A Look at the Most Attacked Ports
A recent report on cyber attacks against Australian targets, released by networking provider F5, contains an interesting ranking of the destination ports that attract the most attack traffic. Many of our readers will be familiar with the services in question and won't be surprised by the ranking; in this briefing we take a look at just why the most common of these ports are targeted.
Secure Shell - SSH (22)
SSH is targeted both because it is ubiquitous on Unix-like machines and because a successful break-in yields immediate command execution on the host. Despite best efforts, weak SSH passwords like "password123" are still disturbingly common, and such systems are usually compromised within hours of going online. There has also been a small but critical number of vulnerabilities in OpenSSH, the most widely deployed SSH server, alongside OS-specific ones. Tools for exploiting these vulnerabilities, and for brute-forcing SSH passwords, are readily available, which makes such attacks cheap and relatively effective against Unix servers and embedded systems.
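To make the brute-forcing point concrete, here is an added example (not from the F5 report or from this briefing) that reads sshd log lines and flags source addresses that exceed a failed-login threshold inside a sliding time window. The log lines are constructed for illustration; their format follows what OpenSSH writes to syslog on Debian-style systems, and the year is an assumption because the syslog timestamp omits it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real data): one address hammering the server
# with dictionary logins, and one legitimate user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 web1 sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:05 web1 sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Mar  3 02:14:06 web1 sshd[4027]: Failed password for root from 203.0.113.7 port 51055 ssh2
Mar  3 02:14:08 web1 sshd[4029]: Failed password for invalid user test from 203.0.113.7 port 51060 ssh2
Mar  3 02:14:09 web1 sshd[4031]: Failed password for root from 203.0.113.7 port 51071 ssh2
Mar  3 02:15:40 web1 sshd[4040]: Failed password for alice from 198.51.100.20 port 40112 ssh2
Mar  3 02:15:44 web1 sshd[4040]: Accepted publickey for alice from 198.51.100.20 port 40112 ssh2
Mar  3 02:40:00 web1 sshd[4102]: Failed password for root from 203.0.113.7 port 52000 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user x".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, username) for every failed-password line.

    The year is assumed (syslog lines carry none); lines are expected in
    chronological order, as they are in a log file."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: (peak_failures_in_window, usernames_tried)} for each source
    that produced at least `threshold` failures inside any `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> every username that source tried
    flagged = {}
    for ts, ip, user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        # Slide the window: drop events older than window_seconds.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak = max(flagged.get(ip, (0, []))[0], len(q))
            flagged[ip] = (peak, sorted(users[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (count, names) in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures within 60s, usernames tried: {', '.join(names)}")
```

The single failure from 198.51.100.20 never crosses the threshold, while 203.0.113.7 is flagged as soon as its fifth failure lands inside the window; the isolated retry at 02:40 does not reset anything because the window has already slid past the earlier burst. In production the same logic is what fail2ban-style tooling implements, but it is worth understanding the window semantics before trusting a threshold.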
Server Message Block - SMB (445)
Microsoft Windows' file-sharing protocol SMB has had a relatively large number of security vulnerabilities and has consequently been the target of countless worms since the 1990s. More recently, the 2017 leak of NSA tooling put a working exploit used by the agency into the wild (EternalBlue, which the WannaCry and NotPetya worms used to spread). These attacks usually target end-user computers and Windows servers directly connected to the internet.
Hypertext Transfer Protocol - HTTP (80)
Web application security flaws are exceedingly common and responsible for a large share of all security breaches. In the majority of the recorded attacks, attackers are merely probing to identify server software or web application software with known weaknesses.
Alternative Hypertext Transfer Protocol - HTTP (8088)
Ports 8088, 8000 and 8080 are commonly used for secondary HTTP servers, such as development instances and application-server admin consoles. The reasons for attacking them are identical to those for the regular HTTP port.
Session Initiation Protocol - SIP (5060)
SIP is used by many modern messaging, voice-calling and video-calling solutions. Because the protocol is complex, many vulnerabilities in implementations of it have been found. Configuration mistakes when setting up SIP services, such as extensions registered with weak or default passwords, are also common and are exploited for toll fraud. Attacks can be aimed at end-users or at server infrastructure.
MSSQL (1433) & MySQL (3306)
MSSQL (Microsoft) and MySQL (Oracle) are two of the most widely deployed SQL databases. Due to shoddy configuration and lax firewall rules, many database servers are directly reachable from the internet. This is dangerous not only because vulnerabilities in both are relatively common, but also because weak passwords set up for development purposes are widespread. As the name implies, databases hold a target's data and are thus exceedingly valuable targets for attackers.
Telnet (23)
Telnet is the spiritual predecessor to SSH. It is completely unencrypted and insecure by modern standards. Unfortunately, many old embedded systems and industrial control systems still rely on it. The recent boom in IoT devices developed by teams with little to no security knowledge has led to an outright revival of a protocol which by all means should have died 20 years ago. Attackers target Telnet for the same reasons they target SSH: a successful attack leads to immediate command execution privileges in most cases.
Only by understanding why attackers target certain ports and services can we correctly prioritize risk and create the policies, rules and strategies to manage it. Strikingly, in all of the above cases, frequent and timely updates, well-enforced password policies, and keeping internal-only services such as databases and file sharing behind the firewall are enough to prevent the vast majority of attacks from succeeding.
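As an added example of turning the ranking above into a prioritized list (this is not code from the F5 report or from this briefing), the script below takes an inventory of listening services on public hosts together with the perimeter firewall rules, works out which listeners are actually reachable from untrusted networks, and sorts the reachable ones by the policy the sections above argue for: database, SMB and Telnet listeners must not face the internet at all, while SSH, HTTP and SIP may, but only hardened. The listener inventory, the ACL, the trusted-source ranges and the host addresses are all constructed for illustration.

```python
from ipaddress import ip_network

# Per-port policy derived from the ranking discussed above. "never" ports are
# cleartext or internal-only services that should not be reachable from the
# internet; "harden" ports are expected to face the internet, but only with
# patching and strong authentication enforced; anything else is "review".
PORT_POLICY = {
    22:   ("harden", "SSH: key-based auth only, disable password logins, keep OpenSSH patched"),
    80:   ("harden", "HTTP: patch the server and the application, inventory what is exposed"),
    8000: ("harden", "alternate HTTP: same as port 80; often a forgotten dev or admin instance"),
    8080: ("harden", "alternate HTTP: same as port 80; often a forgotten dev or admin instance"),
    8088: ("harden", "alternate HTTP: same as port 80; often a forgotten dev or admin instance"),
    5060: ("harden", "SIP: strong extension passwords, rate-limit registrations, patch the PBX"),
    445:  ("never",  "SMB must not be reachable from the internet"),
    1433: ("never",  "MSSQL must not be reachable from the internet"),
    3306: ("never",  "MySQL must not be reachable from the internet"),
    23:   ("never",  "Telnet is unencrypted; replace with SSH or remove the service"),
}
SEVERITY_RANK = {"never": 0, "harden": 1, "review": 2}

# Source networks allowed to reach internal-only services (assumed). The
# 198.51.100.0/24 entry stands in for a constructed office VPN egress range.
TRUSTED_SOURCES = [ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]

# Constructed inputs: listening sockets found on the public hosts, and the
# perimeter ACL as (port, allowed source CIDR) pairs. Default policy is deny,
# so a listener with no matching rule is unreachable from outside.
SAMPLE_LISTENERS = [
    ("203.0.113.10", 22,   "OpenSSH"),
    ("203.0.113.10", 80,   "nginx"),
    ("203.0.113.10", 3306, "MySQL"),
    ("203.0.113.11", 445,  "Samba"),
    ("203.0.113.11", 23,   "telnetd"),
    ("203.0.113.12", 1433, "MSSQL"),
    ("203.0.113.12", 8088, "http"),
    ("203.0.113.12", 5060, "Asterisk SIP"),
    ("203.0.113.12", 9200, "Elasticsearch"),
]
SAMPLE_RULES = [
    (22, "0.0.0.0/0"), (80, "0.0.0.0/0"), (3306, "10.0.0.0/8"),
    (445, "0.0.0.0/0"), (23, "0.0.0.0/0"), (1433, "198.51.100.0/24"),
    (8088, "0.0.0.0/0"), (5060, "0.0.0.0/0"), (9200, "0.0.0.0/0"),
]


def is_internet_reachable(source):
    """True unless the allowed source range sits entirely inside a trusted network."""
    return not any(source.subnet_of(trusted) for trusted in TRUSTED_SOURCES)


def exposed_ports(rules):
    """Ports for which at least one ACL entry admits untrusted sources."""
    return {port for port, cidr in rules
            if is_internet_reachable(ip_network(cidr, strict=False))}


def triage(listeners, rules):
    """Return findings for internet-reachable listeners, most urgent first."""
    reachable = exposed_ports(rules)
    findings = []
    for host, port, service in listeners:
        if port not in reachable:
            continue  # firewalled to trusted sources: not a perimeter finding
        severity, advice = PORT_POLICY.get(
            port, ("review", "unranked port; confirm the service is meant to be public"))
        findings.append({"host": host, "port": port, "service": service,
                         "severity": severity, "advice": advice})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["port"], f["host"]))
    return findings


def severity_counts(findings):
    """Number of findings per severity class, for a one-line summary."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LISTENERS, SAMPLE_RULES):
        print(f"{f['severity']:7} {f['host']}:{f['port']:<5} {f['service']:14} {f['advice']}")
```

With the sample inputs, the MySQL and MSSQL listeners drop out because their ACL entries only admit trusted ranges, Telnet and SMB surface first as the two services that should be closed outright, and the unranked Elasticsearch port lands at the bottom as something to review rather than silently ignore. The reachability test deliberately does not rely on `is_private`: a rule for `0.0.0.0/0` or any other range that is not wholly inside a trusted network counts as exposed.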
As we have said in the past, information security is a game of fundamentals. By doing the basics well, you can prevent 99% of attacks.