Internet-wide scanning is a commonly used research technique that has helped uncover real-world attacks, find cryptographic weaknesses, and understand both operator and miscreant behavior. Studies that employ scanning have largely assumed that services are hosted on their IANA-assigned ports, overlooking the study of services on unusual ports. In this work, we investigate where Internet services are deployed in practice and evaluate the security posture of services on unexpected ports. We show protocol deployment is more diffuse than previously believed and that protocols run on many additional ports beyond their primary IANA-assigned port. For example, only 3% of HTTP and 6% of TLS services run on ports 80 and 443, respectively. Services on non-standard ports are more likely to be insecure, which results in studies dramatically underestimating the security posture of Internet hosts. Building on our observations, we introduce LZR ("Laser"), a system that identifies 99% of identifiable unexpected services in five handshakes and dramatically reduces the time needed to perform application-layer scans on ports with few responsive expected services (e.g., 5500% speedup on 27017/MongoDB). We conclude with recommendations for future studies.