Today, I’m happy to announce that Rapid7 has released our third annual National Exposure Index (NEI), a state of the internet report focusing on where in the world the most exposure is presented on the internet. I’m pretty pleased with how this year’s NEI turned out, primarily thanks to some overhauling we’ve done on the scoring algorithm that ranks countries. In fact, let’s get into that now.
What the National Exposure Index Measures
With a few exceptions, NEI is largely a port scan of the whole internet, and by marrying this data with geolocation data, we can measure both overall exposure and exposure at a national level. Of course, “exposure” can be a tricky concept to try to quantify, just like “security” or “trust.” Basically, we measure three areas of exposure: exposure to likely attack, exposure to pervasive monitoring, and exposure to amplification abuse.
Attack exposure is captured by quantifying those TCP/IP services that are offered on the internet, but oughtn’t be. These are services that you might normally expect to see, at worst, on a lightly controlled LAN segment, like Windows SMB, Remote Desktop Protocol, or HP JetDirect. New this year, we also look for seven common database ports: MySQL, PostgreSQL, Oracle DB, Microsoft SQL Server, Redis, IBM DB2, and Mongo. Detecting these protocols on an external pentest would be a headline finding for that engagement. These are services that are sometimes okay for a trusted internal user to use, but are never okay for random strangers on the internet to even attempt to use. Databases and SMB, in particular, are especially dangerous.
Pervasive monitoring exposure is closely related to the presence of cleartext protocols, like the unencrypted, legacy protocols such as telnet, FTP, IMAPv4, and the like. SIP on UDP port 5060 also lands in this bucket, since we found that it’s quite common to find this cleartext protocol heavily exposed in some countries, but not others. While not as immediately dangerous as the abusable protocols discussed above, these are nevertheless attractive protocols to man-in-the-middle (MitM) attacks or to even merely watch passively, since without modern encryption, there is no way to assert that any communications over these protocols are private or secure from alteration.
This year we introduce a third exposure metric to the National Exposure Index: amplification exposure. On the heels of the memcached amplified DDoS, we added a set of UDP protocols to scan for, many of which could be abused as intermediary DDoS tools. These protocols include memcached (of course), SSDP, and chargen, among others.
Other Ranking Changes
In addition to adding a slew more protocols (both TCP and UDP), we’ve also overhauled how the ranking algorithm works. It’s more completely described in the paper, but essentially, we have a more sensible model that allows us to filter out weirdly behaving nodes that are almost certainly not normal endpoints.
Prior versions of the NEI ranking algorithm only cared about the percentage of exposed services versus the total IPv4 space of a given country. In 2016, we looked at the ratio of exposed services in relation to a country’s total IPv4 allocation, and in 2017, the ratio counted the total observed IPv4 utilization. In either case, this meant that countries with smaller absolute populations of exposed servers out of a smaller IPv4 possible space would score much higher than countries with millions of exposed servers and huge IPv4 allocations. While this approach makes sense for some kinds of analysis—namely, to determine how exposed a given country is in isolation—it wasn’t a great way to compare countries with wildly diverse IPv4 address spaces.
Today (and going forward) we calculate ranking by including not only a percentage of exposed services, but also consider the total, absolute numbers of exposed services. This means that even if a country that has only a thousand computers, and 100% of them are exposing old versions of SMB, that country won’t score as high in the exposure rankings as a country with a million computers where only 10% are exposing SMB. After all, this larger country has a hundred thousand exposed services. When you compare that against a mere thousand identically exposed computers, it’s likely that the country with a million total IPv4 servers has a lot more riding on the overall security and stability of the internet; more people and more dollars are at stake, and thus, the exposure matters more.
While the primary goal of this report is to explore and report on internet exposure, we frame these findings in terms of the nations most affected by exposure. We do this for a couple reasons; one, once we know where the most egregious pockets of exposure are, we can actually start talking to the technical and political leadership in those countries and help mitigate against these exposures.
Get the Report
Interested? If so, head on over to www.rapid7.com/national-exposure and score a copy of the report. It’s free, and offers buckets and buckets of analysis on these concepts of internet exposure. We also have an interactive global map that you can play around with to get a sense of national exposure in regions of the world that are important to you. As always, we’re also releasing the data that went into this report in order to enable other researchers to take a new and fresh look at the data. We’re always interested in collaborating on this, so drop us a line at email@example.com if you find anything in there that we didn’t cover directly in the report text.