Visualizing blocked port connections on Ubiquiti EdgeOS Router

John Bencina · Published in Data Insights · Jun 23, 2017 · 2 min read

I was curious to see what kinds of blocked connection attempts were being made against my home router. I wrote a small notebook script that connects to the router over SSH and downloads all available logs into a local CSV file. Using the networkx library, I built the graph below and visualized it in Gephi. Each source IP address with at least one blocked event is a node, linked to the destination ports it was blocked on, and each source IP is colored by its dominant port.

To minimize clutter, the port nodes are shaded black so they can’t be seen and the edge opacity is very low. Only the top 10 ports are highlighted.

One interesting observation is that most IPs seem dedicated to a specific port; few try many ports. The biggest exception is ports 23 and 2323, which are so commingled that their clusters overlap. I looked up the port assignments on Wikipedia. The relevant ones are listed below:

  • 22 — SSH
  • 23 — Telnet
  • 81 — IoT botnet?
  • 123 — NTP
  • 1433 — MS SQL Server
  • 2323 — Another IoT botnet?
  • 3389 — RDP
  • 5060 — SIP
  • 9000 — Hadoop + Others

To the bottom right of the port 1433 cluster is a group of IPs with many interconnected lines. After spotting it on the graph, I reran the data as a heat map: I took the distinct (IP, port) pairs and, for each pair of ports, counted the unique IPs that hit both. For example, how many IPs have hit both ports 23 and 2323? Or both 22 and 2222?

The chart below shows that information. The one caveat is that some combinations, like 22/2323, are so high that they wash out the rest of the chart, so the heat map caps the color scale at the 99.5th percentile. Also, 65,535 ports would be too many to visualize, so I chose the top 100 ports by volume.

So what is going on with ports 3380–3399? I am not sure. A search turns up reports of RDP being run on various port numbers within that range. I'm guessing that the entire range is being probed.
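The notebook itself is not reproduced in the post, so the following is an added example (mine, not the author's code) that derives the three views discussed above from EdgeOS firewall logs: the dominant blocked port per source IP used to color the graph nodes, the count of unique IPs shared by each pair of top ports with a percentile cap for the heat map, and, going one step beyond the text, a check for IPs walking consecutive ports that would confirm or refute the guess about the 3380–3399 range. It uses only the Python standard library where the author used networkx and Gephi, so its outputs are the node attribute and edge weights one would hand to those tools. The log lines are constructed (documentation IP ranges, some netfilter fields trimmed), and the `[RULESET-RULE-ACTION]` prefix with `D` for drop, `R` for reject and `A` for accept is my assumption about how EdgeOS labels logged rules, not something stated in the post.

```python
"""Dominant blocked port per IP, IPs shared per port pair, and per-IP port
sweeps, parsed from EdgeOS (netfilter LOG) firewall lines."""
import math
import re
from collections import Counter, defaultdict
from itertools import combinations

# Assumed EdgeOS prefix "[RULESET-RULE-ACTION]" (D drop, R reject, A accept).
LOG_RE = re.compile(
    r"\[(?P<ruleset>[^\]\s]+)-(?P<rule>[^\]\s-]+)-(?P<action>[ADR])\]"
    r".*?\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\S+).*?\bDPT=(?P<dport>\d+)"
)

# Constructed sample (documentation IPs, MAC/TOS/ID fields trimmed), not real logs.
SAMPLE_LOG = """\
Jun 23 10:15:32 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=198.51.100.10 DST=203.0.113.5 LEN=40 TTL=240 PROTO=TCP SPT=41234 DPT=23 SYN
Jun 23 10:15:33 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=198.51.100.10 DST=203.0.113.5 LEN=40 TTL=240 PROTO=TCP SPT=41235 DPT=2323 SYN
Jun 23 10:15:40 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=198.51.100.10 DST=203.0.113.5 LEN=40 TTL=239 PROTO=TCP SPT=41301 DPT=23 SYN
Jun 23 10:16:01 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=6000 DPT=1433 SYN
Jun 23 10:16:02 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=6001 DPT=1433 SYN
Jun 23 10:17:10 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.200 DST=203.0.113.5 LEN=40 TTL=114 PROTO=TCP SPT=50001 DPT=3389 SYN
Jun 23 10:17:11 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.200 DST=203.0.113.5 LEN=40 TTL=114 PROTO=TCP SPT=50002 DPT=3390 SYN
Jun 23 10:17:12 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.200 DST=203.0.113.5 LEN=40 TTL=114 PROTO=TCP SPT=50003 DPT=3391 SYN
Jun 23 10:18:00 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=84 TTL=52 PROTO=UDP SPT=123 DPT=123
Jun 23 10:18:05 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0
Jun 23 10:18:30 ubnt kernel: [WAN_IN-10-A]IN=eth0 OUT=eth1 SRC=198.51.100.99 DST=192.168.1.20 LEN=60 TTL=61 PROTO=TCP SPT=52000 DPT=443 SYN
"""


def parse_blocked(log_text):
    """(src, proto, dport) for each dropped/rejected packet that carries a DPT;
    accepted traffic and ICMP (no port) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("action") in ("D", "R"):
            events.append((m.group("src"), m.group("proto"), int(m.group("dport"))))
    return events


def dominant_ports(events):
    """Port each source IP hit most often (lowest port wins ties): the
    attribute used to color IP nodes in the graph."""
    hits = defaultdict(Counter)
    for src, _proto, dport in events:
        hits[src][dport] += 1
    return {s: max(c.items(), key=lambda kv: (kv[1], -kv[0]))[0] for s, c in hits.items()}


def top_ports(events, n):
    """The n destination ports with the most blocked events."""
    volume = Counter(dport for _s, _p, dport in events)
    return [p for p, _ in sorted(volume.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]


def port_cooccurrence(events, n=100):
    """Distinct source IPs that hit both ports, for every pair among the top-n
    ports. Built from the distinct (ip, port) set so repeat hits do not inflate it."""
    keep = set(top_ports(events, n))
    ports_by_ip = defaultdict(set)
    for src, _proto, dport in events:
        if dport in keep:
            ports_by_ip[src].add(dport)
    pairs = Counter()
    for ports in ports_by_ip.values():
        for a, b in combinations(sorted(ports), 2):
            pairs[(a, b)] += 1
    return pairs


def percentile_cap(values, pct):
    """Nearest-rank percentile, used as the heat-map color ceiling so a few
    very large pairs do not wash out the rest."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(pct * len(ordered) / 100)) - 1]


def port_sweeps(events, min_run=3):
    """Per source IP, runs of consecutive destination ports at least min_run
    long: the signature of one scanner walking a range like 3380-3399."""
    ports_by_ip = defaultdict(set)
    for src, _proto, dport in events:
        ports_by_ip[src].add(dport)
    sweeps = {}
    for src, ports in ports_by_ip.items():
        ordered = sorted(ports)
        runs, start = [], ordered[0]
        for prev, cur in zip(ordered, ordered[1:] + [None]):
            if cur != prev + 1:  # the current run ends at prev
                if prev - start + 1 >= min_run:
                    runs.append((start, prev))
                start = cur
        if runs:
            sweeps[src] = runs
    return sweeps


if __name__ == "__main__":
    ev = parse_blocked(SAMPLE_LOG)
    co = port_cooccurrence(ev)
    print("dominant port per IP:", dominant_ports(ev))
    print("IPs shared per port pair:", dict(co), "cap:", percentile_cap(co.values(), 99.5))
    print("range sweeps:", port_sweeps(ev))
```

On real data, replace `SAMPLE_LOG` with the contents of the router's log files (`/var/log/messages` is where EdgeOS writes kernel firewall logs, but check your device), and feed `dominant_ports` and `port_cooccurrence` into networkx or a Gephi edge list. The `port_sweeps` result answers the 3380–3399 question directly: if one IP appears with a run covering that range, it is a range probe by a single scanner rather than many IPs each targeting one alternate RDP port.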
