Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


port monitoring of internet enterprise security

Posted by ulberg at 2020-04-07

Click the blue words above to subscribe


The external network port monitoring system is a very important part of the whole security system. Like eyes, it constantly monitors the opening of the external network port, and timely reminds the security and operation and maintenance personnel to deal with the high-risk port when it is found.

For security personnel, in the process of rapid development and growth of Internet companies, the management and control of the Internet boundary is prone to the phenomenon of inadequate care. At first, the external network port monitoring system we developed with Python + nmap was unable to meet the requirements in the process of expanding the company's boundary, so there was an intrusion event caused by the operation and maintenance personnel's misoperation exposing the high-risk port to the external network. In order to avoid the similar intrusion problem caused by the opening of high-risk port without knowing it again, we began to redo the external network port monitoring Control system.


To understand the meaning of port monitoring, first of all, you need to know what port scanning is. According to the definition of Wikipedia:

The definition of port scan is that the client sends corresponding requests to a certain range of server ports to confirm the available ports. Although it is not malicious network activity in itself, it is also an important means for network attackers to detect the target host service to exploit the known vulnerabilities of the service.

For attackers, port scanning is often the first step to attack from the Internet. For enterprise security personnel, port monitoring is an important defense line to prevent attackers from directly invading from the outside. It can help us:

From the perspective of attackers, we can understand the opening of the enterprise's external network port to see if there are any points that are easy to be used and lead to intrusion

Find and fix the vulnerability before the attacker finds the new open high-risk port of the external network, so as to reduce the probability of the system being directly invaded from the outside


There are no more than two ways to monitor the open ports of the enterprise's extranet. One is the scanning of the Internet ports similar to the black box audit, and the other is the flow analysis similar to the white box audit. In principle, the way of traffic analysis is certainly the most accurate, but it has certain requirements for hardware and software, and general companies are not necessarily able to do well; the way of external network port scanning is relatively direct, although there are some environmental dependencies, such as network bandwidth, but generally speaking, it is much smaller than the requirements of traffic analysis, and most companies can meet them. Here we mainly introduce the method of external network port scanning, another method of traffic analysis. Please share it with you later.

Method 1: external network port scanning

Here we will briefly introduce the principle of port scanning to help you have a basic understanding of this unknown student.

port status

The following describes the division of port state with the most famous port scanner nmap:

But in general, we don't need to be so detailed. For convenience, we roughly divide a port into three states: open, restricted open, and closed. "Restricted open" refers to access control. Only the specified hosts in the white list can access it, and other hosts cannot access it. It can be simply considered as the filtered state above.

Scanning mode

TCP syn scan

Why we choose TCP syn scanning:

It can scan thousands of ports per second in a fast network without firewall;

It's relatively hidden and hard to notice because it never completes a TCP connection;

Compatibility is good, unlike fin / null / Xmas / Maimon and idle scanning, which rely on a specific platform and can handle any compatible TCP protocol stack;

Clearly and reliably distinguish open, closed and filtered states.

Scanning principle

For students who have studied computer network, the 3-time handshake process of TCP / IP connection should not be a stranger. The general process is as follows:

The TCP syn scan we use here is to send a syn message to the designated port (no message will be returned and TCP connection will not be completed after that), and then make a judgment based on the return information of the port. The judgment conclusions are divided into the following three types:

The legend is as follows:

Method 2: flow analysis

Source before, no secret.

It is estimated that the technical students will not be unfamiliar with this sentence of Mr. Hou Jie. Here I want to change this sentence to adapt to our situation here:

Before the flow, there is no secret.

Through traffic analysis, we can know which ports are open to the outside world in time, and then obtain the protocols and services it uses through unpacking analysis. For those that cannot be accurately judged, we can use the way of external network scanning for supplementary judgment.

Evolution process


In the early days, we used Python to call nmap for scanning, but with the continuous expansion of the company's scale and the continuous increase of network segments, the disadvantages of nmap scanning gradually emerged and could not be made up - the full port scanning cycle of large network segments was too long to produce results in time (one scanning cycle may be as long as 2 weeks), and the purpose of external network port monitoring could not be achieved at all. Until then there was masscan.


The general structure is as follows:

In terms of scanning speed, it should be the fastest of the existing port scanners, and at the same time, its accuracy is relatively high. Before we decide to use masscan, we have done a comparative test with zmap and nmap. Due to the limited space, the specific test process will not be sent out. Here we just say the test conclusion: using TCP syn scanning mode to scan a small IP segment through full port, masscan has the fastest speed and high accuracy, which can meet the needs.

Experience sharing

The bandwidth of scan server is the key;

Scanning is best to avoid business peak;

Scanning options need to be optimized according to specific bandwidth, machine configuration, scanning range and scanning speed requirements;

As long as it is a remote detection method, there is certain uncertainty, the accuracy of detection results can only be close to 100%, can not reach 100%, so do not rely on the results of external network scanning completely;

In fact, the number of open ports of a single IP is limited. If you find that a single IP has a large number of open ports in the scan results, you should pay attention to whether the corresponding devices of the IP are cheating you;

In the early stage, the scanning results should be combed completely. In the later stage, only the new high-risk ports need to be processed.


After the launch of the version of masscan, the speed of full port scanning has been greatly improved, and the open situation of the external network port has also been clearly understood. However, the acquisition of banner and the identification of specific services have not met the requirements, which is not the strength of masscan, so we need to use the rich service fingerprint database of nmap to improve the accuracy of our monitoring data Sex.

Compared with the previous one, after the full scan phase of masscan, a phase of incremental scan with nmap is added only for ports judged as open, and then the results are updated to the database for easy display and analysis. The general structure is as follows:

Masscan+Nmap & DPDK+Storm+Nmap

The scan of the Internet has its advantages - to obtain the current security status of the Internet from the perspective of the attacker, but it will take a long time, especially in the case of large network segment and limited bandwidth, because the full port scan of masscan is faster. Therefore, there is a natural vacuum period for a single periodic external network scan. If the internal staff forget to close the test port because of carelessness, they may be used by the attacker. In order to deal with this situation (even if the availability is relatively small), we decided to analyze the real-time traffic and find out the open data in real time The new / abnormal port is then invoked to scan the Nmap to solve the vacuum period of the external network scan. The general structure is as follows:

Experience sharing

It is imperative to organize IP and equipment asset information in an all-round way with related brother teams, and to systematize asset change (avoid manual operation);

The scanning range is best (certain) pulled through API to avoid missed scanning due to asset change;

In this case, the timeliness of security monitoring information is higher than the accuracy, but the accuracy is also very important (so we need to narrow down the scope with mascan first, and then get the details with nmap);

If you find a typical high-risk case, you should remember to copy it to the bosses of both sides, and see if it can be upgraded to a higher level if possible, because the establishment of the system or policy will be better promoted from high to low.

Extension and extension

In addition to monitoring the new high-risk ports open to the Internet, the port monitoring system can also consider expanding its functions and effects from the following aspects to maximize the utility:

1. System vulnerability scanner linkage

For insecure students, it's hard for them to understand how much harm an open port on the Internet can cause, so it often happens that when security personnel find them, they don't think it's a security problem, so it's a bit troublesome to communicate.

Although the problems will be solved eventually, if there is an intuitive demonstration to them, they will be more willing to cooperate with us to fix and avoid such problems. So the linkage with the system vulnerability scanner is helpful to promote the problem handling and vulnerability repair.

Precautions: avoid high-risk scanning operation; it needs to be triggered actively after manual confirmation.

2. Web vulnerability scanner linkage

Generally, we will think that the new web port is acceptable externally, but this is based on the premise that the corresponding web system has passed the complete internal security test. When the web system of ZABBIX is similar to that of ZABBIX for convenience, and the password is weak, the situation is not so optimistic. At this time, we can automatically scan the exposed web system by calling the web vulnerability scanner, and report the results in time, so as to reduce the harm caused by such problems.

3. Internal vulnerability management system linkage

The benefits are:

Automatic input, automatic follow-up by vulnerability management system process, efficiency improvement;

The results are displayed in the vulnerability management system with uniform style.


UDP high risk port monitoring

The above describes the TCP port monitoring of the regular server, intended to remind you of the security of the server; but there is also a kind of UDP port security problem which is not described above and easy to be ignored -- the security of the firewall, switch and other network equipment. In August 2016, the shadow brokers released an adaptive security for Cisco Appliance (ASA, which actually covers firewall and router devices, pix is also listed) product's vulnerability exploitation tool extrabacon. Although there are certain restrictions on vulnerability exploitation, once the vulnerability exploitation is successful, the attacker can establish SSH or telnet connection without entering identity credentials. It is not necessary to enter a valid user name or password to break into ASA.

In view of these problems, the following suggestions are made:

Quickly monitor the status of some high-risk UDP ports;

Close services / external visits if not necessary;

If necessary, upgrade as early as possible and restrict access to IP sources.


This paper mainly introduces the development and evolution of the external network port monitoring system of meituan review security team, and summarizes some practical experience and prospects. You are welcome to criticize and correct. I hope you can put forward some good suggestions to help us improve. We will continue to optimize and discuss with you in the future. Thank you very much for your patience to see the readers here!

Author brief introduction

Guangzong, who joined the security team of meituan reviews in 2015, has successively engaged in the work of production network host and software security protection, and is currently mainly responsible for the development of the internal security audit system of meituan reviews.

Finally, a small advertisement is put forward. The Security Department of meituan reviews group is recruiting Web & binary attack and defense, background & system development, machine learning & Algorithm and other small partners. What we want to do is to build a set of network layer, virtualization layer, server software layer (kernel / user state), language execution virtual machine layer (JVM / Zend / JavaScript) based on massive IDC environment V8), web application layer, data access layer (DAL) based on big data + machine learning fully automatic security event awareness system, corresponding to the server of meituan's comments on the whole business in scale, the technology stack covers almost most of the Internet applications in the cloud environment, and the data scale will also be a great challenge. In addition, we also pay attention to the practice of such companies as Google, Facebook and Amazon in enterprise security construction, and strive to build a built-in security architecture and defense in depth system similar to Google, which should be a good opportunity for students pursuing in the field of security and engineering technology. If you want to join us, please send your resume to zhaoyan17 ා

For details, please click: meituan reviews group security department to recruit security talents.


US group review

Technical team

Long press QR code to follow us

More technology Blogs: meituan reviews technology blogs.

PS: the green terms in the text are all reference links, and you can click to query.

To view the code in the text, click "read the original".