As part of developing one of our internal tools, we needed up-to-date data on what happens to the average server on the Internet. At a high level, we wanted to know the most commonly targeted services "in the wild", and the geographical distribution of the sources of these connection attempts.
We set up a server and monitored network activity on it for a week. This post is a summary of our findings.
- The server was set up with an external IPv4 address from AWS' IP pool for the ap-southeast-2 region
- Data was collected for every TCP connection attempt for 168 hours between 13/09/2020 and 20/09/2020. These included compromise attempts as well as simple port scans
- Overall, the server registered 58339 attempts. These came from 10103 different IP addresses
- We managed to attribute ~20% of all attempts to Internet-wide security research projects and scanning engines like Shodan or Censys
- The events showed a fairly even distribution in time, without any significant bursts
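The aggregation behind the figures above (total attempts, distinct sources, share attributable to known scanning projects, per-port ranking and burstiness over time) can be reproduced with a short script. This is an added example, not the tool or data from the original post; the event records and the scanner prefix list are constructed placeholders, and real attribution would use the ranges each project publishes.

```python
import ipaddress
from collections import Counter

# Constructed sample of connection-attempt records (timestamp, source IP, destination
# port), the shape a firewall or packet-capture log reduces to. Not real data.
SAMPLE_EVENTS = [
    ("2020-09-13T00:12:05", "198.51.100.7", 22),
    ("2020-09-13T00:40:11", "203.0.113.9", 22),
    ("2020-09-13T01:05:30", "203.0.113.9", 3389),
    ("2020-09-13T01:17:02", "192.0.2.44", 445),
    ("2020-09-13T02:30:58", "198.51.100.12", 80),
    ("2020-09-13T02:31:00", "192.0.2.44", 22),
    ("2020-09-13T03:00:00", "203.0.113.200", 23),
    ("2020-09-13T03:45:10", "192.0.2.91", 3389),
    ("2020-09-13T04:10:21", "203.0.113.9", 22),
    ("2020-09-13T04:59:59", "192.0.2.44", 445),
]

# Hypothetical prefixes standing in for research/scanning-engine ranges (placeholder).
RESEARCH_SCANNER_PREFIXES = ["198.51.100.0/24"]


def summarize(events, scanner_prefixes):
    """Aggregate connection attempts into the metrics reported in the post."""
    nets = [ipaddress.ip_network(p) for p in scanner_prefixes]
    per_port, per_hour, sources, attributed = Counter(), Counter(), set(), 0
    for ts, src, port in events:
        per_port[port] += 1
        per_hour[ts[:13]] += 1          # bucket by hour (YYYY-MM-DDTHH)
        sources.add(src)
        if any(ipaddress.ip_address(src) in n for n in nets):
            attributed += 1             # attempt came from a known scanner range
    total = len(events)
    # ratio of the busiest hour to the mean hourly rate; ~1.0 means no bursts
    mean_per_hour = total / len(per_hour) if per_hour else 0.0
    burst_ratio = max(per_hour.values()) / mean_per_hour if per_hour else 0.0
    return {
        "total": total,
        "unique_sources": len(sources),
        "attributed_share": attributed / total if total else 0.0,
        "top_ports": per_port.most_common(5),
        "burst_ratio": burst_ratio,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS, RESEARCH_SCANNER_PREFIXES).items():
        print(f"{key}: {value}")
```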
The 20 most targeted services were the following:
We see the usual suspects here (with some exceptions), mainly bots targeting remote management and other potentially high-value services.
The complete list of targeted services (with at least 10 connection attempts):
The complete geographical distribution of the attempts was the following:
According to IP geolocation, the following 20 countries originated the most attempts: