<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[minecraft - Shodan Blog]]></title><description><![CDATA[The latest news and developments for Shodan.]]></description><link>https://blog.shodan.io/</link><generator>Ghost 0.7</generator><lastBuildDate>Fri, 10 Apr 2026 00:53:39 GMT</lastBuildDate><atom:link href="https://blog.shodan.io/tag/minecraft/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[Measuring the Minecraft Playerbase]]></title><description><![CDATA[<p>For fun I decided to see whether I can figure out how many Minecraft players are online at the moment. And it turns out that it's fairly straight-forward so here's how I did it.</p>

<p>As of now June 1st 2017 at 18:55 there are <strong>96,418</strong> players online on</p>]]></description><link>https://blog.shodan.io/measuring-the-minecraft-playerbase/</link><guid isPermaLink="false">4e4c6565-a24f-42bf-80bb-0c3839c3b87b</guid><category><![CDATA[minecraft]]></category><category><![CDATA[Python]]></category><category><![CDATA[CLI]]></category><dc:creator><![CDATA[John Matherly]]></dc:creator><pubDate>Fri, 02 Jun 2017 00:20:35 GMT</pubDate><media:content url="http://blog.shodan.io/content/images/2017/06/4453115-minecraft-wallpapers.jpg" medium="image"/><content:encoded><![CDATA[<img src="http://blog.shodan.io/content/images/2017/06/4453115-minecraft-wallpapers.jpg" alt="Measuring the Minecraft Playerbase"><p>For fun I decided to see whether I can figure out how many Minecraft players are online at the moment. And it turns out that it's fairly straight-forward so here's how I did it.</p>

<p>As of now, June 1st 2017 at 18:55, there are <strong>96,418</strong> players online on public servers.</p>

<p>To get started I downloaded the latest list of Minecraft servers from Shodan:</p>

<pre><code>shodan download --limit -1 minecraft-servers product:minecraft port:25565
</code></pre>

<p>Now the next task is to parse that list of servers and request the number of players that are currently online. To speed things up, the plan is to perform the requests to the Minecraft servers asynchronously using the <a href="http://www.gevent.org">gevent</a> library in Python. It lets you write code that looks synchronous but actually runs asynchronously, which means you can perform many connections in parallel. This is the usual template I use when grabbing a bunch of data using gevent:</p>

<pre><code>#!/usr/bin/env python
#
# Shodan Async Workers

## Configuration
NUM_WORKERS = 100


# Make the stdlib async. This is where the gevent magic happens
import gevent.monkey
gevent.monkey.patch_all(subprocess=True, sys=True)


from gevent.pool import Pool
from shodan.helpers import iterate_files
from socket import setdefaulttimeout, socket, AF_INET, SOCK_STREAM

setdefaulttimeout(2.0)

def worker(banner):
    # Here's where you do the network stuff
    # Example:
    # con = socket(AF_INET, SOCK_STREAM)
    # con.connect((banner['ip_str'], banner['port']))
    # con.send(b'hello world\n')
    # data = con.recv(5120)
    return True

def main(files):
    pool = Pool(NUM_WORKERS)

    # Loop through the banners in the file(s) and launch a worker
    # for each banner. When the pool is full it will cause the loop to
    # block until a worker finishes and opens up a spot in the pool.
    for banner in iterate_files(files):
        pool.spawn(worker, banner)

    # Wait for the workers to finish up
    pool.join()

    return True


if __name__ == '__main__':
    import sys
    # Exit with status 0 on success (sys.exit(True) would exit with status 1)
    sys.exit(0 if main(sys.argv[1:]) else 1)
</code></pre>

<p>If you're working with Shodan data files I recommend checking out the <strong>shodan.helpers.iterate_files()</strong> method since it'll make it easy for you to access the banners. You can give it either a single file:</p>

<pre><code>for banner in iterate_files('minecraft-data.json.gz'):
    ...
</code></pre>

<p>Or you can provide it a list of files:</p>

<pre><code>for banner in iterate_files(['minecraft-2017-04.json.gz', 'minecraft-2017-05.json.gz']):
    ...
</code></pre>

<p>To get the player count I added a method in the <em>worker()</em> that looks up the Minecraft info based on their <a href="http://wiki.vg/Protocol">current protocol</a> and kicked it off:</p>

<pre><code>$ python global-player-count.py minecraft-data.json.gz
96418
</code></pre>

<p>And that's how I'm now keeping track of how many players are online on Minecraft at any moment!</p>

<p>Note that this method only looks at Minecraft servers running on the default port (25565) and that are publicly-accessible on the Internet.</p>]]></content:encoded></item><item><title><![CDATA[Hiding in Plain Sight]]></title><description><![CDATA[<p>A common reaction I get when talking about devices exposed on the Internet is something like the following:</p>

<p><img src="https://blog.shodan.io/content/images/2015/03/I-found-115-000-Minecraft-servers-on-the-Internet-in-March--here-s-a-breakdown-of-them---Minecraft.png" alt=""></p>

<p>Specifically, the idea that running the service (in this case Minecraft) on a non-standard port is a good way to stay hidden. In security circles this is also known as the concept</p>]]></description><link>https://blog.shodan.io/hiding-in-plain-sight/</link><guid isPermaLink="false">2abb6390-8107-43e6-a3a9-8bdaf111523b</guid><category><![CDATA[research]]></category><category><![CDATA[SSH]]></category><category><![CDATA[minecraft]]></category><dc:creator><![CDATA[John Matherly]]></dc:creator><pubDate>Sun, 29 Mar 2015 06:42:43 GMT</pubDate><media:content url="http://blog.shodan.io/content/images/2015/03/work_in_australia_road.jpg" medium="image"/><content:encoded><![CDATA[<img src="http://blog.shodan.io/content/images/2015/03/work_in_australia_road.jpg" alt="Hiding in Plain Sight"><p>A common reaction I get when talking about devices exposed on the Internet is something like the following:</p>

<p><img src="https://blog.shodan.io/content/images/2015/03/I-found-115-000-Minecraft-servers-on-the-Internet-in-March--here-s-a-breakdown-of-them---Minecraft.png" alt="Hiding in Plain Sight"></p>

<p>Specifically, the idea that running the service (in this case Minecraft) on a non-standard port is a good way to stay hidden. In security circles this is also known as the concept of <strong>security by obscurity</strong>, and it's considered a largely ineffective, deprecated idea. What's worse is that it might give you, the owner of the server/ device, a false sense of security. For example, let's take a look at people <a href="https://www.shodan.io/report/uMZDnWfT">running OpenSSH on a non-standard port</a> (i.e. "product:openssh -port:22"):</p>

<p><img src="https://blog.shodan.io/content/images/2015/03/Non-Standard-SSH-Ports--March-2015---Shodan.png" alt="Hiding in Plain Sight"></p>

<p>The top 10 non-standard ports for <a href="http://www.openssh.com/">OpenSSH</a> are:</p>

<ol>
<li>2222  </li>
<li>5000  </li>
<li>23  </li>
<li>9999  </li>
<li>26  </li>
<li>666  </li>
<li>2323  </li>
<li>5555  </li>
<li>4444  </li>
<li>10001</li>
</ol>

<p>These numbers don't look that random to me... Right away you should realize that your random choice of non-standard port might not be so unique. Port 2222 is popular the same way that HTTP on port 8080 is popular, and it's also the default port for the <a href="https://github.com/desaster/kippo">Kippo honeypot</a>, though I doubt that many people are running honeypots. The next most popular port is 5000, which to me didn't follow the same pattern as the other ports (repeating/ symmetric numbers). And it was around the same time that I realized that Australia was the 2nd most popular country to run OpenSSH on a non-standard port. I decided to take a closer look at Australia, and it turns out that there are nearly the <a href="https://www.shodan.io/search?query=product%3Aopenssh+after%3A01%2F03%2F2015+country%3A%22AU%22">same number of servers running OpenSSH on port 5000 as there are on the default port 22</a>. About 68,000 devices are running on the default port, and 54,000 on port 5000. Since they're running on a non-standard port, Shodan wasn't grabbing the SSH fingerprint or showing more detailed information in the banner, so I checked a few devices manually and they all had the same fingerprint:</p>

<pre><code>5b:a2:5a:9a:91:28:60:9c:92:2b:9e:bb:7f:7c:2e:06
</code></pre>

<p>And I inadvertently stumbled across the same issue as a while ago: <a href="https://blog.shodan.io/duplicate-ssh-keys-everywhere/">Duplicate SSH Keys Everywhere</a>. This time it appears that the Australian ISP <a href="https://en.wikipedia.org/wiki/BigPond">BigPond</a> installs/ configures networking gear that not only runs OpenSSH on port 5000 (most likely for remote management) but also has the same SSH keys installed on all of them. The devices also happen to run an old version of OpenSSH that was released on September 4th 2007. There's no guarantee that running OpenSSH on the default port would've made them more security conscious, but their installation of ~54,000 devices is 25% of the total number of OpenSSH servers on the Internet running version 4.7 (sidenote: the most popular version of OpenSSH is 5.3).</p>

<p>The Minecraft user does mention simple things you can do to improve the security of your device: add a whitelist and change the default credentials. They're easy to do and make a big difference to prevent your device from becoming an easy target!</p>]]></content:encoded></item><item><title><![CDATA[Choose Your Adventure]]></title><description><![CDATA[<p>Shodan crawls a lot of different ports and it's most known for the Internet of Things devices it uncovers, but did you know that Shodan also tracks Minecraft servers? Let's start out by <a href="https://www.shodan.io/report/G8lCz637">seeing which countries most of the Minecraft servers are hosted in and which provider is most popular</a></p>]]></description><link>https://blog.shodan.io/choose-your-adventure/</link><guid isPermaLink="false">b6ec65d1-ed85-42fe-ae17-ded8753f0104</guid><category><![CDATA[research]]></category><category><![CDATA[minecraft]]></category><dc:creator><![CDATA[John Matherly]]></dc:creator><pubDate>Tue, 24 Mar 2015 07:27:36 GMT</pubDate><media:content url="http://blog.shodan.io/content/images/2015/03/33538_minecraft.jpg" medium="image"/><content:encoded><![CDATA[<img src="http://blog.shodan.io/content/images/2015/03/33538_minecraft.jpg" alt="Choose Your Adventure"><p>Shodan crawls a lot of different ports and it's most known for the Internet of Things devices it uncovers, but did you know that Shodan also tracks Minecraft servers? Let's start out by <a href="https://www.shodan.io/report/G8lCz637">seeing which countries most of the Minecraft servers are hosted in and which provider is most popular</a>.</p>

<p><img src="https://blog.shodan.io/content/images/2015/03/Minecraft-Servers--March-2015---Shodan.png" alt="Choose Your Adventure"></p>

<p>There are around 115,000 Minecraft servers on the Internet at the moment running on the default port of 25565. Interestingly, the majority of servers are actually located in Germany. And so it's not a great surprise that the most popular hosting provider for Minecraft is <strong>Link11</strong>. Link11, though, mostly just offers colocation/ datacenter services, but looking at the Minecraft banners from Link11's IP space let me know that the company behind these servers is <strong><a href="https://www.nitrado.net">Nitrado</a></strong>. I hadn't heard of them before, but based on these numbers they're the most popular way to host Minecraft!</p>

<p>Want to find a nearby server with a good ping that supports CraftBukkit 1.7.9? No problem, just search Shodan:</p>

<p><a href="https://www.shodan.io/search?query=port%3A25565+minecraft+after%3A01%2F03%2F2015+craftbukkit+1.7.9">port:25565 minecraft CraftBukkit 1.7.9</a></p>

<p>The banner returns a bunch of cool information that can let us understand how most people set up/ configure their Minecraft server.</p>

<p><img src="https://blog.shodan.io/content/images/2015/03/port-25565-after-01-03-2015---Shodan-Search.png" alt="Choose Your Adventure"></p>

<p>To get started, let's download the data using the <strong>shodan</strong> command-line tool:</p>

<pre><code>shodan download --limit -1 minecraft-data "port:25565 minecraft after:01/03/2015"
</code></pre>

<p>The above command will download all available data on Minecraft servers that were discovered after March 1st, 2015. This means they were recently found and should be representative of what's currently being used. I was curious to see how many players most of the servers support:</p>

<pre><code>shodan parse --fields data minecraft-data.json.gz |  # Grab the data
    sed -e 's/ maximum.*//' -e 's/.* //' |           # Extract the maximum players
    sort |              # Sort the number of max players
    uniq -c |           # Count the occurrences for the max player setting
    sort -rn |          # Sort the resulting breakdown
    head -20            # Get the top 20
</code></pre>

<p>The above command takes the Minecraft data, extracts the number of maximum players that the server supports and then sorts/ counts it a bunch of different ways to get the following data:</p>

<pre><code>  42933 20
  20142 4
  11881 10
   7856 6
   5565 8
   3166 5
   1885 30
   1885 100
   1778 50
   1707 15
   1299 12
   1029 2
    908 40
    728 3
    714 16
    646 24
    600 200
    572 25
    453 32
    421 60
</code></pre>

<p>This means that 42,000 servers allow a maximum of 20 players, which is by far the most popular setting and also happens to <a href="http://minecraft.gamepedia.com/Server.properties">be the default</a>. Second most popular is allowing just 4 players to connect, followed by 10 players. Most of the numbers in the top 20 look reasonable, but there are plenty of outliers:</p>

<ul>
<li>8 servers allowed "-1" number of maximum players - I'm guessing they were trying to say "unlimited", but -1 isn't actually a valid value</li>
<li>4 people allow up to <a href="https://www.shodan.io/search?query=port%3A25565+minecraft+after%3A01%2F03%2F2015+1000000000">1,000,000,000</a>. When the Shodan crawlers connected there weren't any people online, so these aren't the official servers that expect tons of players.</li>
<li>52 servers are <a href="https://www.shodan.io/search?query=port%3A25565+minecraft+after%3A01%2F03%2F2015+1337">1337</a></li>
</ul>

<p>In terms of Minecraft versions, the distribution is as follows:</p>

<pre><code>  22824 1.8
  18829 1.7.10
  15512 1.8.3
  14974 1.8.1
  12177 Spigot 1.8
   7046 CraftBukkit 1.7.9
   3764 Spigot 1.7.10
   3661 CraftBukkit 1.8
   2803 CraftBukkit 1.7.2
   1893 cauldron,craftbukkit,mcpc,fml,forge 1.7.10
</code></pre>

<p>These are the Top 10 Minecraft Versions on the Internet as of March 2015. The most popular server remains vanilla Minecraft version 1.8, followed by a variety of other vanilla versions. In 5th place we have the <a href="http://www.spigotmc.org/">Spigot high performance Minecraft server</a> with a bit more than 12,000 deployments.</p>

<p>I used a slightly modified version of the earlier command to get the breakdown:</p>

<pre><code>shodan parse --fields data minecraft-data.json.gz | \
    sed -e 's/.*Version: //' -e 's/ (.*//' | \
    sort | \
    uniq -c | \
    sort -rn | \
    head -10
</code></pre>

<p>Next time you're looking for a new Minecraft server to visit, give Shodan a try to find what you want :)</p>]]></content:encoded></item></channel></rss>