Sensor Intel Series: Top CVEs in August 2022 | F5 Labs
- by nlqip
August Port Scan Data
F5 Labs also analyzes data for TCP ports other than 80 and 443 from the Efflux network. The top 10 ports for August 2022 follow patterns we’ve been seeing for years, with port 5900 (VNC) topping the list, followed by a collection of ports used mainly for remote access (SSH, Telnet, FTP, RDP) and some database- and mail-related ports as well. This month, SMB dropped out of the top ten (but was still at #13) and POP3 made an appearance, up from #16 the month prior.
| Port | % of total connections | Typical Application |
| --- | --- | --- |
| 5900 | 26.1% | VNC |
| 3306 | 15.1% | MySQL/MariaDB |
| 23 | 13.2% | Telnet |
| 80 | 10.3% | HTTP |
| 21 | 10.0% | FTP |
| 22 | 6.9% | SSH |
| 443 | 4.3% | HTTPS/TLS |
| 110 | 3.1% | POP3 |
| 1080 | 2.0% | SOCKS Proxy |
| 3389 | 1.0% | RDP |
Table 2. Port targeting data for August 2022.
Conclusions
Many of the trends that this scanning traffic represents are unsurprising. Attackers’ emphasis on remote code execution vulnerabilities, for instance, is predictable given the options that a successful exploit provides them. The continuing interest in IoT vulnerabilities means that we should echo the prediction we made about July attacker trends, which is that attackers are building up infrastructure for future DDoS attacks.
Finally, an examination of Figure 2 makes it clear that attacker interest is dynamic and unpredictable. There are too many variables at play, many of them hidden from view, for us to be able to predict with any confidence that a given vulnerability will become popular. The surge in scanning for CVE-2020-8958 is a great example: both in terms of rank and traffic volume, it was insignificant until it spiked in July. In the absence of any way to make specific predictions, timely reporting of observed events is probably as good as we are going to get. And with that slightly self-serving observation, we’ll sign off until next month.