One of the side effects of social distancing and self-quarantining due to COVID-19 was a large increase in the use of VPNs (and, in some cases, different remote access protocols, such as RDP or SSH) by companies around the world, so that their employees might work from home.
I was wondering how large this increase would be when compared to the usual state of affairs. To determine this, I took a look at data I gathered from Shodan over the course of March and made couple of - hopefully interesting - charts.
Before we get to them, however, I should mention that simply looking at absolute numbers gathered from Shodan wouldn’t give us much due to the way Shodan operates (for more details, take a look at my diary about patching BlueKeep). Therefore, while Shodan saw a significant absolute increase in open ports/detected IPs in March (almost 12% rise in detected IP addresses globally), we will take a look at both absolute and the relative values - counts as well as percentages of all IPs globally/in a specific country, which have a certain port open.
If you’re interested in how the situation looked before, I’ll add that Shodan itself recently released an article with analysis of some of the trends they saw from the start of July 2019 to the end of January 2020. You may find it here.
One last thing I will mention before we get to “the good stuff” is that I didn’t include all the countries, for which I have data, in the charts, since that would make the post too large. If data for your country isn’t included in the charts and you would like to see how the situation changed where you live, get in touch with me and if I have the data, I’ll try to add a chart for your country as well.
Now, let’s take a look at the charts themselves. I picked the ports which have seen a high significant absolute increase globally - namely ports 22 (SSH), 80 (HTTP), 443 (HTTPS and many TLS-based services and VPN solutions) and 3389 (RDP). Unfortunatelly, I don’t have data for the usual VPN ports and related services (IKE, PPTP, etc.), but I assume that the jump in those was similarly significant as the one in TLS.
Here is the list of countries for which charts are available:
- Global data
- Czech Republic
- Great Britain
In addition to the ports mentioned above, on a global level we will take a look at SMB as well. There has been a signifficant increase in SMB open to the internet and, unfortunatelly, that was true even for SMBv1 on Windows.
As we may see, although there was a significant absolute increase in IPs which offer the protocols and services we were interested in, the percentage of IPs offering these protocols actually went down in cases of SSH and RDP. As the following charts demonstrate, this trend held for some countries as well, but not all of them.