[Intelmq-dev] How do you notify ISPs/network owners about accessible (open) devices?

L. Aaron Kaplan kaplan at cert.at
Mon Mar 13 13:02:47 CET 2017


Hi everyone,

I have a question. We are processing nearly all the shadowserver feeds now (VNC is still missing)
and we stumbled across a problem that we cannot 100% solve currently: how do you deal with 'accessible and only potentially vulnerable' devices?

Let me elaborate. Usually we send out notifications on vulnerable devices (ENISA taxonomy: "Vulnerable". Examples: open recursive DNS, open NTP, anything mis-usable for UDP amplification attacks, etc).

However, at some point, accessible and (only potentially vulnerable) devices came into the game. I.e. a device running telnet (or something on the telnet port). Or VNC.
The VNC server might be protected by a pwd.

So, how to deal with that? An ISP might rightfully say that this telnet port is there intentionally and we should not complain?


So, we now have two types that we are talking about:
  1. Vulnerable and openly accessible ports
  2. Potentially vulnerable (but not proven) and accessible ports


Candidates for the second type would be:
  * VNC
  * telnet
  * RDP
  * (maybe) Redis
  * (maybe) ES
  * (maybe) memcached
  * (maybe) Mongo

What's your stance on this?
How do you deal with it?

Note that we are sending out *a lot* as a national CERT and we would not like an ISP to be swamped by our mails if it does not have to be the case.

Best,
a.

--
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
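One way to separate the two types and keep the second from swamping an ISP, as an added example (not code from the post or from IntelMQ itself): proven-vulnerable events are notified at once, while "accessible, potentially vulnerable" events are held per ASN and released as a single digest per window. The event dict field names (`protocol.application`, `source.asn`), the service name strings, the window length and the `potentially-vulnerable` label are all assumptions chosen for the example.

```python
from collections import defaultdict

# Services the post lists as "potentially vulnerable (but not proven)"; the
# names are constructed for this example, not Shadowserver's feed identifiers.
POTENTIALLY_VULNERABLE = {"vnc", "telnet", "rdp", "redis", "elasticsearch",
                          "memcached", "mongodb"}
# Services the post cites as proven "Vulnerable" (mis-usable for UDP amplification).
VULNERABLE = {"dns-open-resolver", "ntp-monitor"}

def classify(event):
    """Map an IntelMQ-style event dict (assumed field names) to (taxonomy, type).
    'vulnerable-system' follows the ENISA taxonomy the post mentions;
    'potentially-vulnerable' is a hypothetical label for the second category."""
    service = event.get("protocol.application", "").lower()
    if service in VULNERABLE:
        return ("vulnerable", "vulnerable-system")
    if service in POTENTIALLY_VULNERABLE:
        return ("vulnerable", "potentially-vulnerable")
    return ("other", "unknown")

class NotificationQueue:
    """Proven-vulnerable events go out immediately; potentially-vulnerable events
    are held per network owner (keyed by ASN) and released as one digest per
    window, so an ISP does not get one mail per open port."""
    def __init__(self, window_seconds=7 * 24 * 3600):
        self.window = window_seconds
        self.last_digest = {}              # asn -> timestamp of last digest sent
        self.pending = defaultdict(list)   # asn -> events held for the next digest

    def submit(self, event, now):
        """Return the list of events that should be mailed right now."""
        _taxonomy, etype = classify(event)
        asn = event["source.asn"]
        if etype == "vulnerable-system":
            return [event]                 # proven: notify without delay
        if etype != "potentially-vulnerable":
            return []                      # unknown service: nothing to notify
        self.pending[asn].append(event)
        last = self.last_digest.get(asn)
        if last is None or now - last >= self.window:
            self.last_digest[asn] = now
            batch, self.pending[asn] = self.pending[asn], []
            return batch
        return []                          # held until the window elapses

    def flush(self, now):
        """Release every held digest whose window has elapsed (e.g. from a cron job)."""
        out = []
        for asn in list(self.pending):
            if self.pending[asn] and now - self.last_digest.get(asn, 0) >= self.window:
                self.last_digest[asn] = now
                out.extend(self.pending.pop(asn))
        return out
```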
