Internet Host Behavior Statistics by Port

By Doctor Electron

Internet hosts may be characterized to establish baseline behavior. Responses to ICMP echo requests (pings) and to TCP connection requests to eleven host ports [RFC 1700] commonly used by internet servers are presented in Table 1.

Table 1: Internet Host Response Rates by Port

Legend: Each row represents a different random sample of internet hosts. TCP, established TCP connections (excluding the ICMP sample). CR, connection refused responses [2]. DNS, percent of TCP connections with DNS name obtained by reverse DNS lookup. Read, percent of TCP connections sending data after the lab sent appropriate prompts, where necessary. se, standard error of the percents (TCP, CR, DNS, Read). For the TCP port rows, color coding within columns indicates ports or groups of ports showing statistically significant differences according to two-sample t tests. The lab recently started to log these data, so sample sizes are rather small: TCP (and ICMP), n = 4,053,557; CR, n = 1,271,760; DNS and Read, n = 2,349,914.

Each row of the Table represents a separate sample of hosts, selected by randomly generating IP addresses in the range 1.0.0.1 to 219.255.255.254, excluding the local host block (127.x.y.z), as described in detail previously [1, 2].

Results

The ICMP echo reply response rate of 1.07% may serve as a reference level. That is, about one percent of randomly selected IP addresses reply to a ping request. About the same response rate was seen in the TCP connection refused replies from hosts [2], shown with white background color to indicate no significant differences among the samples (rows).

The values for established TCP connections allow an estimate of the total number of addresses offering the respective services (percent × 0.01 × number of addresses in the sampled range). Connections were most likely with ports 21, 22 and 23 and least likely with ports 110, 8080, 53 and 1080. Intermediate response rates were seen for services offered on ports 80, 443, 22 and 113.
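The estimator in the paragraph above, together with the standard errors and two-sample tests mentioned in the Table 1 legend, worked through as an added example. This is not the lab's code; the response counts are constructed (the ICMP row is chosen to reproduce the page's 1.07% rate, the two TCP rows are invented), and the size of the address range is derived here from the bounds the page states, since the page gives no total.

```python
"""Worked statistics for Table 1-style response rates.

Added example, not the lab's code. The counts below are constructed
(chosen so the ICMP row reproduces the page's 1.07% rate); they are not
the page's data.
"""
import math


def sampled_range_size():
    """Number of addresses in 1.0.0.1 .. 219.255.255.254 minus 127.x.y.z.

    Computed from the bounds stated on the page; the page itself gives
    no total, so this figure is derived here.
    """
    lo = (1 << 24) + 1                                  # 1.0.0.1
    hi = (219 << 24) | (255 << 16) | (255 << 8) | 254   # 219.255.255.254
    loopback = 1 << 24                                  # all of 127.x.y.z
    return hi - lo + 1 - loopback


def response_rate(successes, n):
    """Percent of a sample that responded, with the standard error of that
    percent (binomial approximation, se = sqrt(p(1-p)/n), expressed in %)."""
    p = successes / n
    se = math.sqrt(p * (1.0 - p) / n)
    return 100.0 * p, 100.0 * se


def estimate_hosts(percent, range_size):
    """The page's estimator: percent x 0.01 x number of addresses in range."""
    return percent * 0.01 * range_size


def two_sample_test(k1, n1, k2, n2):
    """Two-sample test for a difference between two response proportions.

    Uses the pooled-proportion z statistic; with samples this large the
    t distribution the page mentions is indistinguishable from the normal.
    Returns (z, two-sided p-value).
    """
    p1, p2 = k1 / n1, k2 / n2
    pooled = (k1 + k2) / (n1 + n2)
    se = math.sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    if se == 0.0:
        return 0.0, 1.0
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2.0))   # two-sided normal tail
    return z, p_value


# Constructed sample: (responses, sample size) per row. Not the page's data.
SAMPLE = {
    "ICMP":    (43373, 4053557),   # about 1.07% of the page's n
    "TCP/80":  (500, 100000),
    "TCP/443": (400, 100000),
}


def summarize(sample, range_size, alpha=0.05):
    """Build a small report: rate, se and estimated host count per row, plus
    whether the two TCP rows differ significantly at level alpha."""
    rows = {}
    for name, (k, n) in sample.items():
        pct, se = response_rate(k, n)
        rows[name] = {"percent": pct, "se": se,
                      "hosts": estimate_hosts(pct, range_size)}
    z, p = two_sample_test(*sample["TCP/80"], *sample["TCP/443"])
    rows["TCP/80 vs TCP/443"] = {"z": z, "p": p, "significant": p < alpha}
    return rows


if __name__ == "__main__":
    for name, r in summarize(SAMPLE, sampled_range_size()).items():
        print(name, {k: round(v, 4) if isinstance(v, float) else v
                     for k, v in r.items()})
```

The standard error is what the "se" columns of Table 1 report, and the z test is the large-sample form of the two-sample t test the legend describes; a p-value below 0.05 is the usual threshold for calling two rows "statistically significantly different".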

The final two responses tabulated in Table 1 are expressed as percents of connected hosts for which a DNS name could be obtained (DNS) and which sent data to the lab client computer (Read). For each row, these pairs of values are based on the same sample of established TCP connections.

Four groups of ports were defined by statistical differences in the percents of host names found by reverse DNS lookup. (1) Hosts offering web pages (80), incoming mail (110) and DNS (53) were most likely to have DNS entries. (2) The next most likely to have DNS entries were servers using ports 25 (sending mail), 443 (secure https), and 22 (ssh). (3) Fewer DNS names were obtained for ports 21 (ftp) and 23 (telnet). (4) The hosts least likely to have DNS name entries were those offering services on ports 113 (ident), 8080 (http proxy) and 1080 (SOCKS proxy).

Seven groups of ports were distinguishable by the percents of hosts sending text data to the lab client program. Most responsive were 25 (sending mail), 113 (ident) and 80 (http web page servers). Data were read from about one half of the servers accepting connections on ports 110 (incoming mail), 21 (ftp) and 23 (telnet). Least talkative were servers on ports 8080 (http proxy), 22 (ssh) and 443 (https). Indeed, only one in eight (12.6%) of secure web page servers (port 443) were willing to respond to a request for default page header information.

Discussion

The similarity in response rates to ICMP echo requests (1.07%) and to TCP connection refused (CR) replies suggests that each measure may provide a general estimate of the number of online computers in the IP address space studied. Individual sub-spaces may of course show none of these responses, depending on network configuration.

More than double the percents shown for TCP and CR responses are obtained if the address space is "filtered" to exclude unused or sparsely populated sub-spaces [1] as implemented by the author's RandScan program.

Some networks are configured to issue TCP connection refused errors (CR) to the internet only in response to connection requests to selected ports [2]. Given the wide range of address space used in this report, one might ask whether the CR percent depends on port number. Alas, an answer to this question awaits further data collection. The large standard error (se) values for the CR percents in Table 1 reflect the relatively small sample sizes.

Table 1 shows that most hosts accepting connections do not appear to have DNS entries for their host names. Also, for about half of the ports surveyed, most of the remote hosts remained mute (Read less than 50%). Further analysis is required to account for these facts. Many of these cases may be ISP subscribers running listening programs to see who might connect with selected ports. On the other hand, a quite large number of these cases of mute listening hosts are part of networks of major organizations [paper in preparation].

This practice may be a security issue: whether a connection is established or refused, the operator of the client program obtains the IP address of a network computer, which can be used to map the organization's network, to say the least. Whatever information about the client the host obtains (that a client at some IP address did or tried to connect) may not be worth the risk of the information that such servers freely hand out to the public about themselves. In fact, this should not be viewed as a trade-off at all. The host computer can capture the IP address and requested connection port of client programs without giving out any information, either by accepting the connection and remaining mute or by replying with a connection refused message. These "null servers," or whatever one wants to call them, should be disabled to improve the privacy of the organization and its network resources.

References

[1] Doctor Electron, "Computers Connected to IPv4 Address Space", June, 2002.
[2] Doctor Electron, "A TCP Ping Reveals Hosts by Connection Refused Error", August, 2002.
[RFC 1700] Reynolds, J. K., and J. Postel, "ASSIGNED NUMBERS", October, 1994.

Copyright © 2002 Global Services
Original publication: August 18, 2002
