Which are the most scanned ports?

What is a port?

Ever since computers are able to run more programs at the same time and can connect to modern networks, ports became important.

3 things are needed for the communication between two machines:

  • IP address of the host
  • Port number
  • Type of protocol (e.g. TCP, UDP)

A port number is a 16-bit number between 0 and 65535. There are some specific ports which identify some exact services, e.g. port 80 is used for HTTP communication.

Types of ports:

  • Well Known Ports: 0 – 1023
  • Registered Ports: 1024 – 49151
  • Dynamic/Private : 49152 – 65535

What is port scanning and what is it used for?

If we send a request to a port, we can get 3 types of results:

  • Open/Accepted: Reply from the host → a service is listening on that port
  • Closed/Denied/Not Listening: Reply from the host → connection is denied
  • Filtered/Dropped/Blocked: No reply from the host

The aim of the port scanning is to find open ports by sending requests to one or more ports. With this technique, administrators can check their network’s security policies. But it can be used for malicious purposes as well, that’s why this is one of the best „toys” of the hackers.

If they can find an open port, that makes it very easy for them to exploit the vulnerabilities of that service.

It’s like when a burglar wants to break into a house. What will s/he do first? Go around the house to check if there are any open windows or doors. If he finds one, of course, he’ll go into the house there and won’t try to open a closed door. Once he is inside, he can steal whatever he wants.

So port scanning means shortly: find the weakest point on the system.

Types of port scanning

  • Vanilla: Connecting to all ports (0-65535)
  • Strobe: Connecting to only some ports (under 20 selected ports)
  • Stealth Scan: Avoid logging the scan attempt
  • FTP Bounce Scan: Disguise the cracker’s location on a File Transfer Protocol server
  • Fragmented Packets: It sends packet fragments in order to check whether it can bypass simple packet filters in the firewall
  • UDP Scan: Port scanning on User Datagram Protocol ports
  • Port sweeping: Scanning only 1 port on more computers

Most scanned ports

Since the 1.18.8. agent version of BitNinja, we log which port has been scanned.

According to our statistics* the Top5 scanned ports are the following:

Rank Port number Rate
1. 23 73,11%
2. 445 16,73%
3. 1433 3,05%
4. 2323 1,75%
5. 110 0,97%

*Between 2017.11.22. and 2017.12.19.

Let’s visualize the data:

As you can see, the 23 Telnet port is the leader of this „competition”. BitNinja detected more than 5 million port scan attempts on it in only 1 week (2017.12.12-2017.12.19).

It shows us that the most port scans are coming from Japan. If you’d like to find out more about the port scan attacks on your server, go to the Dashboard / Network attacks and choose the BL_PORT_HONEYPOT_BADPORT incident type.

You can set additional details like date range, country, IP address, and server.

Why are attackers scanning these ports?

  • Port 23 (Telnet): This is a very old service which was used to remotely access a server. Nowadays it’s very rarely used but if a hacker tries a thousand times and succeeds only once, he can consider himself lucky, because he may gain root access.
  • Port 445: Same as port 23, it’s used for remote access on Windows hosts.
  • Port 1433: Microsoft SQL Server database uses this port.
  • Port 2323: As it’s well-known that port 23 is very vulnerable, some people try to be „tricky” and use port 2323 for the same purpose as port 23. It’s a very lazy solution and hackers know about this, that’s why they usually scan this port too.
  • Port 110: POP3 service is running on this port. Post Office Protocol (POP) is used for reading emails, so if hackers can break in to this port, they can have access to the emails.
  • Port 8080: port 80 is used for HTTP connections and usually it’s used as the frontend, while 8080 is mostly used for backend systems and admin panels. If your password is weak here, hackers will be able to login easily and gain access to your data.

How can you prevent being hacked because of port scanning?

The most important is to filter those ports which you don’t use. For example, if you don’t use Telnet, you can close the port 23 and port 2323.

Also, keep the services up-to-date on those ports that you actually use, and make sure to use a secure password, not just an admin-admin pair. 🙂

Our concept is that prevention is always better than fixing a problem afterward. Our Port Honeypot module is created to identify port scans. If you want to read more about how honeypots work, check out our previous article.

Here is a real example how BitNinja caught a Telnet port scanning:

If you haven’t installed BitNinja on your servers yet, let’s try the Port Honeypot (and all the other modules) with our 7-day free trial.

Got a question or feedback? Tell us under the article!