. Why is this happening?
Answer 1
For the uninitiated, Telnet is one of the oldest tools for communicating over the internet (developed in the late 1960’s). Telnet traffic represents a threat because modems and routers (read: older ones) used to ship running Telnet servers, and a Telnet server that was never configured still accepts its default credentials.
TL;DR – Telnet represents a similar issue to modems with default passwords.
Therefore, seeing people attempt to connect to me on this port is a good indication that something bad is happening.
Luckily, as we’re looking at a chart of blocked traffic, rest assured no one has ‘hacked’ my house using what is possibly the oldest trick in the book. Expanding on the original chart and focusing on just port 23, I considered the ‘who’.
1 Month – Port 23 attempts
That traffic equates to around 2 hits per hour. Every. Single. Day. This chart shows many of the same threat actors as Akamai’s March 2015 ‘State of the Internet’ report.
So the question of ‘who’ becomes evident at a country-level at least. Unfortunately, I have no sure-fire, guaranteed way of translating the original sender of the request back to a particular home address (which, as mentioned earlier, is due to privacy laws).
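To make the ‘what should not happen?’ search concrete, here is an added example (my own illustration, not the tooling behind the charts above) that builds both views from a firewall drop log: dropped inbound connection attempts counted by destination port over a one-hour window, and, for a single port such as 23, the breakdown by source address and the hits-per-hour figure. The log lines are constructed, in the shape an iptables LOG rule produces when rsyslog writes ISO-8601 timestamps; the "DROP-IN:" prefix, the interface names and all addresses (RFC 5737 documentation ranges) are assumptions. Only TCP packets with SYN set and ACK clear count as unsolicited, so stray replies to connections I did open are left out, as is anything arriving on the LAN interface.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed layout: rsyslog ISO timestamp,
# an iptables LOG rule with --log-prefix "DROP-IN: ", eth0 as the WAN interface.
# Real lines carry more fields (MAC=, LEN=, TOS=, ...); the lazy regex below skips them.
SAMPLE_LOG = """\
2015-03-12T10:03:11+00:00 gw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=54321 DPT=23 SYN URGP=0
2015-03-12T10:17:40+00:00 gw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=1085 SYN URGP=0
2015-03-12T10:18:02+00:00 gw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=1086 SYN URGP=0
2015-03-12T10:31:59+00:00 gw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=23 SYN URGP=0
2015-03-12T10:45:13+00:00 gw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=54322 DPT=23 SYN URGP=0
2015-03-12T10:52:00+00:00 gw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51234 ACK URGP=0
2015-03-12T11:20:45+00:00 gw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=3333 DPT=23 SYN URGP=0
2015-03-12T10:40:00+00:00 gw kernel: DROP-IN: IN=eth1 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=22 SYN URGP=0
"""

# Start of the one-hour window used by the demo below (constructed).
WINDOW_START = datetime.fromisoformat("2015-03-12T10:00:00+00:00")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: DROP-IN: IN=(?P<iface>\S*) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)(?P<flags>.*)$"
)


def parse_drop(line):
    """Turn one dropped-packet log line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = m.group("flags")
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "iface": m.group("iface"),
        "src": m.group("src"),
        "proto": m.group("proto"),
        "dport": int(m.group("dport")),
        "syn": re.search(r"\bSYN\b", flags) is not None,
        "ack": re.search(r"\bACK\b", flags) is not None,
    }


def unsolicited(records, wan_iface="eth0"):
    """Keep only brand-new inbound attempts from the outside world."""
    for r in records:
        if r["iface"] != wan_iface:
            continue  # LAN-side noise is not "from the outside world"
        if r["proto"] == "TCP" and not (r["syn"] and not r["ack"]):
            continue  # a packet with ACK set belongs to something already in flight
        yield r


def _records(log_text):
    return (r for r in (parse_drop(l) for l in log_text.splitlines()) if r)


def drops_by_port(log_text, start, hours=1, wan_iface="eth0"):
    """Dropped unsolicited attempts per destination port within [start, start+hours)."""
    end = start + timedelta(hours=hours)
    in_window = (r for r in _records(log_text) if start <= r["ts"] < end)
    return Counter(r["dport"] for r in unsolicited(in_window, wan_iface))


def sources_for_port(log_text, port, wan_iface="eth0"):
    """The 'who': attempts against one port, counted per source address."""
    return Counter(
        r["src"] for r in unsolicited(_records(log_text), wan_iface) if r["dport"] == port
    )


def hits_per_hour(log_text, port, span_hours, wan_iface="eth0"):
    """Average rate of attempts against one port over the span the log covers."""
    return sum(sources_for_port(log_text, port, wan_iface).values()) / span_hours


if __name__ == "__main__":
    for port, n in drops_by_port(SAMPLE_LOG, WINDOW_START).most_common():
        print(f"port {port:5d}: {n} dropped attempt(s)")
    print("port 23 by source:", dict(sources_for_port(SAMPLE_LOG, 23)))
    print("port 23 hits/hour over 2h:", hits_per_hour(SAMPLE_LOG, 23, 2))
```

Lines of this shape come from a LOG rule placed just before the final DROP on the INPUT chain (for example `-j LOG --log-prefix "DROP-IN: "`); without that rule the firewall drops silently and, as the summary below notes, nothing about this traffic is ever seen. Adding a per-country column is a matter of looking each source address up in a GeoIP database, which is as far as the ‘who’ goes without a court order.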
SUMMARY
We looked through a log of all traffic coming into my network from the internet where I did not initiate the request. I showed there was a correlation between this traffic and malicious attacks. These (potentially malicious) requests were originating from hundreds of different IP addresses.
The key takeaways:
· Whilst I am not Akamai, the self-proclaimed “leading cloud computing services and content delivery network (CDN)”, I am seeing one attack strategy from many of the same geographic regions.
· Without understanding how your firewall operates, this traffic (blocked or not) goes undetected.
· Using old hardware and software, with known vulnerabilities places you in the ‘low hanging fruit’ basket.
In the next chapter, we'll look at question 2 - What runs on ports 1083 – 1090? Should I be concerned about this traffic?
I'll update this page and the homepage with a link to the new chapter once it is complete - Until then, feel free to discuss this chapter, and your thoughts on question 2 in the comments section below (sign-in not required - just tick the 'I'd rather post as guest').