2015: Project Sonar Wiki & UDP Scan Data

Blog Post created by hdmoore on Jan 1, 2015

Project Sonar started in September of 2013 with the goal of improving security through the active analysis of public networks. For the first few months, we focused almost entirely on SSL, DNS, and HTTP enumeration. This uncovered all sorts of interesting security issues and contributed to a number of advisories and research papers. The SSL and DNS datasets were especially good at identifying assets for a given organization, often finding systems that the IT team had no inkling of. At this point, we had a decent amount of automation in place and decided to start the next phase of Project Sonar: scanning UDP services.

While we had received a few opt-out requests for HTTP scans in the past, these were completely eclipsed by the number of folks requesting to be excluded after our UDP probes generated an alert on their IDS or firewall. Handling opt-out requests became a part-time job that was rotated across the Labs team. We tried, and often succeeded, to roll out exclusions within a few minutes of receiving a request, but it came at the cost of getting other work done. At the end of the day, the value of the data and our ability to improve public security depended on having consistent scan data across a range of services. As of mid-December, the number of opt-out requests has leveled off, and we had a chance to start digging into the results.

There was some good news for a change:

  • VxWorks systems with an internet-exposed debug service have dropped from a peak of ~300,000 in 2010 to about 61,000 in late 2014
  • Servers with IPMI exposed to the internet have dropped from ~250,000 in June 2014 to ~214,000 in December 2014
  • NTP daemons with monlist enabled have decreased by somewhere between 25% and 50% (our data doesn't quite agree with ShadowServer's)

The bad news is that most of the other stats stayed relatively constant across six months:

  • Approximately 200,000 Microsoft SQL Servers are still responding to UDP pings, and many of these are end-of-life versions
  • Over 15,000,000 devices expose SIP to the internet, and about half of these are from a single vendor in a single region
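As an added example (not part of the original post, and not Sonar's own scanning code), here is the probe and response logic behind the Microsoft SQL Server bullet above: the one-byte SQL Server Resolution Protocol (SSRP) request sent to UDP/1434, a parser for the SVR_RESP reply that lists every instance on the host, and a check that flags instances whose major version was already out of extended support when this post was written. The response bytes, host name and instance names are constructed for illustration; the end-of-life set (7.x for SQL Server 7.0, 8.x for SQL Server 2000) is my own cutoff for January 2015, not a figure taken from the post.

```python
import socket
import struct

SSRP_PORT = 1434
# CLNT_UCAST_EX: a single 0x03 byte asks the SQL Browser to describe every instance.
SSRP_PING = b"\x03"
# SVR_RESP: reply starts with 0x05, then a little-endian 16-bit length, then ASCII data.
SVR_RESP = 0x05

# Assumption for this example: major versions whose extended support had ended by
# January 2015 (7 = SQL Server 7.0, 8 = SQL Server 2000). 9 = 2005, 10 = 2008/2008 R2,
# 11 = 2012, 12 = 2014 were still supported at the time.
EOL_MAJOR_VERSIONS = {7, 8}

# Constructed sample reply: two instances on one (made-up) host, one of them SQL Server 2000.
SAMPLE_BODY = (
    b"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.2039;tcp;1433;;"
    b"ServerName;DBSRV01;InstanceName;REPORTS;IsClustered;No;"
    b"Version;10.50.1600.1;tcp;1435;np;\\\\DBSRV01\\pipe\\MSSQL$REPORTS\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY


def build_ping():
    """Return the datagram Sonar-style UDP probes send to port 1434."""
    return SSRP_PING


def parse_ssrp_response(data):
    """Parse an SVR_RESP datagram into a list of dicts, one per SQL Server instance.

    Each instance is a run of key;value pairs terminated by ';;'.
    Raises ValueError if the datagram does not look like an SSRP reply.
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        # Pair up key/value fields; a dangling odd field is ignored rather than crashing.
        instances.append({fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)})
    return instances


def major_version(version):
    """'10.50.1600.1' -> 10; None for missing or malformed version strings."""
    try:
        return int(version.split(".")[0])
    except (ValueError, AttributeError):
        return None


def flag_end_of_life(instances):
    """Return the instances whose major version is in EOL_MAJOR_VERSIONS."""
    return [i for i in instances if major_version(i.get("Version")) in EOL_MAJOR_VERSIONS]


def ping_host(host, timeout=2.0):
    """Send the SSRP ping to one host and return its parsed instances ([] on no reply).

    Only probe hosts you are authorised to scan; this is exactly the traffic that
    trips the IDS alerts described in the post.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ping(), (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_ssrp_response(data)


if __name__ == "__main__":
    found = parse_ssrp_response(SAMPLE_RESPONSE)
    for inst in found:
        print(inst.get("InstanceName"), inst.get("Version"), "tcp/" + inst.get("tcp", "?"))
    print("end-of-life:", [i["InstanceName"] for i in flag_end_of_life(found)])
```

Two practical points: the reply is unauthenticated and reveals instance names, listening ports and exact build numbers to anyone who can reach UDP/1434, which is why the version field alone is enough to identify unsupported servers from a single probe; and because the protocol is a one-byte request with a multi-hundred-byte reply, exposed SQL Browser services are also an amplification source, another reason to keep 1434/udp off the internet.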

One odd trend was a steady increase in the number of systems exposing NAT-PMP to the internet: just over 1 million in June, rising to 1.3 million in December. Since NAT-PMP is never supposed to be internet facing, this points to even more exposure in 2015.

We conducted over 330 internet-wide UDP scans in 2014, covering 13 different UDP probes and generating over 96 gigabytes of compressed scan data. All of this data is now available, along with a brand new wiki that documents what we scan and how to use the published data.

2015 is looking like a great year for security research!

-HD
