[Intelmq-dev] How do you notify ISPs/network owners about accessible (open) devices?

Pavel Kácha ph at cesnet.cz
Mon Mar 13 13:57:55 CET 2017


Hello Aaron,

> From: "L. Aaron Kaplan" <kaplan at cert.at>, Date: Mar 13, 2017
>
> I have a question. We are processing nearly all the shadowserver feeds now (VNC is still missing)
> and we stumbled across a problem that we can not 100% solve currently: how do you deal with 'accessible and only potentially vulnerable' devices?
> 
> Let me elaborate. Usually we send out notifications on vulnerable devices (ENISA taxonomy: "Vulnerable". Examples: open recursive DNS, open NTP, anything misusable for UDP amplification attacks, etc).
> 
> However, at some point, accessible and (only potentially vulnerable) devices came into the game. I.e. a device running telnet (or something on the telnet port). Or VNC.
> The VNC server might be protected by a pwd.
> 
> So, how to deal with that? An ISP might rightfully say that this telnet port is there intentionally and we should not complain?
> 
> 
> So, we now have two types that we are talking about:
>   1. Vulnerable and openly accessible ports
>   2. Potentially vulnerable (but not proven) and accessible ports
> 
> 
> Candidates for the second type would be:
>   * VNC
>   * telnet
>   * RDP
>   * (maybe) Redis
>   * (maybe) ES
>   * (maybe) memcached
>   * (maybe) Mongo
> 
> What's your stance on this?
> How do you deal with it?

   we are using the eCSIRT.net taxonomy (actually mkII from Don Stikvoort), and
we have stumbled into this.  eCSIRT.net is two-level, so we have decided to
add another "distinctive" level - Vulnerable.Config and Vulnerable.Open,
where the former is "just" open (your case, I believe), and the latter is
the confirmed vulnerability.  (See [1].)
   Regarding the "uncertainty" problem - in my opinion that is another type
of information, orthogonal to classification, as any info can be uncertain
or in some way unverified.  In Idea we have the "Confidence" key, which may
be the indicator that the event is not completely reliable.

> Note that we are sending out *a lot* as a national CERT and we would not like an ISP to be swamped by our mails if it does not have to be the case.

   I feel your pain. :) Been there (heck, mostly we still are).  We (at
Czech NREN level) have ended up marking the varieties of events we are
sending out with "severity" (low, med, high, crit), and deciding how often
to send reports based on that.  (End admins are also able to mark some
services as "legitimate" to filter out false positives, but that might not
be a good approach at national level, where you usually want to take a careful
stance).

Cheers
-- Pavel Kácha, CESNET

[1] https://idea.cesnet.cz/en/classifications
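As an added example (not code from CESNET, IntelMQ, or either poster), here is a small Python sketch of the scheme Pavel describes: IDEA-style events carrying "Category" and "Confidence" are mapped to a severity, grouped per abuse contact, filtered against an admin's "legitimate" list, and only included in a report when that severity's reporting interval has elapsed since the last one. The category-to-severity table, the confidence threshold, the send intervals, the contact table and the sample events themselves are constructed assumptions, not anything the thread or the IDEA documentation specifies.

```python
"""Severity-throttled notification of network owners from IDEA-like events.

Added example, not CESNET's or IntelMQ's code. Assumed (not from the thread):
the category->severity table, the confidence threshold, the send intervals,
the contact table, and the sample events below.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

RANK = {"low": 0, "med": 1, "high": 2, "crit": 3}
# Assumed policy: Vulnerable.Open = confirmed vulnerability, Vulnerable.Config
# = "just" open (the distinction Pavel describes).
SEVERITY_BY_CATEGORY = {"Vulnerable.Open": "high", "Vulnerable.Config": "low"}
# Assumed: events below this Confidence are treated as unverified and downgraded.
CONFIDENCE_THRESHOLD = 0.7
DOWNGRADE = {"crit": "high", "high": "med", "med": "low", "low": "low"}
# Assumed minimum gap between two reports to the same contact, per severity.
SEND_INTERVAL = {"crit": timedelta(0), "high": timedelta(0),
                 "med": timedelta(days=7), "low": timedelta(days=30)}
# Constructed contact table (documentation prefixes, not real owners).
CONTACTS = {
    ipaddress.ip_network("192.0.2.0/24"): "abuse@example-isp.test",
    ipaddress.ip_network("198.51.100.0/24"): "noc@example-nren.test",
}
# Services an end admin has marked as legitimate: (ip, port) pairs.
LEGITIMATE = {("198.51.100.7", 23)}


def severity_of(event):
    """Highest severity over the event's categories, downgraded once if the
    event's Confidence is below the threshold."""
    sev = "low"
    for cat in event.get("Category", []):
        cand = SEVERITY_BY_CATEGORY.get(cat, "low")
        if RANK[cand] > RANK[sev]:
            sev = cand
    if event.get("Confidence", 1.0) < CONFIDENCE_THRESHOLD:
        sev = DOWNGRADE[sev]
    return sev


def contact_for(ip):
    """Longest-prefix lookup is not needed for the constructed table, so the
    first matching prefix wins."""
    addr = ipaddress.ip_address(ip)
    for net, mailbox in CONTACTS.items():
        if addr in net:
            return mailbox
    return None


def build_reports(events, last_sent, now):
    """Group findings per contact, drop legitimate services, and keep only
    findings whose severity is due for sending.

    last_sent maps (contact, severity) -> datetime of the previous report.
    Returns {contact: [tab-separated report lines]}.
    """
    reports = {}
    for ev in events:
        sev = severity_of(ev)
        for src in ev.get("Source", []):
            for ip in src.get("IP4", []):
                contact = contact_for(ip)
                if contact is None:
                    continue
                for port in src.get("Port", [None]):
                    if (ip, port) in LEGITIMATE:
                        continue
                    prev = last_sent.get((contact, sev))
                    if prev is not None and now - prev < SEND_INTERVAL[sev]:
                        continue  # this severity was reported too recently
                    line = (f"{sev}\t{ev['Category'][0]}\t{ip}:{port}"
                            f"\tconf={ev.get('Confidence', 1.0)}")
                    reports.setdefault(contact, []).append(line)
    return reports


# Constructed IDEA-style events (not real findings).
NOW = datetime(2017, 3, 13, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    # confirmed open resolver on ISP space: high, sent every time
    {"Format": "IDEA0", "ID": "ev-1", "Category": ["Vulnerable.Open"],
     "Confidence": 0.95,
     "Source": [{"IP4": ["192.0.2.10"], "Proto": ["udp", "dns"], "Port": [53]}]},
    # telnet reachable, password unknown: low, batched monthly
    {"Format": "IDEA0", "ID": "ev-2", "Category": ["Vulnerable.Config"],
     "Confidence": 0.9,
     "Source": [{"IP4": ["192.0.2.20"], "Proto": ["tcp", "telnet"], "Port": [23]}]},
    # telnet on a host the NREN admin marked legitimate: dropped
    {"Format": "IDEA0", "ID": "ev-3", "Category": ["Vulnerable.Config"],
     "Confidence": 0.9, "Source": [{"IP4": ["198.51.100.7"], "Port": [23]}]},
    # low-confidence "confirmed" VNC finding: downgraded high -> med
    {"Format": "IDEA0", "ID": "ev-4", "Category": ["Vulnerable.Open"],
     "Confidence": 0.4, "Source": [{"IP4": ["198.51.100.9"], "Port": [5900]}]},
]
# The ISP already received a "low" batch three days ago.
LAST_SENT = {("abuse@example-isp.test", "low"): NOW - timedelta(days=3)}

if __name__ == "__main__":
    for contact, lines in build_reports(EVENTS, LAST_SENT, NOW).items():
        print(f"To: {contact}")
        for line in lines:
            print("  " + line)
```

With the constructed input, the ISP gets only the confirmed open resolver (its telnet finding is "low" and was batched three days ago), and the NREN gets the VNC finding downgraded to "med" because of its 0.4 confidence, while the whitelisted telnet host is dropped entirely.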