Data packets travel to and from numbered network ports associated with particular IP addresses and endpoints, using the TCP or UDP transport layer protocols. All ports are potentially at risk of attack. No port is natively secure.
“Each port and underlying service has its risks. The risk comes from the version of the service, whether someone has configured it correctly, and, if there are passwords for the service, whether these are strong? There are many more factors that determine whether a port or service is safe,” explains Kurt Muhl, lead security consultant at RedTeam Security. Other factors include whether the port is simply one that attackers have selected to slip their attacks and malware through and whether you leave the port open.
CSO examines risky network ports based on related applications, vulnerabilities, and attacks, providing approaches to protect the enterprise from malicious hackers who misuse these openings.
What makes these ports risky?
There is a total of 65,535 TCP ports and another 65,535 UDP ports; we’ll look at some of the diciest ones. TCP port 21 connects FTP servers to the internet. FTP servers carry numerous vulnerabilities such as anonymous authentication capabilities, directory traversals, and cross-site scripting, making port 21 an ideal target.
While some vulnerable services have continuing utility, legacy services such as Telnet on TCP port 23 were fundamentally unsafe from the start. Though its bandwidth is tiny at a few bytes at a time, Telnet sends data completely unmasked in clear text. “Attackers can listen in, watch for credentials, inject commands via [man-in-the-middle] attacks, and ultimately perform Remote Code Executions (RCE),” says Austin Norby, computer scientist at the U.S. Department of Defense (comments are his own and don’t represent the views of any employer).
While some network ports make good entry points for attackers, others make good escape routes. TCP/UDP port 53 for DNS offers an exit strategy. Once criminal hackers inside the network have their prize, all they need to do to get it out the door is use readily available software that turns data into DNS traffic. “DNS is rarely monitored and even more rarely filtered,” says Norby. Once the attackers safely escort the data beyond the enterprise, they simply send it through their DNS server, which they have uniquely designed to translate it back into its original form.
The more commonly used a port is, the easier it can be to sneak attacks in with all the other packets. TCP port 80 for HTTP supports the web traffic that web browsers receive. According to Norby, attacks on web clients that travel over port 80 include SQL injections, cross-site request forgeries, cross-site scripting, and buffer overruns.
Sign up for CIO Asia eNewsletters.