Your Fly Is Open

Netmenaces and Other Internet Stupidity

Seeing Everything

2024-10-22 3 min read attacks

As security professionals, we all intuitively know how bad things are on the Internet. We know that attacks constantly bombard every IP address. But is it possible to go beyond that intuitive sense and put some hard numbers to the amount of badness continually knocking on our doors?

A friend proposed a thought experiment a while back: What if we could simultaneously listen on all IP ports and protocols? What would we see? What if we could log EVERY attack against an IP address? Exactly how bad would it be?

Well, I was able to turn that thought experiment into reality.

Imagine a tool that does the impossible—it can simultaneously listen for and complete connections on all 65,536 TCP ports, listen on all 65,536 UDP ports, grab all ICMP packets and other oddball protocols, and log everything. It doesn’t require fancy or powerful hardware - I have it running on a humble RaspberryPi 4, and it uses only 4-5% processor. This tool allows us to capture the first portion of every attack against a system, and its capabilities provide us with unprecedented insight into the ever-evolving world of network attacks.

Building this tool was no small task. The technical insanity required to bring it to life is a story for another day. Let’s talk about what it allows us to see.

First, it’s essential to set the scene. I gathered this data on a standard, unassuming home internet connection. There was nothing special, no open ports, and no services advertised to the outside world. We can consider any inbound connection attempt malicious because there is no reason for any system to connect to this address.

For the week of October 6th through October 12th of 2024, this simple home Internet connection saw an average of 45,345 daily attacks. The attacks were relentless and steady, with the lowest day logging just over 43,000 and the highest day at around 49,000. This data underscores the urgency and importance of our work in understanding and mitigating network attacks.

For completeness, I also saw four IP-in-IP packets (IP Protocol 4) and eight GRE packets (IP Protocol 47).

Remember, this tool shows us the first portion of the attack so we can often identify what service it targets, even if it is against a non-standard port. So, out of 317,417 attacks during that week, 25,640 were attempts to exploit Microsoft RDP, but not just on port 3389. I can confidently say that attacks sourcing from 736 unique IPs made RDP exploit attempts against 12,312 different ports.

Because we can see the inbound attack, we can fingerprint the attacker’s tooling and identify IP addresses used in coordination. Because of this tool’s unique visibility, we can even recognize multiple IP addresses performing a coordinated scan across a range of ports.

You knew it was bad out there - now we can know just how bad.

This tool isn’t publicly available right now, as the techniques I used to create it are being patented. But if you’re interested in using it for research, reach out, and we can talk.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
October 22, 2024

P.S.: Just to add some additional context, that averages out to an attack every 1.9 seconds, all day, every day.

During that week, attacks targeted 30,194 unique ports, were 99.66% TCP, and sourced from 15,681 unique IP addresses.