<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[Shodan - Shodan Blog]]></title><description><![CDATA[The latest news and developments for Shodan.]]></description><link>https://blog.shodan.io/</link><generator>Ghost 0.7</generator><lastBuildDate>Thu, 09 Apr 2026 23:26:40 GMT</lastBuildDate><atom:link href="https://blog.shodan.io/tag/shodan/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[Trends in Internet Exposure]]></title><description><![CDATA[<blockquote>
  <p><strong>Edit</strong>: The original data for RDP in March, 2020 included IPv6 results whereas the historical analysis only looked at IPv4. I've changed the numbers to reflect the new counts. Tl;dr: we're still seeing growth but significantly less than before.</p>
</blockquote>

<p>More companies are going remote due to COVID-19 and as</p>]]></description><link>https://blog.shodan.io/trends-in-internet-exposure/</link><guid isPermaLink="false">e751b30d-dce7-488c-881a-0144dd1b486c</guid><category><![CDATA[research]]></category><category><![CDATA[Shodan]]></category><dc:creator><![CDATA[John Matherly]]></dc:creator><pubDate>Mon, 30 Mar 2020 00:06:18 GMT</pubDate><media:content url="http://blog.shodan.io/content/images/2020/03/ics-map-2020.png" medium="image"/><content:encoded><![CDATA[<blockquote>
  <img src="http://blog.shodan.io/content/images/2020/03/ics-map-2020.png" alt="Trends in Internet Exposure"><p><strong>Edit</strong>: The original data for RDP in March, 2020 included IPv6 results whereas the historical analysis only looked at IPv4. I've changed the numbers to reflect the new counts. Tl;dr: we're still seeing growth but significantly less than before.</p>
</blockquote>

<p>More companies are going remote due to COVID-19 and as a result there's been a lot of speculation around how this impacts the exposure of companies and the Internet as a whole (in terms of publicly-accessible services). I was actually already working on creating trends for various services due to a presentation I gave late last year so let me share with you some updated charts on how the Internet has evolved over the past few years (up to March 29, 2020).</p>

<h4 id="methodology">Methodology</h4>

<p>Just quickly I'll mention a bit about how the data itself is generated:</p>

<ol>
<li>Shodan infrastructure is globally distributed to prevent being geographically biased  </li>
<li>Crawlers run 24/7 and don't do sweeps of IP ranges the same way a network scanner would  </li>
<li>Crawlers attempt full protocol-specific handshakes to validate that a port is responding. Depending on the protocol Shodan also performs additional steps to validate the response. For example, in the case of RDP the crawlers grab a screenshot, perform OCR on that screenshot and do a variety of basic security checks.</li>
</ol>

<h5 id="timeframe">Timeframe</h5>

<p>Shodan keeps a full history of every IP on the Internet that it's ever seen. We store that archive in a variety of formats and for this purpose I reprocessed our data going back to the beginning of 2017. You can also access that historical data via the <a href="https://help.shodan.io/developer-fundamentals/looking-up-ip-info">API, CLI</a>, or the new <a href="https://beta.shodan.io">beta website</a>.</p>

<h5 id="aggregation">Aggregation</h5>

<p>I binned the results by unique IPs per month for each port/tag. This means that the data is not based on point-in-time scans but rather an aggregate view of the active IPs during a month.</p>

<h4 id="remotedesktop">Remote Desktop</h4>

<p>The Remote Desktop Protocol (RDP) is a common way for Windows users to remotely manage their workstation or server. However, it has a history of security issues and generally shouldn't be publicly accessible without any other protections (e.g. firewall whitelist, 2FA).</p>

<p><img src="https://blog.shodan.io/content/images/2020/04/Shodan---Remote-Desktop-Port.png" alt="Trends in Internet Exposure"></p>

<p>The number of devices exposing RDP to the Internet has grown over the past month which makes sense given how many organizations are moving to remote work.</p>

<p>It's surprising how the number of RDP instances actually went up after the initial Microsoft bulletin on BlueKeep in May 2019. And then it dropped sharply in August once a series of issues were revealed (DejaBlue) that impacted newer versions of RDP.</p>

<p>A common tactic we've seen in the past by IT departments is to put an insecure service on a non-standard port (aka <a href="https://blog.shodan.io/hiding-in-plain-sight/">security by obscurity</a>). To that point, this is what the exposure for RDP looks like on an alternate port (3388) that we've seen organizations use:</p>

<p><img src="https://blog.shodan.io/content/images/2020/04/Shodan---Remote-Desktop-Port--3388-.png" alt="Trends in Internet Exposure"></p>

<p>It follows very similar growth as seen for the standard port (3389). The last thing I wanted to point out is that 8% of the results remain vulnerable to BlueKeep (CVE-2019-0708).</p>

<h4 id="vpns">VPNs</h4>

<p><img src="https://blog.shodan.io/content/images/2020/04/Shodan---VPN-Exposure.png" alt="Trends in Internet Exposure"></p>

<p>The above chart encompasses a few different VPN protocols and ports (IKE, PPTP etc.). VPNs are a secure way to allow remote workers access to your network and it's not surprising to see that number grow as well over the past month.</p>

<h4 id="industrialcontrolsystems">Industrial Control Systems</h4>

<p><img src="https://blog.shodan.io/content/images/2020/04/Shodan---Industrial-Control-Systems.png" alt="Trends in Internet Exposure"></p>

<p>We've observed significant growth in other protocols (HTTPS) but one of the important areas where we've seen a worrying increase in exposure is for industrial control systems (ICS). The growth is not as large as for other protocols but these are ICS protocols that don't have any authentication or security measures. We had actually seen a stagnation in the ICS exposure up until now. And there have been significant advancements in OT security so there are plenty of secure options to choose from.</p>

<p>We're also keeping our <a href="https://exposure.shodan.io">country-wide exposure dashboards</a> up-to-date if you'd like to see breakdowns by country.</p>

<h4 id="conclusion">Conclusion</h4>

<p>I hope the above data provides a more data-driven view of how the exposure of those ports has changed the past few years. There aren't any earth-shattering surprises in the data but it's good to validate what many already assumed. If you're an organization that is concerned with your Internet exposure and wants to keep track of what you have connected to the Internet then please check out our <a href="https://monitor.shodan.io">Shodan Monitor service</a>.</p>]]></content:encoded></item><item><title><![CDATA[Introducing the Shodan Real-Time Stream]]></title><description><![CDATA[<p>Do you want to keep an eye on the latest results coming into Shodan? Want to create your own custom data feeds? Or want to grab a few thousand random web servers for your research? Using the Streaming API from Shodan you can directly subscribe to the raw data feed</p>]]></description><link>https://blog.shodan.io/shodan-real-time-stream/</link><guid isPermaLink="false">05c71efa-c8a3-4183-8c9d-7ef1aa84e136</guid><category><![CDATA[API]]></category><category><![CDATA[Shodan]]></category><category><![CDATA[Firehose]]></category><category><![CDATA[Stream]]></category><category><![CDATA[Developers]]></category><dc:creator><![CDATA[John Matherly]]></dc:creator><pubDate>Thu, 23 Jul 2015 03:12:59 GMT</pubDate><media:content url="http://blog.shodan.io/content/images/2015/07/DsHZk.png" medium="image"/><content:encoded><![CDATA[<img src="http://blog.shodan.io/content/images/2015/07/DsHZk.png" alt="Introducing the Shodan Real-Time Stream"><p>Do you want to keep an eye on the latest results coming into Shodan? Want to create your own custom data feeds? Or want to grab a few thousand random web servers for your research? Using the Streaming API from Shodan you can directly subscribe to the raw data feed from the crawlers! The feed streams between 400-500 banners every second and depending on your API plan you have access to all or a fraction of it. 
And to get started with the stream you don't need any programming knowledge, just install the <a href="https://cli.shodan.io">Shodan command-line tool</a> and you're good to go. I've created a video that highlights some of the basic usage using the <strong>shodan</strong> command. Note that unless you use <strong>--limit</strong> or hit CTRL + C the stream will continue going forever:</p>

<script type="text/javascript" src="https://asciinema.org/a/23809.js" id="asciicast-23809" async></script>

<h4 id="shodanstream">shodan stream</h4>

<p>At the heart is the <strong>stream</strong> command that when run by itself will simply stream all data you have access to and print it to your terminal. It won't store the data anywhere or perform any operations on it. Use this command if you'd like to explore random IPs on the Internet.</p>

<h6 id="ports">--ports</h6>

<p>Often you're only interested in a certain type of service, and for those instances you can narrow down the stream using the <strong>--ports</strong> option. You can provide one port:</p>

<pre><code>shodan stream --ports 23
</code></pre>

<p>Or many ports:</p>

<pre><code>shodan stream --ports 23,1023
</code></pre>

<p>And without any other arguments it will once again just print the results to the terminal.</p>

<h6 id="datadir">--datadir</h6>

<p>Most of the time you also want to store the results so you're not throwing away information. To do so, simply create a directory and supply the <strong>--datadir</strong> option to the streaming command. This will result in the shodan tool storing the results from the stream in a file in the data folder, where the file name is the current date in YYYY-MM-DD.json.gz format:</p>

<pre><code>mkdir shodan-data
shodan stream --datadir shodan-data
</code></pre>

<p>This is useful so you can keep the streaming command running and every day a new file will automatically be created for you. And then you can use the <strong>shodan parse</strong> command to extract the information you care about.</p>

<h6 id="limit">--limit</h6>

<p>Sometimes you want to get a random sample of results. Let's say you'd like to see how many of the most recent 10,000 results are Nginx vs Apache vs Lighttpd etc. You can take periodic samplings to see how those trends change over time using your own computer. To get 10,000 web server results use the <strong>--limit</strong> option to make the stream command exit after it has received the provided number of results:</p>

<pre><code>shodan stream --limit 10000 --ports 80
</code></pre>

<p>The above command would filter the stream for web servers running on port 80 (<strong>--ports 80</strong>) and it would exit after 10,000 results were received (<strong>--limit</strong>).</p>

<p>I use the real-time stream for a lot of my own research and I hope you'll find it useful as well! If you have any thoughts, questions or suggestions please let me know <a href="https://twitter.com/achillean">@achillean</a></p>]]></content:encoded></item></channel></rss>