In part one I analysed the data communication that takes place on a phone over a one-hour period. Read that post here for details and background info.
Here I go further and analyse what happens over a twelve-hour period of normal phone usage. I ran Bro on my phone from 6:40pm and ensured that mobile data was on and Wi-Fi off the whole time.
Let me start with some standout figures.
The phone communicated with 233 unique IPs from diverse parts of the globe over that period.
I broke this down further by specific ports of interest. Note that my IP was 188.8.131.52 during that period.
Port 21 : FTP
Why my phone wanted to connect to 184.108.40.206 over FTP raises some interesting questions.
Port 22 : SSH
Port 23 : Telnet
That translates to an average of two Telnet connection attempts per hour, each from a different IP!
Summary of some other ports of interest
These results immediately direct our attention to internet-wide scanning. It has grown steadily over the past two years, helped by the release of extremely fast scanning tools. ZMap, created and maintained by a team from the University of Michigan, can scan the entire IPv4 space in under 5 minutes over a ten gigabit Ethernet connection. Masscan, created by Robert Graham of Errata Security, is fast enough to do the same in under 3 minutes!

Internet-wide scanning is used a lot by researchers to investigate vulnerabilities and conduct various internet-wide studies. A case in point: several internet-wide scans targeting the Heartbleed vulnerability were done within 48 hours of disclosure. A more recent case is this week's SYNful attack scan done by the ZMap team on September 15, 2015. Shodan does regular internet-wide scans and hosts the data on its site, where it is made available to the public in an interactive way. The University of Michigan team (the same one that maintains ZMap) also does daily scans and hosts the raw data on the scans.io site. They also host scans done by other researchers, such as the Rapid7 team, which runs various scans regularly.

The flip side is that a lot more people run these scans with malicious intent. They are always on the lookout for vulnerable systems on the internet, and their activity spikes every time a major vulnerability is released. They mostly hide behind bulletproof hosting providers or run their scans from countries likely to be lenient, with China featuring prominently. Let me now relate the activity on my phone to internet-wide scanning.
Some known research scans I observed during that twelve-hour period:
And, of course, several scans from unknown actors:
It is evident that anything you put on the internet will be poked at every day unless you are behind a NAT and/or have some form of firewall filtering traffic. The takeaway is that you really should keep your internet-facing systems updated and with as good a security posture as possible. Watch out for newly released vulnerabilities and patch them as fast as possible; past cases indicate that 48 hours later may already be too late. Implement defences at the edge of your network and monitor your logs regularly and diligently. Try out the awesome Bro IDS (I am not being paid to promote it, in case you're wondering). Some of these scanners are extremely aggressive. To demonstrate just how aggressive, I leave you with this Netherlands IP that was scanning port numbers that contain the digits 443.