Commonly Attacked Ports, Protocols & Malicious IPs
This page walks through the ports and protocols that attackers target most often, and where to find current lists of malicious IP addresses to watch for.
Commonly Attacked Ports
Ports 20 and 21 (FTP)
These are the File Transfer Protocol (FTP) ports: 21 carries the control channel (commands and logins) and 20 is the server side of active-mode data connections. Together they let users send and receive files from servers.
FTP is an old protocol that sends commands, credentials and file contents in cleartext. As such, attackers frequently go after it through:
- Brute-forcing passwords
- Anonymous authentication (many servers accept a login with the username "anonymous" and any string, conventionally an e-mail address, as the password, exposing whatever the anonymous account is allowed to read or write)
- Sniffing credentials and data off the wire, since nothing is encrypted unless FTPS or SFTP is used instead
- Directory traversal attacks against the server's path handling
Port 22 (SSH)
Port 22 is Secure Shell (SSH), the TCP port for encrypted remote login and command execution on servers. Attackers target it with leaked or stolen SSH keys and by brute-forcing passwords, so exposed SSH with password authentication enabled is a constant target.
Port 23 (Telnet)
Port 23 carries Telnet, a TCP protocol for remote terminal sessions. It has largely been superseded by SSH but survives on legacy systems and on many network appliances and embedded devices. Because Telnet transmits everything, passwords included, in cleartext, it is exposed to credential sniffing, spoofing and credential brute-forcing.
Port 25 (SMTP)
Port 25 is the Simple Mail Transfer Protocol (SMTP) port used to send and receive mail between servers. Without proper configuration and protection, for example when the server acts as an open relay or performs no sender validation, this TCP port is abused for sender spoofing and spam.
Port 53 (DNS)
Port 53 is Domain Name System (DNS). Queries normally travel over UDP, while zone transfers and large responses use TCP. Open resolvers on this port are abused as reflectors in DNS amplification DDoS attacks (a small spoofed query produces a much larger response aimed at the victim), and misconfigured authoritative servers leak their whole zone to anyone who requests a transfer.
Ports 80, 443, 8080 and 8443 (HTTP and HTTPS)
HTTP and HTTPS are the most widely used protocols on the internet, so they are the most frequently attacked; 8080 and 8443 are the usual alternate ports for proxies and administrative consoles. The web applications behind these ports are especially exposed to cross-site scripting, SQL injection, cross-site request forgery and DDoS attacks.
Ports 1433, 1434 and 3306 (Databases)
These are the default ports for Microsoft SQL Server (1433 TCP for the database engine, 1434 UDP for the SQL Server Browser service) and MySQL (3306). Attackers probe them for databases reachable from the internet with default or weak credentials and exploitable default configurations; a compromised database host is then used to stage malware or as a node in DDoS attacks.
Port 3389 (Remote Desktop)
Port 3389 is Remote Desktop Protocol (RDP). Attackers probe it for weak or leaked credentials and exploit vulnerabilities in the RDP service itself; BlueKeep (CVE-2019-0708), a pre-authentication remote code execution flaw, is one example. Exposed RDP is among the most common initial access vectors today, particularly for ransomware.
Malicious IP addresses
Examples are taken from Project Honey Pot (https://www.projecthoneypot.org/list_of_ips.php), which publishes a list of IP addresses observed misbehaving against its honeypots (harvesting e-mail addresses, sending spam, dictionary attacks). Each entry shows the country of origin, and clicking an address opens a page explaining why that address is considered malicious or suspicious.
(Table of example addresses from that list not reproduced here.)
Malicious IP addresses never stay the same; attackers rotate infrastructure constantly, so treat any static list as a snapshot and block on reputation feeds rather than hard-coded addresses. Check the link above for the latest entries; the list is updated once every two weeks.
Commonly Attacked Protocols
SSH (Secure Shell):
SSH, or Secure Shell, is used for secure remote login and command execution on servers and network devices. It is targeted constantly by attackers who brute-force passwords or exploit vulnerabilities in the server software to gain unauthorized access, because a successful login hands them an administrative foothold: from there they can execute commands, steal data or pivot to other parts of the network. Weak passwords, outdated software and lax configuration (password authentication left enabled, root login permitted) make this worse, so SSH should be a priority when hardening any network.
FTP (File Transfer Protocol):
FTP, or File Transfer Protocol, transfers files between a client and a server over a network. Attackers target it to steal credentials, intercept data and exploit vulnerabilities in the protocol or in server software. The protocol transmits everything, login credentials included, in plaintext, so anyone on the network path can sniff or tamper with a session (man-in-the-middle). Many FTP servers also rely on weak authentication (anonymous access, default accounts) and poor security configuration, which makes them an easy way in for attackers after sensitive information; FTPS or SFTP should replace plain FTP wherever possible.
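The anonymous-login check described in the FTP sections above, written out as an added example that is not part of the original page. It uses Python's ftplib as the client and a tiny constructed FTP server (USER, PASS and QUIT only) so the whole exchange runs offline on the loopback address; the toy server also records every line it receives, which shows the username and password arriving in cleartext exactly as a sniffer on the path would see them. The server behaviour, port selection and the `anonymous@example.com` password are assumptions for the demo; point `check_anonymous_ftp` at a real host only where you are authorised to test.

```python
"""Anonymous FTP login check plus a toy FTP server to run it against (added example)."""
import ftplib
import socketserver
import threading


class _ToyFtpHandler(socketserver.StreamRequestHandler):
    """Minimal FTP control channel: USER, PASS, QUIT. Constructed for the demo only."""

    def handle(self):
        self.wfile.write(b"220 toy-ftp ready\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                break
            cmd, _, arg = line.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            # Everything on port 21 arrives in cleartext, the password included.
            self.server.wire_log.append(f"{cmd} {arg}".rstrip())
            if cmd == "USER":
                user = arg
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == "PASS":
                if user == "anonymous" and self.server.allow_anonymous:
                    self.wfile.write(b"230 Anonymous login ok\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                break
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


class ToyFtpServer(socketserver.ThreadingTCPServer):
    daemon_threads = True
    allow_reuse_address = True

    def __init__(self, allow_anonymous):
        # Port 0 lets the OS pick a free loopback port for the demo.
        super().__init__(("127.0.0.1", 0), _ToyFtpHandler)
        self.allow_anonymous = allow_anonymous
        self.wire_log = []

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self.server_address[1]

    def stop(self):
        self.shutdown()
        self.server_close()


def check_anonymous_ftp(host, port, timeout=5.0):
    """Return True if host:port accepts an anonymous FTP login, False if it refuses it."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        # ftplib sends "USER anonymous" then "PASS <password>"; 230 = logged in, 530 = refused.
        ftp.login("anonymous", "anonymous@example.com")
        return True
    except ftplib.error_perm:
        return False
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()


def demo():
    """Run the check against one server that allows anonymous login and one that does not."""
    results = {}
    for allow in (True, False):
        srv = ToyFtpServer(allow_anonymous=allow)
        port = srv.start()
        try:
            results[allow] = (check_anonymous_ftp("127.0.0.1", port), list(srv.wire_log))
        finally:
            srv.stop()
    return results


if __name__ == "__main__":
    for allow, (accepted, log) in demo().items():
        print(f"server allows anonymous={allow}: accepted={accepted}; on the wire: {log}")
```

A 230 reply means the server is open to anyone; what that exposes depends on the permissions of the anonymous account, so the next step in an assessment is listing what it can read and whether it can write.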
RDP (Remote Desktop Protocol):
RDP, or Remote Desktop Protocol, provides remote access to Windows desktops and servers, letting a user control a machine over the network as if sitting in front of it. That makes it a prime target: attackers brute-force credentials, exploit vulnerabilities in the RDP service, or log in with stolen credentials. Full interactive control of the remote system is then used to deploy malware or ransomware and to exfiltrate data. Misconfigured RDP (exposed directly to the internet, Network Level Authentication disabled) and the absence of strong authentication such as MFA increase the risk, so RDP should be reachable only through a VPN or gateway and protected with strong, monitored authentication.
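The brute-force pattern described for SSH (port 22 and the SSH section) and for RDP (port 3389 and the RDP section) is the same: a burst of failed logons from one source, and the case that matters most is a success from that source right after the burst. Below is an added example, not code from the original page, of a detector that runs over both sshd syslog lines and a CSV export of Windows Security events (4625 failed logon, 4624 success, LogonType 10 being RDP). The log lines are constructed, the CSV column layout is an assumption, and sshd lines carry no year so one is assumed. It deliberately includes a low-and-slow source whose failures are spread too thinly to cross the window, which is the known blind spot of this kind of threshold rule.

```python
"""Failed-logon burst detector for sshd and Windows RDP events (added example)."""
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    ts: datetime
    source_ip: str
    user: str
    success: bool
    service: str  # "ssh" or "rdp"


# Constructed sshd lines in syslog format (syslog omits the year, so parse_sshd assumes one).
SSHD_LOG = """\
Mar  3 10:15:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:15:02 bastion sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Mar  3 10:15:03 bastion sshd[2205]: Failed password for root from 198.51.100.7 port 51026 ssh2
Mar  3 10:15:04 bastion sshd[2207]: Failed password for root from 198.51.100.7 port 51028 ssh2
Mar  3 10:15:05 bastion sshd[2209]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:15:09 bastion sshd[2211]: Accepted password for root from 198.51.100.7 port 51032 ssh2
Mar  3 10:20:00 bastion sshd[2300]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Mar  3 10:20:30 bastion sshd[2302]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
Mar  3 10:40:00 bastion sshd[2400]: Failed password for root from 198.51.100.200 port 50000 ssh2
Mar  3 10:42:00 bastion sshd[2402]: Failed password for root from 198.51.100.200 port 50002 ssh2
Mar  3 10:44:00 bastion sshd[2404]: Failed password for root from 198.51.100.200 port 50004 ssh2
Mar  3 10:46:00 bastion sshd[2406]: Failed password for root from 198.51.100.200 port 50006 ssh2
Mar  3 10:48:00 bastion sshd[2408]: Failed password for root from 198.51.100.200 port 50008 ssh2
"""

# Constructed CSV export of Windows Security events (assumed column layout). EventID 4625 is a
# failed logon, 4624 a success; LogonType 10 is RemoteInteractive (RDP), 3 a network logon.
WIN_LOG = """\
EventID,TimeCreated,TargetUserName,IpAddress,LogonType
4625,2024-03-03T10:30:00,administrator,192.0.2.55,10
4625,2024-03-03T10:30:01,administrator,192.0.2.55,10
4625,2024-03-03T10:30:02,administrator,192.0.2.55,10
4625,2024-03-03T10:30:03,admin,192.0.2.55,10
4625,2024-03-03T10:30:04,administrator,192.0.2.55,10
4624,2024-03-03T10:31:00,administrator,192.0.2.55,10
4625,2024-03-03T12:00:00,bob,192.0.2.80,3
4625,2024-03-03T12:00:01,bob,192.0.2.80,3
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(text, year=2024):
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(AuthEvent(ts, m["ip"], m["user"], m["result"] == "Accepted", "ssh"))
    return events


def parse_windows_csv(text):
    events = []
    for line in text.splitlines():
        if not line[:1].isdigit():  # skip header and blank lines
            continue
        event_id, ts, user, ip, logon_type = line.split(",")
        if logon_type != "10":  # keep RemoteInteractive (RDP) logons only
            continue
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, user, event_id == "4624", "rdp"))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (source_ip, service) pairs with >= threshold failures inside `window`, and record
    whether the same source logged in successfully afterwards."""
    recent = defaultdict(deque)  # key -> (ts, user) of failures still inside the window
    total = Counter()
    findings = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.source_ip, e.service)
        if e.success:
            if key in findings:  # success from a source that already tripped the threshold
                findings[key]["success_after_burst"] = True
                findings[key]["compromised_user"] = e.user
            continue
        total[key] += 1
        q = recent[key]
        q.append((e.ts, e.user))
        while e.ts - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold or key in findings:
            f = findings.setdefault(key, {"failures": 0, "users": set(),
                                          "success_after_burst": False, "compromised_user": None})
            f["failures"] = total[key]
            f["users"].update(u for _, u in q)
    return findings


def demo_findings():
    return detect_bruteforce(parse_sshd(SSHD_LOG) + parse_windows_csv(WIN_LOG))


if __name__ == "__main__":
    for (ip, service), f in demo_findings().items():
        print(f"{service} brute force from {ip}: {f['failures']} failures, users {sorted(f['users'])}, "
              f"success after burst: {f['success_after_burst']} ({f['compromised_user']})")
```

On the sample data the two sources that fail five times within seconds and then log in are flagged with the account they got into; alice's single failure followed by a key-based login is normal behaviour and is not flagged. The source at 198.51.100.200 also fails five times but spaces the attempts two minutes apart, so it never has five failures inside the 60 second window: a rate-based rule alone will not catch password spraying or low-and-slow guessing, which needs a longer window or a per-account view across many sources.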