LZR: Identifying Unexpected Internet Services - Archive ouverte HAL Access content directly
Conference Papers Year : 2021

LZR: Identifying Unexpected Internet Services

(1) , (2, 3) , (1)
1
2
3

Abstract

Internet-wide scanning is a commonly used research technique that has helped uncover real-world attacks, find cryptographic weaknesses, and understand both operator and miscreant behavior. Studies that employ scanning have largely assumed that services are hosted on their IANA-assigned ports, overlooking the study of services on unusual ports. In this work, we investigate where Internet services are deployed in practice and evaluate the security posture of services on unexpected ports. We show protocol deployment is more diffuse than previously believed and that protocols run on many additional ports beyond their primary IANA-assigned port. For example, only 3% of HTTP and 6% of TLS services run on ports 80 and 443, respectively. Services on non-standard ports are more likely to be insecure, which results in studies dramatically underestimating the security posture of Internet hosts. Building on our observations, we introduce LZR ("Laser"), a system that identifies 99% of identifiable unexpected services in five handshakes and dramatically reduces the time needed to perform application-layer scans on ports with few responsive expected services (e.g., 5500% speedup on 27017/MongoDB). We conclude with recommendations for future studies.
Fichier principal
Vignette du fichier
lzr.pdf (1.1 Mo) Télécharger le fichier
Origin : Files produced by the author(s)

Dates and versions

hal-03143737 , version 1 (17-02-2021)

Identifiers

  • HAL Id : hal-03143737 , version 1

Cite

Liz Izhikevich, Renata Teixeira, Zakir Durumeric. LZR: Identifying Unexpected Internet Services. USENIX Security 2021 - 30th USENIX Security Symposium, Aug 2021, Vancouver / Virtual, Canada. ⟨hal-03143737⟩
100 View
142 Download

Share

Gmail Facebook Twitter LinkedIn More