CSIRT-IE Reports on Internet Accessible Servers & Services exploited for DDoS Attacks


Objective

CSIRT-IE's primary focus, in regard to the following reports, is to identify internet accessible servers & services within the jurisdiction which may be exploited for a Distributed Denial-of-Service (DDoS) attack against a third party. CSIRT-IE seeks to inform the responsible network operators and constituents by email, identified from the IP address of the affected server or service, and to provide advice and recommendations on how to reduce the threat posed by these internet accessible servers & services.

Internet accessible servers & services may also be used by a malicious actor for reconnaissance prior to an attack: the process of identifying vulnerabilities and weak spots in an organisation's network and mapping its attack surface.

Source of Information

1.  The Shadowserver Foundation.

The Shadowserver Foundation is a Non-Governmental Organisation and one of the world's leading resources for internet security reporting and malicious activity investigation. The Shadowserver Foundation works with national governments, network providers, enterprises, financial and academic institutions, law enforcement agencies, and others, to reveal security vulnerabilities, expose malicious activity and help remediate victims. The Shadowserver Foundation scans the entire IPv4 internet every day for internet accessible servers and services and reports the security vulnerabilities found. In 2022, the Shadowserver Foundation began systematically rolling out IPv6 scanning of services. Information on the Shadowserver Foundation Reports and the data contained therein can be found at: Shadowserver Foundation Reports

Event Severity Levels

On the 12th Oct 2023, the Shadowserver Foundation introduced a new system of categorising events in their reports, called Event Severity Levels, which makes it possible for recipients of their reports to filter events based upon the severity of the actual event reported. The Shadowserver Foundation has also commenced applying a default severity level to each of their reports.

No. Level Description
1. Critical - Highly critical vulnerabilities that are being actively exploited, where failure to remediate poses a very high likelihood of compromise. For example, a pre-authentication Remote Code Execution (RCE), or modification or leakage of sensitive data.
2. High - End of life systems; systems that can be logged into with authentication but are meant to be internal only (SMB, RDP); services from which some data can be leaked. Sinkhole events also fall into this category.
3. Medium - Risk that does not pose an immediate threat to the system but can escalate to a higher severity over time. For example: risk of participating in DDoS; unencrypted services requiring login; vulnerabilities requiring visibility into network traffic to exploit (a Man-in-the-Middle (MITM) position without the ability to manipulate the traffic); vulnerabilities where an attacker would need knowledge of internal systems/infrastructure in order to exploit them.
4. Low - Deviation from best practice, with little to no practical way to exploit, but the setup is not ideal. Includes vulnerabilities requiring MITM (including manipulating the traffic) to exploit.
5. Info - Informational only; typically no concerns. However, this category includes the Device Identification report, which may include information on device types that should not be accessible on the public Internet, in which case the individual events in the report may be assigned higher severity levels. Review in accordance with the organisation's security policy.
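The severity levels above are what allow a report recipient to triage events before notifying the affected network operator. The following is an added example, not tooling from CSIRT-IE or the Shadowserver Foundation, of how a recipient might parse a report, keep only events at or above a chosen severity, and group the remainder per affected IP address so that one notification per address can be prepared. The CSV column names (ip, protocol, port, tag, severity), the sample rows, and the documentation-range IP addresses are constructed for this example and are assumptions, not data from an actual report.

```python
import csv
import io
from collections import defaultdict

# Rank of each Shadowserver Event Severity Level; a lower number is worse.
SEVERITY_RANK = {"critical": 1, "high": 2, "medium": 3, "low": 4, "info": 5}

# Constructed sample report in a Shadowserver-style CSV layout.
# Column names and values are assumptions made for this example; the
# IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_REPORT = """timestamp,ip,protocol,port,tag,severity
2024-01-01 00:00:00,192.0.2.10,udp,123,ntp-monlist,Medium
2024-01-01 00:00:00,192.0.2.10,udp,53,dns-open-resolver,medium
2024-01-01 00:00:00,198.51.100.7,tcp,445,smb,high
2024-01-01 00:00:00,203.0.113.5,udp,161,snmp,medium
2024-01-01 00:00:00,203.0.113.9,tcp,22,ssh,info
"""


def parse_report(text):
    """Parse report CSV text into a list of row dicts with a normalised severity."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = (row.get("severity") or "").strip().lower()
        if sev not in SEVERITY_RANK:
            # Blank or unrecognised severity: keep the row but treat it as Info
            # rather than silently dropping an event.
            sev = "info"
        row["severity"] = sev
        rows.append(row)
    return rows


def filter_by_severity(rows, minimum="medium"):
    """Keep rows whose severity is at least `minimum` (e.g. Medium keeps Critical..Medium)."""
    threshold = SEVERITY_RANK[minimum]
    return [r for r in rows if SEVERITY_RANK[r["severity"]] <= threshold]


def group_by_ip(rows):
    """Group events by affected IP so a single notification per address can be built."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[r["ip"]].append(
            {"protocol": r["protocol"], "port": r["port"],
             "tag": r["tag"], "severity": r["severity"]}
        )
    return dict(grouped)


def worst_severity(events):
    """Return the most serious severity present among a list of grouped events."""
    return min((e["severity"] for e in events), key=lambda s: SEVERITY_RANK[s])


def triage(text, minimum="medium"):
    """Full pipeline: parse, filter at `minimum`, and group per affected IP."""
    return group_by_ip(filter_by_severity(parse_report(text), minimum))


if __name__ == "__main__":
    for ip, events in sorted(triage(SAMPLE_REPORT).items()):
        tags = ", ".join(f"{e['tag']}/{e['port']}" for e in events)
        print(f"{ip}: worst={worst_severity(events)} events={tags}")
```

Filtering at Medium keeps the DDoS-relevant open resolver and NTP monlist events and the exposed SMB service, while the informational SSH event is excluded; raising the minimum to High leaves only the SMB event. Severity values are lower-cased before lookup because the level names are written with varying capitalisation in report descriptions.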

2.  ENISA - European Network and Information Security Agency

ENISA - European Network and Information Security Agency, commonly referred to as the European Union Agency for Cybersecurity, publishes a number of reports each year, which are included in the publications section of its website. Of particular interest is the ENISA Threat Landscape (ETL) Annual Report. This report gives the status of the cybersecurity threat landscape: it identifies the prime threats, the major trends observed with respect to threats, threat actors and attack techniques, and also describes relevant mitigation measures.


DDoS Reports

Additional Information