Showing results for 
Search instead for 
Did you mean: 
Create Post

What Port Is the Most Targeted in Your Network?

Level 12

Security is an aspect that every organization should give the utmost priority. Ideally, every employee, from the end-user to top-level management are educated when it comes to the impact of network security failure. That said, organizations spend significant capex on securing the network. Despite all the investment on intrusion detection devices, firewalls and access control rules, hackers and their threats continue to succeed—data is stolen, critical services are brought down, and malware manages to sneak into secured networks.

Akamai released their fourth quarter “State of the Internet” report last month which provides valuable insights into, well…obviously, the state of Internet! The security section of the report discusses the top originating country for attack traffic (no points for guessing), the most targeted port, and information about DDoS attacks.

As per the report, the most targeted port for attacks is the good old Telnet port. In fact, Port 23 remains the most targeted port for the 3rd consecutive quarter and attacks against port 23 have increased to 32% from 12% in Q3 2014! This despite the fact that most enterprises I know have shifted to SSH from Telnet to enhance security. The cause of attacks can mostly be attributed to bots trying their luck on finding devices with port 23 open and then using the default username and password. That or a brute-force attack to gain access into the target network.

most attacks.png

Source: Akamai State of the Internet report

While the data in the report reminds the network admin not to leave unused ports open, it also shows that HTTP and HTTPS, both of which are open in most enterprise networks, too are targeted for attack. And then, port 23 or none of the top 10 ports listed might be the ones used to target your network. It can be a different random port which you might have left open inadvertently or had to leave open to facilitate a business service. Of course, it is not possible to block all ingress traffic originating from the WAN to your network.

Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) enhance your network’s security and are a necessity. But they may not successfully protect your network every timeto name a few, everyone remembers what happened to Sony, Home Depot, and Target! These organizations definitely had security measures in place to protect against malware and other threatsbut despite their efforts, the breaches still occurred. This shows that malware and other network threats are getting smarter every day and the traditional methods of security using firewalls and IDS/IPS alone are not sufficient. The work around?

A New Security Layer:

In addition to firewalls and intrusion detection systems, add a 3rd layer of security that can detect threats and attacks that have breached your defense. A layer that looks at the behavior of network traffic to detect anomalies, such as malware, hacking, data theft, and DDoS attacks.

With Network Behavior Anomaly Detection or NBAD, it is possible to detect anomalies that get past the firewall and IDS/IPS systems. NBAD tracks traffic behavior and alerts you if there is unusual or out of the ordinary activity. For example, traffic originating from invalid IP addresses, traffic on one port from one system to many, TCP or UDP packets whose size is less than the least expected value, etc., are all network behavior anomalies. NBAD is further enhanced, when individual systems in the network are monitored for behavior anomalies.

Enterprises can get started with NBAD on their own using traffic flow data, network performance data, and log analysis.

Flow technologies, such as NetFlow, sFlow, J-Flow, or IPFIX carries information about the IP conversations with details like source and destination IP addresses, ports, protocol, volume, number of packets, etc. The data can then be used to track behavior anomalies, such as burst of packets, traffic from invalid IP addresses, malformed packets, etc.

Network performance data can also help discover network anomalies. If there were sudden voice call drops, it could be due to fully utilized links which in turn could possibly be a DDoS attack.

While flow based analysis of traffic is the most widely used method for NBAD, log analysis from various elements in the network including user systems can add value to network behavior analysis. With a log analysis tool that analyzes logs and extrapolates information based on correlation, the admin can pin-point the source of threats within the network and take preventive measures before major damage occurs.

While you are still waiting to find a dedicated NBAD tool that really does what you need, leverage existing technologies and tools for your own network behavior analysis engine. So, what are you starting with? NetFlow or log analysis?

Level 13

Some interesting food for thought. I've typically focused on log analysis in the past. I wouldn't be sure where to start in using NetFlow for threat detection. It seems to me that picking out the valuable part from the sea of information would be the biggest challenge.

Level 15

We experience the highest hits against port 22 and 3389, followed by 80.  The data suggests the country of origin and I would say that those pretty well match what we have.  We implemented a SIEM solution that is fed syslog, event logs, and net flow data.  It provides some real-time analysis of the items mentioned in the article.  We have been successful at using it to trace down bots and malware.  Also, we have implemented IP reputation scanning on the firewall as an extra measure.  We have seen a dramatic drop in return bot traffic due to it blocking both inbound and outbound based upon blacklists.

As OHSA tells us, you can never have enough safety equipment or in our case layers of protection.


Nice topic.  The charts provided some interesting data and a "NBAD" tool was something new although I know of some tools that  take that a bit further with regards to general traffic and event log monitoring looking for anomolies as it determines cause and effect type of relationships.  But to have that at just the network level makes sense..

I am not sure what we have for that sort of analysis here as that falls under a different department.

Level 12

Yes, the information contained in NetFlow data is enormous - a tool would be the best way to go about it. But even then, whatever is reported by default and a good usage of custom report creators should be able to aid with security analysis. Many of the current set of tools are still in its nascent stage or are quite expensive.

Level 12

Lucky you - You only have to fight the bots that reach your network through BYOD.

Level 12

The metamorphosis oif NetFlow has been interesting - started off as a packet switching technology, becomes a accounting technology, and is now transforming into a security technology. The last part can happen faster when good tools become available for NetFlow based NBA and enterprises begin to experiment and then adopt.

Maybe I should write a NetFlow adaptation of "The Metamorphosis".

Level 11

‌This data shows the obvious, there is a lot you can do to prevent attacks by shutting down unsecured and unused ports.

Level 14

Netflow is great and NTA is a good tool to get a quick look at what is going on.  And it does not surprise me that telnet is the most targeted port.  SSH should be used wherever possible in all environments today.  I don't know why anyone would be using telnet anymore and this report shows why.

Level 13

Agreed. I would suspect that scans for telnet occur not because telnet is common, but because scanning is inexpensive resource-wise. If an attacker does find an open, Internet-facing telnet port, it's likely that the owner of that port likely has other major security vulnerabilities as well, making them a very easy target. Modern hacking is a business, and like any business, the hackers want to maximize their return on investment. Easy targets are the best targets.

Level 17

Log Analysis is big, but just as important for me is the alerting process. Honing the syslog and trap alerts to trigger where i need for information purposes and issue remediation without overflowing the inbox is a big deal, alerts with meaning will eventually get a threshold - at the very least some of those are informational for learning and get adjusted or turned off once the pattern is recognized. I can't speak for the Border Edge so much, info Sec gets those logs.. we see some internal user malware usually starting from their personal device. Info sec catches that traffic going out to the Bad Lands and usually asks for help finding the user/device in house - or confirming the device to black hole.

I am looking to leverage a couple of tools to parse the traps a little easier.

Physical security is also always key, Even if your open ports aren't turned down - at least dead net them.

Level 12

I would say the interest in telnet is not because everyone uses it but because many admins just forget to disable it or change the default credentials associated with it.

Level 12

But we are still left with ports like 80 and 8080 that has to be open as a business requirement. That still leaves us vulnerable. In addition to closing unused ports, restricting access, DMZ zones, and all other traditional methods, adoption of traffic analysis to detect anomalies should increase.

Level 12

Ah yes - alerting and reporting should be the most analyzed feature when choosing a monitoring tool. Whatever be the size of one's NOC team, without proper alerting the information in the tool would be left useless.

Level 13

+1 for this.

Closing unused ports is essential basic security, and as I mentioned earlier, the reason I think we see so many Telnet scans is that the attackers are looking for potential victims who haven't even bothered with the essential basic security; they're easy targets.

Still, after that is done, there are still the ports that are open inbound for essential business needs. There are still the inside computers that could generate malicious traffic outbound either due to infection of a portable device or a rogue actor within the premise. There are still potential configuration errors that could be exploited.

Closing unused ports reduces the size of the target, but the remaining target still needs to be guarded and monitored.

Level 12

Network is where I guess the signs of a breach first appear. There is no perfect hack - there are always signs. We just need to find it.

Level 12

Ah yes - portable devices. When all the security at the front door are looking for intruders, the employee walks in with the malware. Hey BYOD, you left that backdoor open!

Level 13

I was thinking not only BYOD, but also corporate-owned laptops and such.

Level 12

Agreed. Users use those systems.

Level 17

Indeed - I also prefer the automation that the nms brings to the table.. we all eventually got tired of Jeff watching the screen and just yelling at the top of his lungs when something went red.

I'll never look at going back to that archaic way of alerting, it became a problem when everyone started wearing ear plugs and stopped getting Jeff's alerts.

Level 13

Yelling at the top of one's lungs doesn't work for technicians at remote sites either. You can call and then yell, but then they don't answer their phones... 😉

Level 12

Heads around me are alarmed because I am staring at me screen and laughing incessantly. How I wish I could give out additional points for humor. 

Level 12

Smoke could do the trick. Smoke signals not alarms.