The internet can be a dark place. There are plenty of bad actors who'd like to take control of your devices to do their dirty work, whether that's DDoS attacks, ransomware, or malicious crypto mining.
Sandvine solutions are deployed across the world, in hundreds of countries, and in almost any kind of network you can think of. What this means is that we have virtually unmatched visibility into what's happening on the internet, and we use this visibility to publish our Global Internet Phenomena Reports.
Recently, we found a very interesting phenomenon across multiple ISPs on different continents. There seemed to be an unusually high number of subscribers with a very small amount of Steam server traffic: 71 bytes of Steam server traffic, to be precise. In some networks, every single subscriber exhibited this behavior. After investigating this across different networks and regions, we arrived at a familiar culprit: port scanners. These servers were sending a 71-byte Steam server initiation to every single IP they could get their hands on.
What makes these port scanners special is the sheer number of subscribers being hit. In certain cases, every single subscriber in a network was being hit, and this was happening in multiple Tier 1 networks in the US, Canada, and Asia.
So, who is behind all of this? Well, we found a handful of servers, most of them located in China (Zhejiang province to be precise). These are known malicious port scanners and Steam isn't the only thing they're scanning.
Here are two such malicious port scanning servers that we identified, but there are more of them out there, and not all of them are in China:
22.214.171.124, Wenzhou, Zhejiang province, China
126.96.36.199, Wenzhou, Zhejiang province, China
Here's a snapshot of some of the applications they're scanning on different ports:
These servers have been doing widespread port scanning since at least November 2018. The most disturbing fact is that they've built up a database of subscriber IPs that runs into the hundreds of millions, and have already collected lots of valuable information about unsuspecting subscribers. It's difficult to predict what they'll do with this data and when, but it is likely that they're already selling this information on the dark web, where it will be used for targeted DDoS attacks, Bitcoin mining attacks, and a variety of other attacks or attempts at infiltrating and taking control of user data, software, and, in some cases, even hardware. The Valve Source Engine query flood is a known attack against gaming servers, and it is just one of the potential attacks such port scanning can enable.
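The observation above (a fixed 71 bytes of Steam traffic reaching almost every subscriber) and the Source Engine query just mentioned can be turned into simple detection logic. The following is an added example, not Sandvine's code: it assumes the probe is the Steam A2S_INFO request, a 25-byte UDP payload that, with IPv4/UDP/Ethernet headers and the frame check sequence, comes to 71 bytes on the wire, and it runs over constructed flow records to flag sources that send that exact probe to many distinct subscriber addresses.

```python
from collections import defaultdict

# A2S_INFO request as documented by Valve: 0xFFFFFFFF, 'T', "Source Engine Query", NUL (25 bytes).
A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"


def wire_size(payload: bytes) -> int:
    """Bytes on the wire for one IPv4/UDP frame on Ethernet, including the 4-byte FCS.
    Assumption: this is how the post's 71-byte figure arises (25 + 8 + 20 + 14 + 4)."""
    return len(payload) + 8 + 20 + 14 + 4


def is_a2s_info_probe(payload: bytes) -> bool:
    """A flow is a Steam server probe only if its payload is exactly the A2S_INFO request."""
    return payload == A2S_INFO


def find_scanners(flows, min_targets: int = 3) -> dict:
    """Return {source_ip: distinct_destinations} for sources that sent the A2S_INFO probe
    to at least `min_targets` distinct hosts. A real player queries a handful of game
    servers; a scanner sweeps whole address ranges, so the distinct-destination count
    separates the two. Each flow record is (src_ip, dst_ip, udp_payload)."""
    targets = defaultdict(set)
    for src, dst, payload in flows:
        if is_a2s_info_probe(payload):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample records (documentation address ranges, not the servers named in the post).
SAMPLE_FLOWS = [
    # One source probing five different subscriber addresses: scanner behaviour.
    ("203.0.113.7", "198.51.100.10", A2S_INFO),
    ("203.0.113.7", "198.51.100.11", A2S_INFO),
    ("203.0.113.7", "198.51.100.12", A2S_INFO),
    ("203.0.113.7", "198.51.100.13", A2S_INFO),
    ("203.0.113.7", "198.51.100.14", A2S_INFO),
    # A subscriber querying a single game server, then exchanging larger traffic with it.
    ("198.51.100.20", "192.0.2.5", A2S_INFO),
    ("198.51.100.20", "192.0.2.5", b"\xff\xff\xff\xff" + b"x" * 200),
    # Unrelated UDP payload to several hosts: not a Steam probe, so not counted.
    ("203.0.113.9", "198.51.100.30", b"\x00\x01hello"),
    ("203.0.113.9", "198.51.100.31", b"\x00\x01hello"),
    ("203.0.113.9", "198.51.100.32", b"\x00\x01hello"),
]

if __name__ == "__main__":
    print("probe wire size:", wire_size(A2S_INFO))   # 71
    print("scanners:", find_scanners(SAMPLE_FLOWS))   # {'203.0.113.7': 5}
```

On real flow or packet data the threshold would be far higher than three and tracked per time window; the point is that the combination of an exact probe signature and fan-out across subscribers is what distinguishes a scanner from a gamer.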
Every ISP knows that port scanners exist, but clearly not enough is being done to prevent or mitigate such widespread attacks. If you wait until a DDoS attack (or any one of the other possible vulnerabilities) actually happens, then you've waited too long.
So, it's time to take action and protect your network and your subscribers. It’s also the time to introspect. Do you know who's out there scanning the internet darkly for information on your subscribers?