[Intelmq-dev] How do you notify ISPs/network owners about accessible (open) devices?

Thomas Hungenberg th at cert-bund.de
Fri Mar 24 10:43:34 CET 2017


Hi Aaron,

to German network operators/providers, we are reporting openly accessible
UDP-based services which are commonly abused for DRDoS attacks as well as
openly accessible databases (MongoDB, etc.) on a regular basis.

HOWTOs for affected system owners are provided in German and English at
<https://reports.cert-bund.de/>
<https://reports.cert-bund.de/en/>

We are currently NOT reporting services like Telnet or VNC for the reasons
you mention.

However, we process the data on other services for our primary constituencies
(agencies on gov/state level, critical infrastructure).


     - Thomas

CERT-Bund Incident Response & Malware Analysis Team

On 13.03.2017 13:02, L. Aaron Kaplan wrote:
> Hi everyone,
> 
> I have a question. We are processing nearly all the shadowserver feeds now (VNC is still missing)
> and we stumbled across a problem that we cannot 100% solve currently: how do you deal with 'accessible and only potentially vulnerable' devices?
> 
> Let me elaborate. Usually we send out notifications on vulnerable devices (ENISA taxonomy: "Vulnerable". Examples: open recursive DNS, open NTP, anything mis-useable for UDP amplification attacks, etc).
> 
> However, at some point, accessible and (only potentially vulnerable) devices came into the game. I.e. a device running telnet (or something on the telnet port). Or VNC.
> The VNC server might be protected by a pwd.
> 
> So, how to deal with that? An ISP might rightfully say that this telnet port is there intentionally and we should not complain?
> 
> 
> So, we now have two types that we are talking about:
>   1. Vulnerable and openly accessible ports
>   2. Potentially vulnerable (but not proven) and accessible ports
> 
> 
> Candidates for the second type would be:
>   * VNC
>   * telnet
>   * RDP
>   * (maybe) Redis
>   * (maybe) ES
>   * (maybe) memcached
>   * (maybe) Mongo
> 
> What's your stance on this?
> How do you deal with it?
> 
> Note that we are sending out *a lot* as a national CERT and we would not like an ISP to be swamped by our mails if it does not have to be the case.
> 
> Best,
> a.
> 
> --
> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> // CERT Austria - http://www.cert.at/
> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
> 
> _______________________________________________
> Intelmq-dev mailing list
> Intelmq-dev at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
> 
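As an added example of the policy described above (my own code, not part of IntelMQ or anything CERT-Bund or CERT.at runs), here is a small classifier and router: category 1 events (UDP amplification services, open databases) go to every network owner, category 2 events (Telnet, VNC, RDP and the "maybe" candidates) are only kept for ASNs in the primary constituency, unknown services are dropped rather than reported on a guess, and everything is aggregated into one digest per ASN and category so an ISP gets one mail instead of one per host. The service names, ASNs, IPs and the constituency set are constructed for the example and the service-to-category mapping is my reading of the thread, not an official list.

```python
"""Classify scan-feed events into the two categories discussed in the thread
and route them per network owner, one digest per owner and category."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed mapping for this example, following the thread's policy.
# Category 1: openly accessible and proven abusable -> report to everyone.
VULNERABLE = {"open-resolver", "ntp-monitor", "ssdp", "chargen", "mongodb"}
# Category 2: accessible, only potentially vulnerable -> primary constituency only.
ACCESSIBLE = {"telnet", "vnc", "rdp", "redis", "elasticsearch", "memcached"}


@dataclass(frozen=True)          # frozen -> hashable, so duplicates collapse in a set
class Event:
    ip: str
    asn: int                     # network owner the notification would go to
    service: str                 # feed/service name as delivered by the scanner


def classify(service: str) -> Optional[str]:
    """Map a service name to 'vulnerable', 'accessible' or None (unknown)."""
    s = service.lower()
    if s in VULNERABLE:
        return "vulnerable"
    if s in ACCESSIBLE:
        return "accessible"
    return None                  # never notify on a service we have no policy for


def route(events: Iterable[Event],
          constituency_asns: Set[int]) -> Dict[Tuple[int, str], List[Event]]:
    """Return {(asn, category): events}, deduplicated and filtered by policy."""
    digests = defaultdict(set)
    for ev in events:
        cat = classify(ev.service)
        if cat is None:
            continue
        if cat == "accessible" and ev.asn not in constituency_asns:
            continue             # policy: category 2 is not reported to ISPs
        digests[(ev.asn, cat)].add(ev)
    return {key: sorted(evs, key=lambda e: (e.ip, e.service))
            for key, evs in digests.items()}


def render(digests: Dict[Tuple[int, str], List[Event]]) -> List[str]:
    """One summary line per digest, i.e. per mail that would be sent."""
    lines = []
    for (asn, cat), evs in sorted(digests.items()):
        hosts = ", ".join(f"{e.ip}/{e.service}" for e in evs)
        lines.append(f"AS{asn} [{cat}] {len(evs)} host(s): {hosts}")
    return lines


# Constructed sample events for the example (not real scan data).
SAMPLE_EVENTS = [
    Event("192.0.2.10", 64496, "open-resolver"),
    Event("192.0.2.10", 64496, "open-resolver"),   # same host seen by a second feed run
    Event("192.0.2.11", 64496, "telnet"),          # ISP network, category 2 -> dropped
    Event("198.51.100.5", 64497, "VNC"),           # constituency network -> kept
    Event("198.51.100.6", 64497, "mongodb"),       # category 1 -> kept for everyone
    Event("203.0.113.7", 64498, "smb"),            # no policy -> dropped
]
CONSTITUENCY = {64497}                             # assumed primary-constituency ASN

if __name__ == "__main__":
    for line in render(route(SAMPLE_EVENTS, CONSTITUENCY)):
        print(line)
```

With the sample input this produces three digests: the ISP AS64496 receives only its open resolver (once, despite two feed hits), the constituency AS64497 receives both its VNC and its MongoDB host, and the SMB and ISP Telnet hits generate no mail at all.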

