The Value of Near-Real-Time Visibility into Scanner Activity

A Look at Scanners by Country and Duration

Most people who have ever looked at a firewall log will have noticed scanning activity. Any system connected with an external facing IP address will at some stage receive probes for open ports. Depending on the port type, a bruteforce attempt might happen to get system access, or a vulnerability in the associated service exploited. Knowing if an IP address is involved in scanning can help with blocking said traffic and aid in investigations by filtering out or highlighting IPs involved in scanning. This will ultimately help with prioritizing security events.

 

Team Cymru identifies scanning IPs by monitoring darknet IP space that receive scanning traffic and by analyzing network traffic patterns. From operating years of darknet IP address space, we know that certain ports are very popular like Telnet (port 23), SSH (port 22), RDP (port 3389) and SMB (port 445).  Besides these well known typical service ports, we also see scans for more obscure ports associated with Web cameras and router vulnerabilities.

 

Recent analysis of scanning patterns showed that countries can display different flavours of scanning traffic. On the 27 April 2021 we analyzed 24 hours of IP addresses scanning on Samba/Netbios associated ports (137, 138, 139, 445), Telnet (23) and SSH (22). We observed that India, Vietnam, Indonesia, Thailand and Russia had the most activity on Samba/Netbios file sharing associated ports. The first three countries in that list, were also very active on SSH.

 

What stood out in the top 25 countries, were China, Iran and Mexico, who were most active on Telnet ports. Telnet is often associated with IoT devices and the last couple of years several worms were observed scanning and propagating by exploiting services running on port 23. Figure 1 shows the distribution of categories by country.

 

 

scanners by country
FIGURE 1: Scanners by Country

 

Analysis of the longevity of scanning IPs showed that the majority of IPs were observed for only a couple of hours in a 4-day period before disappearing (Figure 2). A select group of IPs were observed continuously over a 4-day period. On average, we saw the same amount of IPs per hour disappear and new scanning IP addresses emerge. Dynamic assigned IP addresses is likely part of this pattern.

 

Scanners by Duration
FIGURE 2: Scanners by Duration

 

 

The relative short life span of scanning IP addresses shows that a frequently updated list of active scanning IPs is very useful when applied to analysis.  It will empower security analysts by prioritizing on traffic observed, removing those IPs known to be opportunistic scanners and focussing on the traffic that really matters. Team Cymru’s insight on scanning IP addresses is near real-time, only delayed to allow for temporal analysis to recognize scanning patterns.