Hi Aaron,
to German network operators/providers, we are reporting openly accessible UDP-based services which are commonly abused for DRDoS attacks as well as openly accessible databases (MongoDB, etc.) on a regular basis.
HOWTOs for affected system owners are provided in German and English language at https://reports.cert-bund.de/ https://reports.cert-bund.de/en/
We are currently NOT reporting services like Telnet or VNC for the reasons you mention.
However, we process the data on other services for our primary constituencies (agencies on gov/state level, critical infrastructure).
- Thomas
CERT-Bund Incident Response & Malware Analysis Team
On 13.03.2017 13:02, L. Aaron Kaplan wrote:
Hi everyone,
I have a question. We are processing nearly all the shadowserver feeds now (VNC is still missing) and we stumbled across a problem that we can not 100% solve currently: how do you deal with 'accessible and only potentially vulnerable' devices?
Let me elaborate. Usually we sent out notifications on vulnerable devices (ENISA taxonomy: "Vulnerable". Examples: open recursive DNS, open NTP, anything mis-useable for UDP amplification attacks, etc).
However, at some point, accessible and (only potentially vulnerable) devices came into the game. I.e. a device running telnet (or something on the telnet port). Or VNC. The VNC server might be protected by a pwd.
So, how to deal with that? An ISP might rightfully say that this telnet port is there intentionally and we should not complain?
So, we now have two types that we are talking about:
- Vulnerable and openly accessible ports
- Potentially vulnerable (but not proven) and accessible ports
Candidates for the second type would be:
- VNC
- telnet
- RDP
- (maybe) Redis
- (maybe) ES
- (maybe) memcached
- (maybe) Mongo
What's your stance on this? How do you deal with it?
Note that we are sending out * a lot* as a national CERT and we would not like an ISP to be swamped by our mails if it does not have to be the case.
Best, a.
-- // L. Aaron Kaplan kaplan@cert.at - T: +43 1 5056416 78 // CERT Austria - http://www.cert.at/ // Eine Initiative der nic.at GmbH - http://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg
Intelmq-dev mailing list Intelmq-dev@lists.cert.at http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev