The Masked SYNger: Investigating a Traffic Phenomenon

At the beginning of 2020, Rapid7 and other researchers began noticing increased scanning activity against a variety of TCP ports. Through our daily monitoring of connections to our Heisenberg honeynet, as well as discussions with other community members such as Andrew Morris of GreyNoise, we felt confident that we were seeing something new—certainly not part of our “normal” traffic to the honeypots. The first public mention of this activity was actually on Jan. 3, when @Andrew__Morris tweeted:


Over the following weeks, we noticed strange behavior on some ports like TCP 123, but had not noticed a continued phenomenon until March. On March 5, GreyNoise again confirmed that they were also seeing the same sustained behavior we had seen in January and February.


Once March hit, we were seeing consistently high numbers of unique IP addresses connecting to our honeypots. Primarily, we observed incredibly high volumes of SYN scanning activity against these TCP ports:


21 (FTP)
22 (SSH)
23 (Telnet)
25 (SMTP)
53 (DNS, more commonly seen on UDP RFC5966)
80 (HTTP)
110 (POP3)
123 (NTP, more commonly seen on UDP RFC5905)
443 (HTTPS)

The graph below shows the pattern of activity, namely the sharp spikes and sustained increase in the number of distinct IP addresses seen scanning these ports every day.
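To make the measurement behind that graph concrete, here is an added example (not Rapid7's code and not the Heisenberg pipeline) that counts the distinct source IPs sending SYNs to each port per day and flags a day whose count jumps well above the median of the preceding days. The log line format, the RFC 5737 documentation-range addresses, and the spike threshold are all assumptions made for the illustration.

```python
"""Daily distinct-source counts for honeypot SYN traffic, with simple spike flagging (added example)."""
from collections import defaultdict
from statistics import median

# Constructed log lines in a hypothetical honeypot format:
#   "<ISO timestamp> <src-ip> -> <dst-port> <tcp-flags>"
# Addresses come from the RFC 5737 documentation ranges; none of this is real Heisenberg data.
# Days 03-01..03-04 carry a quiet baseline on port 22; 03-05 carries a constructed burst.
_BASE = """
2020-03-01T00:01:02Z 192.0.2.10 -> 22 SYN
2020-03-01T03:14:07Z 192.0.2.11 -> 22 SYN
2020-03-01T03:14:09Z 192.0.2.11 -> 22 SYN
2020-03-01T08:00:00Z 192.0.2.12 -> 80 SYN
2020-03-02T01:00:00Z 192.0.2.10 -> 22 SYN
2020-03-02T02:00:00Z 192.0.2.13 -> 22 SYN
2020-03-02T02:30:00Z 192.0.2.12 -> 80 SYN
2020-03-03T01:00:00Z 192.0.2.14 -> 22 SYN
2020-03-03T01:05:00Z 192.0.2.15 -> 22 SYN
2020-03-03T09:00:00Z 192.0.2.12 -> 80 SYN
2020-03-04T01:00:00Z 192.0.2.10 -> 22 SYN
2020-03-04T01:05:00Z 192.0.2.16 -> 22 SYN
2020-03-04T02:00:00Z 192.0.2.12 -> 80 SYN
2020-03-05T05:00:00Z 192.0.2.12 -> 80 SYN
2020-03-05T05:01:00Z 192.0.2.12 -> 80 ACK
"""
# Twelve distinct constructed sources hitting port 22 on 2020-03-05.
_BURST = "\n".join(
    f"2020-03-05T00:00:{i:02d}Z 203.0.113.{i} -> 22 SYN" for i in range(1, 13)
)
SAMPLE_LOG = _BASE + _BURST + "\n"


def parse_line(line):
    """Return (day, src_ip, port) for a SYN-only record, or None for anything else.

    Non-SYN flags (e.g. the ACK above) are dropped so only connection attempts count.
    """
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or parts[4] != "SYN":
        return None
    timestamp, src, _, port, _ = parts
    return timestamp[:10], src, int(port)  # day as "YYYY-MM-DD"


def distinct_sources_per_day(log_text):
    """Map port -> {day -> number of distinct source IPs that sent a SYN that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec:
            day, src, port = rec
            seen[port][day].add(src)
    return {
        port: {day: len(ips) for day, ips in days.items()}
        for port, days in seen.items()
    }


def flag_spikes(counts, factor=3.0, min_history=3):
    """Return (port, day, count, baseline) for days whose distinct-source count
    exceeds factor * median of all earlier days, once min_history days exist.

    A median baseline is used so one earlier spike does not mask a later one.
    """
    alerts = []
    for port, per_day in counts.items():
        history = []
        for day in sorted(per_day):  # ISO dates sort chronologically as strings
            n = per_day[day]
            if len(history) >= min_history:
                baseline = median(history)
                if n > factor * baseline:
                    alerts.append((port, day, n, baseline))
            history.append(n)
    return alerts


if __name__ == "__main__":
    counts = distinct_sources_per_day(SAMPLE_LOG)
    for port in sorted(counts):
        print(port, dict(sorted(counts[port].items())))
    for port, day, n, baseline in flag_spikes(counts):
        print(f"spike: port {port} on {day}: {n} distinct sources vs baseline {baseline}")
```

On the constructed data, port 22 sits at two distinct sources per day and then jumps to twelve on 2020-03-05, which the median-baseline check flags; port 80 stays flat and produces nothing. The threshold and the history window are the knobs a honeypot operator would tune against real daily counts.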


We have also seen the same activity against these ports, which later dropped off in April.


110 (POP3)
123 (NTP)
3389 (RDP)
5060 (SIP)
7547 (TR-069)
8080 (HTTP-alt)

We suspect that other ports have been included on certain days, but they have not been as consistently uniform in their source IP vol ..
