The scannings will continue until the Internet improves
The news and our networks have been full of articles and packets related to the various UDP amplification attacks that have been ongoing. We and several other researchers have been looking at this problem for a while, and while there are no easy solutions, we can at least make network owners more aware of the issues we can see on their networks from the outside. This has led to some interesting results, most of which are not pleasant.
There are also a large number of services that should not be exposed because they are usually trivial to exploit or abuse. Some of these expose data or even allow remote access to systems that should not be open to the public.
This gave birth to the scanning project. We dropped a pile of gear in a colo, convinced our provider this was for the good of the Internet, and started pushing the bounds of the networks as much as we could. Our initial tests were hard and unpleasant, but we tuned, rewrote code, and finally came up with a methodology that we hope is not too onerous for the end networks.
In some cases there has been a comedy of errors as both we and some of the recipients of our probes have tried to find out why devices would give results when they were never scanned in the first place. Imagine our surprise, for instance, when we sent hundreds of queries across hundreds of destination IPs and received hundreds of replies from a completely different IP.
Based on this report from US-CERT and the excellent write-up by Christian Rossow, we plan to probe everything listed by both. While we were at it, we added a few other ports/protocols of significant security interest.
There are links below to the scan results for the protocols we currently probe. Those without links are on our "to-do" list. Expect more interpretation of scan results in future posts.
- BitTorrent (any)
- CharGEN (UDP/19)
- DNS (UDP/53) (Open Resolver Project)
- Kad (UDP/6429)
- MS-SQL (UDP/1434)
- NetBIOS (UDP/137 to 139)
- NTP Mode 6 (UDP/123) (Open NTP Project)
- NTP Mode 7 (UDP/123)
- QOTD (UDP/17)
- Quake Network Protocol (UDP/26000 and UDP/27960)
- SNMPv2 (UDP/161) (Open SNMP Project)
- SSDP (UDP/1900) (Open SSDP Project)
- Steam Protocol (Many – UDP/27015)
- Conficker (TCP/445)
- Gameover Zeus (Takedown by the FBI on 2014-05-30)
Protocols That Should not be Exposed:
- DB2 (UDP/523)
- Elastic Search (TCP/9200)
- HDFS (TCP/50070, TCP/50075, TCP/50090, TCP/50105, TCP/50030, TCP/50060)
- IPMI (UDP/623)
- mDNS (UDP/5353)
- MemCached (TCP/11211)
- MongoDB (TCP/27017, TCP/27018, TCP/27019, TCP/28017)
- NAT-PMP (UDP/5351)
- NetBIOS (TCP/137 to 139)
- Portmapper (UDP/111)
- RDP (TCP/3389 and UDP/3389)
- REDIS (TCP/6379)
- rlogin (TCP/513)
- SSDP (TCP/1900)
- TFTP (UDP/69)
- telnet (TCP/23)
- XDMCP (UDP/177)
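To see what the probes above actually look like on the wire, and to check your own hosts before a report arrives, here is an added example (not the scanning project's own code, which is not published in this post). It builds the minimal request for several of the UDP services listed, sends it, and computes the bandwidth amplification factor (reply bytes divided by request bytes) from whatever comes back. It also records any reply that arrives from an address other than the one probed, which is the behaviour described earlier in the post. The transaction IDs, the `example.com` query name and the `PROBES` table are this example's own assumptions. Only run it against hosts you are authorised to test.

```python
#!/usr/bin/env python3
"""Build and send the minimal UDP probes for amplification-prone services and
report how much each target amplifies them.  Added example, not project code."""
import socket
import struct


def dns_query(name: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Recursive (RD=1) query for NAME.  qtype 255 (ANY) is the classic
    open-resolver amplification probe; txid is fixed so output is deterministic."""
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + qname + struct.pack(">HH", qtype, 1)


def ntp_mode6_readvar() -> bytes:
    """NTP control message (mode 6), opcode 2 = READVAR, no association id:
    the request behind 'ntpq -c rv'.  12 bytes, answered with a large variable list."""
    return struct.pack(">BBHHHHH", 0x16, 0x02, 0, 0, 0, 0, 0)


def ntp_mode7_monlist() -> bytes:
    """NTP private mode (mode 7) MON_GETLIST_1: implementation 3 (XNTPD),
    request code 42.  8 bytes; vulnerable ntpd builds answer with up to 100
    packets listing recent clients."""
    return bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4


def ssdp_msearch() -> bytes:
    """SSDP discovery; 'ST: ssdp:all' makes a UPnP device enumerate every service."""
    return (b"M-SEARCH * HTTP/1.1\r\n"
            b"HOST: 239.255.255.250:1900\r\n"
            b'MAN: "ssdp:discover"\r\n'
            b"MX: 1\r\n"
            b"ST: ssdp:all\r\n\r\n")


def netbios_nbstat() -> bytes:
    """NetBIOS Name Service node-status request for the wildcard name '*',
    first-level encoded as 'CK' followed by 30 'A's (the padding NUL bytes)."""
    encoded_name = b"\x20" + b"CK" + b"A" * 30 + b"\x00"
    return (struct.pack(">HHHHHH", 0x1234, 0, 1, 0, 0, 0)
            + encoded_name + struct.pack(">HH", 0x0021, 1))  # NBSTAT, IN


def portmap_dump() -> bytes:
    """ONC RPC call to portmapper: program 100000, version 2, procedure 4 (DUMP),
    AUTH_NULL credential and verifier.  40 bytes."""
    return struct.pack(">10I", 0x1234, 0, 2, 100000, 2, 4, 0, 0, 0, 0)


# service -> (port, payload).  Assumed table for this example.
PROBES = {
    "chargen": (19, b"\x00"),          # any datagram gets a reply
    "qotd": (17, b"\x00"),
    "dns-any": (53, dns_query("example.com")),   # assumed query name
    "ntp-mode6": (123, ntp_mode6_readvar()),
    "ntp-mode7": (123, ntp_mode7_monlist()),
    "ssdp": (1900, ssdp_msearch()),
    "netbios": (137, netbios_nbstat()),
    "portmapper": (111, portmap_dump()),
    "mdns": (5353, dns_query("_services._dns-sd._udp.local", qtype=12)),  # PTR
}


def amplification_factor(request: bytes, responses) -> float:
    """Bandwidth amplification factor: total reply bytes over request bytes."""
    return sum(len(r) for r in responses) / len(request)


def probe(host: str, service: str, timeout: float = 2.0) -> dict:
    """Send one probe and collect every datagram that comes back until TIMEOUT.
    Replies from an address other than the target are kept separately, because
    a mismatched source is exactly what confuses the recipient of a report."""
    port, payload = PROBES[service]
    target = socket.gethostbyname(host)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    responses, other_sources = [], set()
    try:
        sock.sendto(payload, (target, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            responses.append(data)
            if src != target:
                other_sources.add(src)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return {"service": service, "replies": len(responses),
            "baf": amplification_factor(payload, responses),
            "replies_from_other_ip": sorted(other_sources)}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for service in PROBES:
        print(probe(host, service))
```

A host that answers with a BAF well above 1 for any of these is usable as a reflector; a BAF of 0 means it did not answer at all, which is what you want to see from the outside. Non-zero `replies_from_other_ip` usually means the probed address is behind a NAT or a multi-homed box, and the reply address is the one that will show up in someone's report.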
Protocols That are Vulnerable:
What can we do?
If you are not already receiving reports for your network, please sign up to get them; you can see more details here. If you would like to contribute to help cover the costs of the project, just email one of us.
- UPDATED: 2016-05-18 – Added XDMCP
- UPDATED: 2016-05-18 – Added DB2
- UPDATED: 2016-03-09 – Added TFTP
- UPDATED: 2016-02-17 – Added mDNS
- UPDATED: 2015-09-20 – Added Synful Knock
- UPDATED: 2015-09-15 – Added Portmapper
- UPDATED: 2015-06-01 – Added Elastic Search
- UPDATED: 2015-03-09 – Added SSL/FREAK
- UPDATED: 2015-02-13 – Added MongoDB
- UPDATED: 2015-02-08 – Added Open SSDP and Open SNMP project links
- UPDATED: 2015-01-29 – Added MS-SQL
- UPDATED: 2015-01-23 – Added MemCached
- UPDATED: 2015-01-21 – Added REDIS
- UPDATED: 2015-01-07 – Added NAT-PMP
- UPDATED: 2014-11-17 – Added SSLv3
- UPDATED: 2014-08-28 – Added Netcore/Netis
- UPDATED: 2014-07-01 – Added Quake and Steam
- UPDATED: 2014-06-26 – Added IPMI and Gameover Zeus
- UPDATED: 2014-06-12 – Added port numbers