5 Protocols That Should Be Closely WatchedAttackers frequently scan for open SSH, FTP, and RDP ports, but companies need to watch out for attacks against less common protocols as well
For decades, opportunistic attackers have scanned the Internet for open ports through which they can compromise vulnerable applications.
Such scanning has only gotten easier: The Shodan search engine regularly scans the Internet and stores the results for anyone to search; researchers from the University of Michigan have refined techniques to allow for fast, comprehensive scans of a single port across the Internet; and programs, such as NMap, allow anyone to scan for open, and potentially vulnerable, ports.
While the most commonly attacked ports are those used by Secure Shell (SSH), the file transfer protocol (FTP), the remote desktop protocol (RDP), and Web servers (HTTP), companies need to monitor network activity aimed at less common protocols and ports, say security experts. Attackers will likely increasingly look for vulnerabilities in less common ports, says HD Moore, chief research officer for vulnerability-management firm Rapid7, which has made a name for itself scanning the Internet for just those ports.
"This stuff is not in the top bucket, in terms of priority, but it tends to bite people because they are not keeping an eye on it," he says.
Companies should not just monitor for malicious activity using these protocols, but proactively take an inventory of the applications inside their own networks and connected to the Internet that expose firms to potential opportunistic attacks, says Johannes Ullrich, dean of research for the SANS Technology Institute. The SANS Institute's DShield project collects data from contributors to analyze the ports in which attackers are most interested.
"Companies need not just detect the attacks coming in, but to inventory all the devices that have in their network looking at traffic on these ports," he says. "It sort of comes down to inventory control on the network."
For companies looking for a place to start, Ullrich and Moore suggest five protocols where companies can check for weaknesses.
Intelligent Platform Management Interface (IPMI)
Over the past year, security researcher Dan Farmer has investigated weaknesses in the Intelligent Platform Management Interface (IPMI) protocol. Many companies use servers that can be monitored and managed through a baseboard management controller, an embedded device that communicates using IPMI. Farmer found that the IPMI standard and various implementations have a number of security flaws.
['Project Sonar' community project launched for sharing Internet-scanning data, tools, and analysis. See Researchers Unite To #ScanAllTheThings.]
Rapid7 investigated SuperMicro's specific implementation, finding that the company's baseboard management controller used default passwords and was vulnerable to a number of universal plug-and-play issues.
"IPMI is used a lot by businesses, and they don't really understand what all the risks are," Moore says. "It is really difficult to have an IPMI installation that is not vulnerable."
Moore and other security experts recommend managing devices that use the IPMI protocol behind virtual private networks, firewalls, and other security, always assuming the devices are in a hostile network.
Embedded Web Servers
A variety of devices are vulnerable not because of the native protocols that they use, but because of the lightweight Web servers embedded in the devices to provide a management interface. From printers and baseboard management controllers to routers and PBXes, companies host a wide array of devices that likely have vulnerable Web interfaces to manage the technology.
"These undocumented, undisclosed, and unmonitored Web interfaces are a bigger deal than most people realize," Moore said. "They are really common, but they are not something that people normally keep track of."
Ullrich agrees, saying that DShield data shows that companies are seeing opportunistic scans for the devices.
"All the miscellaneous devices -- routers, switches -- sometimes have a management interface on an uncommon port, but you see a decent amount of scanning activity for these," he says.
Last year, Moore scanned the Internet for signs of videoconferencing systems connected directly to the Internet and set to auto answer, estimating that some 150,000 devices were vulnerable to an attacker directly calling into the conferencing system.
"Most folks did not do any sort of security on the videoconferencing side, and many of them had really horrible security on the Web management interface," Moore says.
Companies should scan their public Internet space on port 1720, typically used by the H.323 messaging protocol, using a "status enquiry" to nonintrusively check for potential vulnerable systems, according to Rapid7.
Databases are frequent targets of attacks. Many attackers scan for open Microsoft SQL Server and MySQL ports, but rather than attempting to compromise such systems with exploits, they instead attempt to brute-force the password protecting the databases, says the SANS Institute's Ullrich.
"They typically don't search for a vulnerability there, but for a weak password," he says. "They scan for the databases and then try to connect by guessing passwords."
Companies should track down any database accessible from the Internet and ensure that adequate steps are taken to secure access to the servers.
Simple Network Management Protocol (SNMP)
The DShield project sees some scanning for the Simple Network Management Protocol (SNMP), but Ullrich sees the protocol as mainly an overlooked risk.
Moore, however, sees SNMP as an engine for future attacks. Because many companies do not pay attention to SNMP, the protocol could be used as a vector for compromise and as a method of amplification for distributed denial-of-service attacks, Moore says.
"SNMP tends to get short shrift in terms of security exposure, not to mention it can be used for amplification attacks," Moore says. Amplification attacks typically use the DNS system, which can be made to respond to a single request with a multitude of packets. The SNMP protocol has similar characteristics, he says.
Companies should filter inbound malformed packets to prevent their systems from being used in a distributed denial-of-service attack and to block all outbound SNMP packets.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio