F5 Labs, in collaboration with Effluxio, researches global attack traffic to gain a better understanding of the cyberthreat landscape. Cyberattacks take many forms, but they often start with the hunt for exploitable services. This report analyzes scans of global low-interaction honeypots traps across three quarters of 2021, specifically comparing activity from the first two quarters, January through June, against the third quarter, July through September.
The connection attempts coming from these scans do not necessarily indicate malicious intent from a source country or organization. As this analysis shows, advanced attackers often make use of compromised infrastructure as proxy botnets. The country of origin of a vulnerability scan does not mean the hands on the keyboard are in that same country.
Highlights
- The top three scanned service ports in the first three quarters 2021 were all for remote logins, calling for hardening these services with patching and strong authentication.
- Malaysia saw a disproportionate amount of scanning traffic from an ASN assigned to Alibaba in China on MySQL port 3306 during Q3 2021.
- Lithuania was one of the top source countries for scans around the world during this period, but this is more likely Russian cyber-attackers hijacking Lithuanian infrastructure.
Top Scanned Ports
Since the Internet began, threat actors have scanned a wide range of IP ports to find potential targets. Each specific port represents certain potential services that can then be probed for vulnerabilities and exploited.
Top Targeted Services and Ports, Now and Then
Although threat actors probe many ports, so far in 2021 the top three scanned ports have remained the same. Those ports—5900 (VNC), 22 (SSH), and 3389 (RDP)—are all used for remote logins. However, all three declined slightly, with corresponding increases in scanning of ports 3306 (MySQL), 21 (FTP), and 9200 (Elasticsearch API). Figure 1 breaks down the specific proportions of the scanning traffic per port for the beginning and the latter half of 2021.

Remote Access Scanning
The top three global ports are used for remote administration and logins, meaning that a single successful authentication gives an attacker a direct login to an organization’s infrastructure. How commonly exposed are these ports? A search on Shodan shows nearly 5 million listening ports on 3389, over a million ports on 5900, and a whopping 21 million ports on 22.1
Given the prevalence of credential stuffing and phishing attacks, organizations opening these ports to the Internet should ensure they are patched and use strong authentication. System administrators, with their associated elevated privileges, should have even tougher controls in place for remote administration.
Port 9200 Scans in Third Quarter 2021
Taking a deeper dive into the increasing scans of port 9200, Elasticsearch listens on port 9200 and was in the top six globally for Q3 (3.6% of all scanning traffic). However, it was also in the top three for the United States in that same period, as shown in Figure 2. Why Elasticsearch? For one, it's been an unfortunate source of many large data breaches, as noted in the 2019 and 2021 Application Protection Reports. Based on this, F5 strongly recommends hardening all Internet-exposed APIs, especially heavily targeted APIs like Elasticsearch.
Top Targets, Now and Then
The proportion of the four or so billion IP addresses on the Internet vary from country to country, based on usage and assignment. The exact breakdown of those assignments is easily referenced on Wikipedia (see Figure 3).2
All things being equal, the attacked countries seen in the Effluxio honeypot data should align somewhat with these same regional proportions. However, looking at the data, as shown in Figure 4, we can see this is not the case.