A week in the life of a GreyNoise Sensor: It's all about the tags

To ensure we have as much visibility into activity on the internet as possible, we regularly deploy new sensors in different “geographical” network locations. We’ve selected two sensors for a short “week in the life” series to give practitioners a glimpse into what activity new internet nodes see. This series should help organizations understand the opportunistic and random activity that awaits newly deployed services, plus help folks understand just how little time you have to ensure internet-facing systems are made safe and resilient.

We initially took a look at what the sources of "benign" traffic are slinging your way. Today, we're going to look at the opposite end of the spectrum. We stripped away all the benign sources from the same dataset and focused on incoming tagged traffic from malicious or unknown sources. After all, these detection rules are the heart and soul of the GreyNoise platform, and are also what our customers and community members depend upon to keep their organizations safe.

The "not-so-benign" perspective

If we hearken back to our previous episode, it took over an hour for even the best-of-the-best of the "benigns" to discover our freshly deployed nodes. This makes sense, since there aren't too many legitimate organizations conducting scans, and they do not have infinite resources. Sure, they could likely spare some change to scan more frequently, but they really don't need to.

In contrast, we tagged 8,697 incoming IP addresses in that first week, and the first packet of possible ill-intent appeared ten seconds after the nodes were fully armed and operational. However, the first tagged event — RDP Alternative Port Crawler — was seen three hours later. The difference between those two events lies in one of our core promises: our tags are 100% reliable. We don't just take every IP address hitting our unannounced sensor nodes and shove it into a list of indicators of compromise (IoCs).

Tagged Malicious Traffic Started Coming In As Soon As The Sensors Were Functional

217,852 total malicious/unknown events encountered during the ~7.8 day sampling period.

The above chart is the raw, non-benign connection data to those sensors for that week. You're likely wondering what those spikes are. We did to!

Let's look at some summary data by tallies of:

  • autonomous system organization (aso) — the name of the network the connections came from
  • geolocated country
  • destination port
  • source IPv4
  • total connections

The Four Largest "Spike" Hours Had Mostly Similar Characteristics

The August 28th malicious traffic spike (for an hour) focused mainly on SMB exploits, and originated from the "Data Communication Business Group" autonomous system in Taiwan. It is odd that we saw so little other activity, and that the port volume was an order of magnitude less. There are any number of reasons for this. Given where these sensors are (which we're not disclosing), it could have been a day of deliberate country network isolation. Or, it could just mean that the botnet herders were super-focused on SMB.

Over the course of those seven days, non-benign nodes hit over thirteen-thousand ports, and you can likely guess which ones made the top of the list.

We Saw The Usual Suspects Rise To The Top Of 13,576 Ports

Port numbers associated with Telnet, RDP, SSH, and SMB were, by far, the most common.

Since we called out one autonomous system, we should be fair and call them all out.

If You've Ever Stared At An IPv4 IoC List, You Definitely Recognize These Folks

These are very common autonomous systems to see in malicious attack logs. What should concern you, however, is that "high reputation" sources such as Linode, OVH SAS, Google LLC, and Microsoft Corporation are all in the visible treemap cells. Even if you don't consider them as high reputation sources, you cannot permanently block communication to/from them. These are all hosting providers, and we see other hosting providers with decent IP reputation also hosting malicious traffic sources. The hourly updated nature of our API-downloadable block lists, combined with the scheduled roll off of IP addresses when they stop sporting malicious activity after a while, means you can make your organization safe from these IPs while they are trying to do harm.

It's all about the tags

What you, and we, truly care about is the tagged, non-benign traffic.

The Tagged Traffic Distribution Takes A Familiar Shape

Of the 115 identified tags, those associated with RDP, SMB, and MS SQL attacks topped the list, along with scrapers looking for useful information. If you still haven't removed RDP from your perimeter, please stop reading and take the opportunity to do so now.

Head on over to the Observable notebook that houses all these charts and data for a more interactive version of the chart and data tables.

You can see the aforementioned yellow SMBv1 Crawler August 28th spike right after "12 PM".

Key Takeaways

When you deploy a new internet-facing system, you have only seconds until unwanted traffic comes knocking on your door. After that, there's a constant drumbeat, and sometimes even an entire off-key orchestra, of unsought after:

  • benign traffic attempting to maintain an inventory of internet-connected devices and services;
  • malicious traffic with a laundry list of goals to achieve; and,
  • unknown traffic that could be something we and the rest of the cybersecurity community have not yet identified as malicious, but is definitely something your apps and other services might not be able to handle.

You can sign up for a GreyNoise account to start exploring the tags and networks identified in this post, and check out some of our freshly minted new features such as IP Similarity — which lets you hunt for bad actors exhibiting behavior similar to ones we've tagged — and, IP Timeline — where you can see what sources have been up to, and how their behavior has changed over time.