[Intelmq-dev] How do you notify ISPs/network owners about accessible (open) devices?
Thomas Hungenberg
th at cert-bund.de
Fri Mar 24 10:43:34 CET 2017
Hi Aaron,
to German network operators/providers, we are reporting openly accessible
UDP-based services which are commonly abused for DRDoS attacks as well as
openly accessible databases (MongoDB, etc.) on a regular basis.
HOWTOs for affected system owners are provided in German and English language at
<https://reports.cert-bund.de/>
<https://reports.cert-bund.de/en/>
We are currently NOT reporting services like Telnet or VNC for the reasons
you mention.
However, we process the data on other services for our primary constituencies
(agencies on gov/state level, critical infrastructure).
- Thomas
CERT-Bund Incident Response & Malware Analysis Team
On 13.03.2017 13:02, L. Aaron Kaplan wrote:
> Hi everyone,
>
> I have a question. We are processing nearly all the shadowserver feeds now (VNC is still missing)
> and we stumbled across a problem that we can not 100% solve currently: how do you deal with 'accessible and only potentially vulnerable' devices?
>
> Let me elaborate. Usually we sent out notifications on vulnerable devices (ENISA taxonomy: "Vulnerable". Examples: open recursive DNS, open NTP, anything mis-useable for UDP amplification attacks, etc).
>
> However, at some point, accessible and (only potentially vulnerable) devices came into the game. I.e. a device running telnet (or something on the telnet port). Or VNC.
> The VNC server might be protected by a pwd.
>
> So, how to deal with that? An ISP might rightfully say that this telnet port is there intentionally and we should not complain?
>
>
> So, we now have two types that we are talking about:
> 1. Vulnerable and openly accessible ports
> 2. Potentially vulnerable (but not proven) and accessible ports
>
>
> Candidates for the second type would be:
> * VNC
> * telnet
> * RDP
> * (maybe) Redis
> * (maybe) ES
> * (maybe) memcached
> * (maybe) Mongo
>
> What's your stance on this?
> How do you deal with it?
>
> Note that we are sending out * a lot* as a national CERT and we would not like an ISP to be swamped by our mails if it does not have to be the case.
>
> Best,
> a.
>
> --
> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> // CERT Austria - http://www.cert.at/
> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
>
>
>
>
>
>
>
> _______________________________________________
> Intelmq-dev mailing list
> Intelmq-dev at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
>
More information about the Intelmq-dev
mailing list