Open ports in the Time of Corona

02-04-2020 / In categories News, 2020

COVID-19, HTTP, HTTPS, RDP, SSH, SSL, Shodan, TLS


One of the side effects of social distancing and self-quarantining due to COVID-19 was a large increase in the use of VPNs (and, in some cases, different remote access protocols, such as RDP or SSH) by companies around the world, so that their employees might work from home. I was wondering how large this increase would be when compared to the usual state of affairs. To determine this, I took a look at data I gathered from Shodan over the course of March and made a couple of - hopefully interesting - charts.

Before we get to them, however, I should mention that simply looking at absolute numbers gathered from Shodan wouldn’t give us much due to the way Shodan operates (for more details, take a look at my diary about patching BlueKeep). Therefore, while Shodan saw a significant absolute increase in open ports/detected IPs in March (an almost 12% rise in detected IP addresses globally), we will take a look at both the absolute and the relative values - counts as well as percentages of all IPs, globally or in a specific country, which have a certain port open.
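The difference between absolute counts and shares can be made concrete by comparing two snapshots. This is an added example, not code or data from the original post: the `Snapshot` type, the `compare` function and every figure in it are constructed for illustration (the totals only mirror the roughly 12% rise mentioned above).

```python
from dataclasses import dataclass

@dataclass
class Snapshot:
    total_ips: int    # all IPs the scanner reported at that point in time
    open_ports: dict  # port number -> count of IPs with that port open

def compare(start: Snapshot, end: Snapshot) -> dict:
    """Per-port absolute change and change in share of all detected IPs."""
    if start.total_ips <= 0 or end.total_ips <= 0:
        raise ValueError("total_ips must be positive to compute a share")
    result = {}
    # Only ports present in both snapshots can be compared.
    for port in sorted(set(start.open_ports) & set(end.open_ports)):
        before, after = start.open_ports[port], end.open_ports[port]
        share_before = 100.0 * before / start.total_ips
        share_after = 100.0 * after / end.total_ips
        delta = after - before
        if delta > 0 and share_after < share_before:
            # More hosts seen, but growth lagged behind the scanner's total.
            trend = "count up, share down"
        elif delta > 0:
            trend = "count up, share held or rose"
        elif delta == 0:
            trend = "count flat"
        else:
            trend = "count down"
        result[port] = {
            "delta": delta,
            "share_before": share_before,
            "share_after": share_after,
            "trend": trend,
        }
    return result

# Constructed sample values, NOT Shodan data: total detected IPs grow by 12%.
MONTH_START = Snapshot(100_000_000, {22: 5_000_000, 80: 15_000_000,
                                     443: 10_000_000, 3389: 1_000_000})
MONTH_END = Snapshot(112_000_000, {22: 5_300_000, 80: 17_250_000,
                                   443: 12_000_000, 3389: 1_050_000})

if __name__ == "__main__":
    for port, row in compare(MONTH_START, MONTH_END).items():
        print(f"{port:>5}: {row['delta']:+,} IPs, "
              f"{row['share_before']:.3f}% -> {row['share_after']:.3f}% "
              f"({row['trend']})")
```

A port's share falls whenever its own count grows more slowly than the total number of detected IPs, which is why a rising count alone says little about exposure.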

If you’re interested in how the situation looked before, I’ll add that Shodan itself recently released an article with analysis of some of the trends they saw from the start of July 2019 to the end of January 2020. You may find it here.

One last thing I will mention before we get to “the good stuff” is that I didn’t include in the charts all the countries for which I have data, since that would make the post too large. If data for your country isn’t included in the charts and you would like to see how the situation changed where you live, get in touch with me and if I have the data, I’ll try to add a chart for your country as well.

Now, let’s take a look at the charts themselves. I picked the ports which have seen a significant absolute increase globally - namely ports 22 (SSH), 80 (HTTP), 443 (HTTPS and many TLS-based services and VPN solutions) and 3389 (RDP). Unfortunately, I don’t have data for the usual VPN ports and related services (IKE, PPTP, etc.), but I assume that the jump in those was similarly significant to the one in TLS.

Here is the list of countries for which charts are available:

Global situation

In addition to the ports mentioned above, on a global level we will take a look at SMB as well. There has been a significant increase in SMB open to the internet and, unfortunately, that was true even for SMBv1 on Windows.

Global situation - SSH

Global situation - HTTP

Global situation - HTTPS

Global situation - SMB

Global situation - RDP

As we may see, although there was a significant absolute increase in IPs which offer the protocols and services we were interested in, the percentage of IPs offering these protocols actually went down in the cases of SSH and RDP. As the following charts demonstrate, this trend held for some countries as well, but not all of them.

Australia

Australia - SSH

Australia - HTTP

Australia - HTTPS

Australia - RDP

Canada

Canada - SSH

Canada - HTTP

Canada - HTTPS

Canada - RDP

Czech Republic

Czech Republic - SSH

Czech Republic - HTTP

Czech Republic - HTTPS

Czech Republic - RDP

Great Britain

Great Britain - SSH

Great Britain - HTTP

Great Britain - HTTPS

Great Britain - RDP

Germany

Germany - SSH

Germany - HTTP

Germany - HTTPS

Germany - RDP

China

China - SSH

China - HTTP

China - HTTPS

China - RDP

Italy

Italy - SSH

Italy - HTTP

Italy - HTTPS

Italy - RDP

Netherlands

Netherlands - SSH

Netherlands - HTTP

Netherlands - HTTPS

Netherlands - RDP

Romania

Romania - SSH

Romania - HTTP

Romania - HTTPS

Romania - RDP

Russia

Russia - SSH

Russia - HTTP

Russia - HTTPS

Russia - RDP

Slovakia

Slovakia - SSH

Slovakia - HTTP

Slovakia - HTTPS

Slovakia - RDP

Spain

Spain - SSH

Spain - HTTP

Spain - HTTPS

Spain - RDP

USA

USA - SSH

USA - HTTP

USA - HTTPS

USA - RDP