Millions of 'must be firewalled' services are open to the entire internet – research

15m telnet nodes, 4.5m printers, TCP port 445...

Chinese fence

Millions of services that ought to be restricted are exposed on the open internet, creating a huge risk of hacker attack against databases and more.

Infosec firm Rapid7’s researchers took a close look at the millions and millions of individual services that live on the public IP network, one of the most fundamental components of the internet.

Researchers attempted to ascertain to which extent various internet protocols are in use, where they are located, and how much of this is inherently insecure due to running over non-encrypted, cleartext channels.

Millions of systems on the internet offer services that should not be exposed to the public network. The survey uncovered 15 million nodes appearing to offer telnet (usually unencrypted), 11.2 million appearing to offer direct access to relational databases, and 4.5 million apparent printer services.

Around 4.7 million systems expose one of the most commonly attacked ports used by Microsoft systems, 445/TCP. Oddly 75 per cent of the servers offering SMB/CIFS services – a (usually) Microsoft service for file sharing and remote administration for Windows machines – originated in just six countries: the United States, China, Hong Kong, Belgium, Australia and Poland.

The most exposed nations on the internet included countries with the largest GDPs, such as the United States, China, France, and Russia.

The research – summarised here – was put together by Bob Rudis, Jon Hart and Tod Beardsley. Beardsley explained that the research gave the team a fresh perspective on the services deployed on the public side of firewalls the world over.

Although, to the man on the street, the internet is imagined to run over the one or two protocols that the World Wide Web runs on – HTTP and HTTPS – there are loads of other services. Rapid7’s researchers say their study shows how much telnet, SSH, FTP, SMTP, or any of the other protocols that run on TCP/IP is actually in use, where are they all located, and how much of it is inherently insecure due to running over non-encrypted, cleartext channels for the first time.

He explained this was different from, but complementary to, other research efforts.

“While projects like CAIDA and Shodan perform ongoing telemetry that covers important aspects of the internet, we here at Rapid7 are unaware of any ongoing effort to gauge the general deployment of services on public networks. So, we built our own, using Project Sonar,” Beardsley said. ®

Biting the hand that feeds IT © 1998–2017