Trial by Internet

Intro

As part of developing one of our internal tools, we needed the latest data on what happens to the average server on the Internet. At a high level, we wanted to know the most commonly targeted services "in the wild" and the geographical distribution of the sources of these attempts.

We set up a server and monitored network activity on it for a week. This post is a summary of our findings.

Results

  • The server was set up with an external IPv4 address from AWS' IP pool for the ap-southeast-2 region
  • Data was collected for every TCP connection attempt over 168 hours between 13/09/2020 and 20/09/2020. These included compromise attempts as well as simple port scans
  • Overall, the server registered 58339 attempts. These came from 10103 different IP addresses
  • We've managed to attribute ~20% of all attempts to Internet-wide security research projects and scanning engines like Shodan or Censys
  • The events showed a fairly even distribution in time, without any significant burst
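
The figures above (total attempts, distinct sources, most targeted ports, share attributed to research scanners, and evenness over time) can be derived from a connection log as in the following added example, which is not the tooling used for this post. The record layout, the reverse-DNS suffix list used for attribution and the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Assumed reverse-DNS suffixes for research scanners (illustrative, not from the post).
RESEARCH_SUFFIXES = (".shodan.io", ".censys-scanner.com")

# Constructed sample records: (UTC timestamp, source IP, destination port, reverse DNS).
SAMPLE = [
    ("2020-09-13T00:05:10", "192.0.2.10", 22, ""),
    ("2020-09-13T00:17:42", "198.51.100.7", 23, ""),
    ("2020-09-13T01:02:03", "203.0.113.5", 443, "census1.shodan.io"),
    ("2020-09-13T01:40:00", "192.0.2.10", 22, ""),
    ("2020-09-13T02:11:30", "198.51.100.99", 3389, ""),
    ("2020-09-13T02:15:00", "203.0.113.77", 22, "scanner-01.censys-scanner.com."),
    ("2020-09-13T03:59:59", "192.0.2.44", 445, ""),
    ("2020-09-13T03:20:00", "198.51.100.7", 23, ""),
    ("2020-09-13T03:21:00", "198.51.100.7", 22, ""),
    ("2020-09-13T03:30:00", "192.0.2.44", 445, ""),
]

def is_research(rdns):
    """True when the PTR name falls under a listed research-scanner domain."""
    name = rdns.lower().rstrip(".")
    return any(name.endswith(suffix) for suffix in RESEARCH_SUFFIXES)

def summarize(records, top_n=3):
    ports, hours, sources = Counter(), Counter(), set()
    research = 0
    for ts, src, port, rdns in records:
        ports[port] += 1
        sources.add(src)
        hours[datetime.fromisoformat(ts).strftime("%Y-%m-%d %H")] += 1
        research += is_research(rdns)
    total = len(records)
    mean_per_hour = total / len(hours) if hours else 0.0
    return {
        "attempts": total,
        "unique_sources": len(sources),
        "top_ports": ports.most_common(top_n),
        "research_share": research / total if total else 0.0,
        # Peak hour relative to the mean of active hours; values near 1 mean no burst.
        "peak_to_mean": max(hours.values()) / mean_per_hour if hours else 0.0,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Counting distinct sources separately from attempts matters because a single host that retries heavily inflates per-port totals without adding a new source.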

Targeted services

The 20 most targeted services were the following:

We see the usual suspects here (with some exceptions), mainly bots targeting remote management and other potentially high-value services.

The complete list of targeted services (with at least 10 connection attempts):

Geographical distribution

The complete geographical distribution of the attempts was the following:

According to IP geolocation, the following 20 countries originated the most attempts: