Internet-wide scanning is a commonly used research technique that has helped uncover real-world attacks, find cryptographic weaknesses, and understand both operator and miscreant behavior. Studies that employ scanning have largely assumed that services are hosted on their IANA-assigned ports, overlooking the study of services on unusual ports. In this work, we investigate where Internet services are deployed in practice and evaluate the security posture of services on unexpected ports. We show protocol deployment is more diffuse than previously believed and that protocols run on many additional ports beyond their primary IANA-assigned port. For example, only 3% of HTTP and 6% of TLS services run on ports 80 and 443, respectively. Services on non-standard ports are more likely to be insecure, which results in studies dramatically underestimating the security posture of Internet hosts. Building on our observations, we introduce LZR (Laser), a system that identifies 99% of identifiable unexpected services in five handshakes and dramatically reduces the time needed to perform application-layer scans on ports with few responsive expected services (e.g., 5500% speedup on 27017/MongoDB). We conclude with recommendations for future studies.
LZR: Identifying Unexpected Internet Services
USENIX Security Symposium 2021
- Liz Izhikevich, Renata Teixeria, Zakir Durumeric
- Liz Izhikevich
We provide the results of a single LZR scan across a random 0.1% sub-sample of IPv4 across all 65,535 ports in August 2020. The results are split across three files. To filter for real services, only include responses which send back data and do not RST (i.e., data is not null and RST = False). The exact scanning parameters used were: ./lzr -t 3 -handshakes tls,http.