Which are the most scanned ports?
Eniko Toth


What is a port?

Ever since computers have been able to run several programs at the same time and connect to modern networks, ports have mattered: they tell the operating system which program an incoming packet belongs to.

Three things are needed for communication between two machines:

  • IP address of the host
  • Port number
  • Type of protocol (e.g. TCP, UDP)

Figure: client and server port numbers by service and connection type (TCP or UDP)


A port number is a 16-bit number between 0 and 65535. Some ports are reserved for specific services, e.g. port 80 is used for HTTP communication.

Types of ports:

  • Well Known Ports: 0 - 1023
  • Registered Ports: 1024 - 49151
  • Dynamic/Private Ports: 49152 - 65535

What is port scanning and what is it used for?

If we send a request to a port, we can get three types of result:

  • Open/Accepted: Reply from the host → a service is listening on that port
  • Closed/Denied/Not Listening: Reply from the host → connection is denied
  • Filtered/Dropped/Blocked: No reply from the host

The aim of port scanning is to find open ports by sending requests to one or more ports. With this technique, administrators can check that their network's security policies are actually enforced. But it can be used for malicious purposes as well, which is why it is one of the favourite "toys" of attackers.

If they find an open port, it becomes much easier for them to exploit the vulnerabilities of the service listening on it.

It's like a burglar who wants to break into a house. What does he do first? He walks around the house to check whether any windows or doors are open. If he finds one, he'll of course go in there rather than trying to force a locked door. Once he is inside, he can steal whatever he wants.

In short, port scanning means: find the weakest point of the system.

Types of port scanning

  • Vanilla: Connecting to all ports (0-65535)
  • Strobe: Connecting to only some ports (under 20 selected ports)
  • Stealth Scan: Avoid logging the scan attempt
  • FTP Bounce Scan: Disguises the scanner's location by relaying the scan through a File Transfer Protocol server
  • Fragmented Packets: It sends packet fragments in order to check whether it can bypass simple packet filters in the firewall
  • UDP Scan: Port scanning on User Datagram Protocol ports
  • Port sweeping: Scanning a single port across many hosts
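The scan types above leave distinct footprints in connection logs, and that is what a defender looks for. The following Python script is an added example, not BitNinja's code: it groups inbound connection attempts by source IP and labels each source as a vanilla scan (many ports), a strobe scan (a short list of ports) or a port sweep (one port across several hosts). The sample attempts, the documentation-range IP addresses and the thresholds are all constructed for this illustration.

```python
from collections import defaultdict

# Constructed sample of inbound connection attempts, reduced to
# (source IP, destination host, destination port). All addresses come from
# documentation ranges; this is illustrative data, not captured traffic.
SAMPLE_ATTEMPTS = (
    # vanilla-style: one source walks ports 1..30 on a single host
    [("203.0.113.10", "198.51.100.5", p) for p in range(1, 31)]
    # strobe-style: one source probes a short list of selected ports on one host
    + [("203.0.113.20", "198.51.100.5", p)
       for p in (21, 22, 23, 25, 80, 110, 443, 445, 1433, 2323)]
    # port sweep: one source tries port 23 on several hosts
    + [("203.0.113.30", f"198.51.100.{i}", 23) for i in range(1, 5)]
    # ordinary client: a single connection to the web server
    + [("203.0.113.40", "198.51.100.5", 80)]
)


def classify_sources(attempts, strobe_min=5, strobe_max=20, sweep_min_hosts=3):
    """Label each source IP by the scan pattern its attempts show.

    'vanilla': more than strobe_max distinct ports were tried
    'strobe' : between strobe_min and strobe_max distinct ports were tried
    'sweep'  : a single port was tried on at least sweep_min_hosts hosts
    'none'   : nothing that looks like a scan
    The thresholds are assumptions chosen for this example.
    """
    by_source = defaultdict(list)
    for src, dst, port in attempts:
        by_source[src].append((dst, port))

    labels = {}
    for src, pairs in by_source.items():
        ports = {port for _, port in pairs}
        hosts = {dst for dst, _ in pairs}
        if len(ports) > strobe_max:
            labels[src] = "vanilla"
        elif len(ports) >= strobe_min:
            labels[src] = "strobe"
        elif len(ports) == 1 and len(hosts) >= sweep_min_hosts:
            labels[src] = "sweep"
        else:
            labels[src] = "none"
    return labels


def scanning_sources(attempts):
    """Return the sorted source IPs that show any scan pattern."""
    return sorted(src for src, label in classify_sources(attempts).items()
                  if label != "none")


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_ATTEMPTS).items()):
        print(f"{src:15} {label}")
```

Stealth and fragmented-packet scans are designed to avoid exactly this kind of logging, so a detector like this only sees the scans that complete a connection attempt; that is the gap a honeypot on unused ports is meant to close.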

Most scanned ports

Since BitNinja agent version 1.18.8, we log which port was scanned.

According to our statistics* the Top 5 scanned ports are the following:

Rank   Port number   Rate
1.     23            73.11%
2.     445           16.73%
3.     1433          3.05%
4.     2323          1.75%
5.     110           0.97%

*Between 2017.11.22. and 2017.12.19.
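The table above is a simple aggregation: count incidents per destination port and express each count as a share of the total. As an added example (not BitNinja's code), the Python below does that over honeypot log lines. The log format, the `BL_PORT_HONEYPOT_BADPORT` field layout and the sample lines are constructed for this illustration; only the incident type name comes from the article.

```python
import re
from collections import Counter

# Constructed log lines in an assumed format (not BitNinja's real log layout).
# The mix is weighted so that Telnet (23) dominates, as in the statistics above.
SAMPLE_LOG = "\n".join(
    [f"2017-12-12T10:00:{i:02d}Z BL_PORT_HONEYPOT_BADPORT src=203.0.113.{i} dport=23"
     for i in range(14)]
    + [f"2017-12-12T10:01:{i:02d}Z BL_PORT_HONEYPOT_BADPORT src=203.0.113.{50 + i} dport=445"
       for i in range(3)]
    + [f"2017-12-12T10:02:{i:02d}Z BL_PORT_HONEYPOT_BADPORT src=203.0.113.{70 + i} dport=1433"
       for i in range(2)]
    + ["2017-12-12T10:03:00Z BL_PORT_HONEYPOT_BADPORT src=203.0.113.90 dport=2323",
       "2017-12-12T10:03:01Z some-other-incident src=203.0.113.91 note=ignored"]
)

LINE_RE = re.compile(r"BL_PORT_HONEYPOT_BADPORT src=(?P<src>\S+) dport=(?P<port>\d+)")

# Service names for the ports discussed in the article
SERVICE_NAMES = {23: "Telnet", 445: "SMB", 1433: "MS SQL Server",
                 2323: "Telnet (alternate)", 110: "POP3", 8080: "HTTP (alternate)"}


def count_ports(log_text):
    """Count BADPORT incidents per destination port; other lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            counts[int(match.group("port"))] += 1
    return counts


def top_ports(log_text, n=5):
    """Return [(port, count, rate_percent)] for the n most scanned ports."""
    counts = count_ports(log_text)
    total = sum(counts.values())
    if total == 0:
        return []
    return [(port, cnt, round(100.0 * cnt / total, 2))
            for port, cnt in counts.most_common(n)]


def report(log_text, n=5):
    """Render the ranking as text in the same shape as the article's table."""
    lines = ["Rank  Port   Service             Rate"]
    for rank, (port, _, rate) in enumerate(top_ports(log_text, n), start=1):
        name = SERVICE_NAMES.get(port, "unknown")
        lines.append(f"{rank}.    {port:<6} {name:<19} {rate:.2f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```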


Let’s visualize the data:


Figure: distribution of port scans (most scanned ports, December 2017)


As you can see, port 23 (Telnet) is the clear leader of this "competition". BitNinja detected more than 5 million port scan attempts on it in a single week (2017.12.12 to 2017.12.19).

The data also shows that most port scans come from Japan. If you'd like to find out more about the port scan attacks on your server, go to Dashboard / Network attacks and choose the BL_PORT_HONEYPOT_BADPORT incident type.


Figure: BitNinja dashboard, Network attacks menu (analyzing attack types)


You can set additional details like date range, country, IP address, and server.

Why are attackers scanning these ports?

  • Port 23 (Telnet): A very old service once used for remote access to a server. It is rarely used nowadays, but if an attacker tries a thousand hosts and succeeds only once, he can consider himself lucky, because Telnet logins often hand over root access.
  • Port 445: Like port 23, it is used for remote access, in this case to Windows hosts.
  • Port 1433: Microsoft SQL Server listens on this port.
  • Port 2323: Since it is well known that port 23 is risky, some people try to be "tricky" and run the same Telnet service on port 2323. It is a very lazy solution, and attackers know about it, which is why they usually scan this port too.
  • Port 110: The POP3 service runs on this port. Post Office Protocol (POP) is used for reading email, so an attacker who breaks in through this port gains access to the mailbox.
  • Port 8080: Port 80 serves HTTP and is usually the public frontend, while 8080 is mostly used for backend systems and admin panels. If the password there is weak, attackers can log in easily and gain access to your data.

How can you prevent being hacked because of port scanning?

The most important step is to filter the ports you don't use. For example, if you don't use Telnet, close port 23 and port 2323.

Also, keep the services on the ports you do use up to date, and make sure to use a strong password, not just an admin/admin pair. :)

Our concept is that prevention is always better than fixing a problem afterward. Our Port Honeypot module was created to identify port scans. If you want to read more about how honeypots work, check out our previous article.

Here is a real example of how BitNinja caught a Telnet port scan:
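Before you can filter unused ports you need to know what is actually listening. The Python below is an added example, not BitNinja's code: it parses the output of `ss -tuln`, compares the listeners against an allowlist of ports you intentionally expose, and prints an iptables DROP rule for each one that should not be reachable. The `ss` output shown is constructed for the example (it follows the real column layout, but the listeners on 23 and 2323 are invented), and the allowlist is an assumption.

```python
# Constructed `ss -tuln` output: real column layout, invented listeners.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:2323        0.0.0.0:*
tcp   LISTEN 0      511    [::]:80             [::]:*
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
"""

# Assumed allowlist: (protocol, port) pairs this host is meant to expose
ALLOWED_LISTENERS = {("tcp", 22), ("tcp", 80), ("udp", 68)}


def parse_listeners(ss_output):
    """Return the set of (protocol, port) pairs found in `ss -tuln` output."""
    listeners = set()
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local_addr = fields[0], fields[4]
        # the port follows the last ':' for both IPv4 ("0.0.0.0:22") and IPv6 ("[::]:80")
        port = int(local_addr.rsplit(":", 1)[1])
        listeners.add((proto, port))
    return listeners


def unexpected_listeners(ss_output, allowed=ALLOWED_LISTENERS):
    """Listeners present on the host but absent from the allowlist, sorted."""
    return sorted(parse_listeners(ss_output) - set(allowed))


def drop_rules(unexpected):
    """iptables rules that filter the flagged ports from the network.

    Stopping or uninstalling the unused service is the real fix; filtering
    keeps the port unreachable in the meantime.
    """
    return [f"iptables -A INPUT -p {proto} --dport {port} -j DROP"
            for proto, port in unexpected]


if __name__ == "__main__":
    flagged = unexpected_listeners(SAMPLE_SS_OUTPUT)
    print("Listening but not on the allowlist:", flagged)
    for rule in drop_rules(flagged):
        print(rule)
```

On a live host, replace the constructed string with `subprocess.run(["ss", "-tuln"], capture_output=True, text=True).stdout`; the parser does not change.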


Figure: Telnet port scan captured by BitNinja


If you haven't installed BitNinja on your servers yet, try the Port Honeypot (and all the other modules) with our 7-day free trial.

