Skip to Main content Skip to Navigation
Conference papers

LZR: Identifying Unexpected Internet Services

Abstract : Internet-wide scanning is a commonly used research technique that has helped uncover real-world attacks, find cryptographic weaknesses, and understand both operator and miscreant behavior. Studies that employ scanning have largely assumed that services are hosted on their IANA-assigned ports, overlooking the study of services on unusual ports. In this work, we investigate where Internet services are deployed in practice and evaluate the security posture of services on unexpected ports. We show protocol deployment is more diffuse than previously believed and that protocols run on many additional ports beyond their primary IANA-assigned port. For example, only 3% of HTTP and 6% of TLS services run on ports 80 and 443, respectively. Services on non-standard ports are more likely to be insecure, which results in studies dramatically underestimating the security posture of Internet hosts. Building on our observations, we introduce LZR ("Laser"), a system that identifies 99% of identifiable unexpected services in five handshakes and dramatically reduces the time needed to perform application-layer scans on ports with few responsive expected services (e.g., 5500% speedup on 27017/MongoDB). We conclude with recommendations for future studies.
Document type :
Conference papers
Complete list of metadata
Contributor : Renata Teixeira Connect in order to contact the contributor
Submitted on : Wednesday, February 17, 2021 - 2:09:16 AM
Last modification on : Friday, January 21, 2022 - 3:16:41 AM
Long-term archiving on: : Tuesday, May 18, 2021 - 6:19:22 PM


Files produced by the author(s)


  • HAL Id : hal-03143737, version 1


Liz Izhikevich, Renata Teixeira, Zakir Durumeric. LZR: Identifying Unexpected Internet Services. USENIX Security 2021 - 30th USENIX Security Symposium, Aug 2021, Vancouver / Virtual, Canada. ⟨hal-03143737⟩



Les métriques sont temporairement indisponibles