Dark Reading is part of the Informa Tech Division of Informa PLC


5 Protocols That Should Be Closely Watched

Attackers frequently scan for open SSH, FTP, and RDP ports, but companies need to watch out for attacks against less common protocols as well

For decades, opportunistic attackers have scanned the Internet for open ports through which they can compromise vulnerable applications.

Such scanning has only gotten easier: The Shodan search engine regularly scans the Internet and stores the results for anyone to search; researchers from the University of Michigan have refined techniques that allow fast, comprehensive scans of a single port across the entire Internet; and programs such as Nmap allow anyone to scan for open, and potentially vulnerable, ports.

While the most commonly attacked ports are those used by Secure Shell (SSH), the file transfer protocol (FTP), the remote desktop protocol (RDP), and Web servers (HTTP), companies need to monitor network activity aimed at less common protocols and ports, say security experts. Attackers will likely increasingly look for vulnerabilities in less common ports, says HD Moore, chief research officer for vulnerability-management firm Rapid7, which has made a name for itself scanning the Internet for just those ports.

"This stuff is not in the top bucket, in terms of priority, but it tends to bite people because they are not keeping an eye on it," he says.

Companies should not just monitor for malicious activity using these protocols, but proactively take an inventory of the applications inside their own networks and connected to the Internet that expose firms to potential opportunistic attacks, says Johannes Ullrich, dean of research for the SANS Technology Institute. The SANS Institute's DShield project collects data from contributors to analyze the ports in which attackers are most interested.

"Companies need not just detect the attacks coming in, but to inventory all the devices that they have in their network looking at traffic on these ports," he says. "It sort of comes down to inventory control on the network."

For companies looking for a place to start, Ullrich and Moore suggest five protocols where companies can check for weaknesses.

Intelligent Platform Management Interface (IPMI)
Over the past year, security researcher Dan Farmer has investigated weaknesses in the Intelligent Platform Management Interface (IPMI) protocol. Many companies use servers that can be monitored and managed through a baseboard management controller, an embedded device that communicates using IPMI. Farmer found that the IPMI standard and various implementations have a number of security flaws.


Rapid7 investigated SuperMicro's specific implementation, finding that the company's baseboard management controller used default passwords and was vulnerable to a number of universal plug-and-play (UPnP) issues.

"IPMI is used a lot by businesses, and they don't really understand what all the risks are," Moore says. "It is really difficult to have an IPMI installation that is not vulnerable."

Moore and other security experts recommend managing devices that use the IPMI protocol behind virtual private networks, firewalls, and other security, always assuming the devices are in a hostile network.
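The advice above amounts to a policy that can be checked rather than assumed: IPMI-over-LAN (RMCP) is carried on UDP port 623, so any UDP/623 traffic toward a BMC from a source outside the management network is either a misconfiguration or an attack. The following Python is an added example, not code from the article, Rapid7, or Dan Farmer's research; it parses constructed iptables-style log lines (the `IPMI-IN` log prefix, the 10.10.0.0/24 management subnet and the BMC addresses are all hypothetical) and reports exposed BMCs, distinguishing other-internal sources from Internet sources.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed iptables-style LOG lines (not real traffic). "IPMI-IN" is a
# hypothetical --log-prefix on a rule that logs packets arriving at the BMC VLAN.
SAMPLE_FW_LOG = """\
Sep 19 10:01:02 fw kernel: IPMI-IN IN=eth0 OUT= SRC=10.10.0.5 DST=10.10.1.20 PROTO=UDP SPT=50231 DPT=623 LEN=40
Sep 19 10:01:05 fw kernel: IPMI-IN IN=eth0 OUT= SRC=192.168.50.7 DST=10.10.1.20 PROTO=UDP SPT=41222 DPT=623 LEN=40
Sep 19 10:01:09 fw kernel: IPMI-IN IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.21 PROTO=UDP SPT=3343 DPT=623 LEN=40
Sep 19 10:01:11 fw kernel: IPMI-IN IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.21 PROTO=TCP SPT=3344 DPT=443 LEN=60
"""

IPMI_PORT = 623  # RMCP / IPMI-over-LAN listens on UDP 623

# Hypothetical network layout: only the management subnet may talk to BMCs.
# The RFC 1918 list is used to tell "other internal" from "Internet" sources.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_KV = re.compile(r"(\w+)=(\S*)")


def parse_fw_line(line: str) -> Dict[str, str]:
    """Extract KEY=value fields (SRC, DST, PROTO, DPT, ...) from one log line."""
    return dict(_KV.findall(line))


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def is_management_source(src: str) -> bool:
    return in_any(src, MGMT_NETS)


def find_ipmi_exposure(log_text: str) -> List[Dict[str, str]]:
    """One finding per UDP/623 packet whose source lies outside MGMT_NETS."""
    findings = []
    for line in log_text.splitlines():
        f = parse_fw_line(line)
        if f.get("PROTO") != "UDP" or f.get("DPT") != str(IPMI_PORT):
            continue  # not IPMI; the BMC web UI on 443 is a separate inventory item
        src = f["SRC"]
        if is_management_source(src):
            continue  # expected: management hosts talking to BMCs
        scope = "internal-non-mgmt" if in_any(src, RFC1918_NETS) else "external"
        findings.append({"src": src, "bmc": f["DST"], "scope": scope})
    return findings


if __name__ == "__main__":
    for hit in find_ipmi_exposure(SAMPLE_FW_LOG):
        print(f"{hit['scope']:18} {hit['src']:>15} -> BMC {hit['bmc']}")
```

An `external` finding means the firewall in front of the BMC VLAN is not doing what the text recommends; an `internal-non-mgmt` finding usually means a BMC has been placed on a general-purpose VLAN and should be moved or filtered.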

Embedded Web Servers
A variety of devices are vulnerable not because of the native protocols that they use, but because of the lightweight Web servers embedded in the devices to provide a management interface. From printers and baseboard management controllers to routers and PBXes, companies host a wide array of devices that likely have vulnerable Web interfaces to manage the technology.

"These undocumented, undisclosed, and unmonitored Web interfaces are a bigger deal than most people realize," Moore says. "They are really common, but they are not something that people normally keep track of."

Ullrich agrees, saying that DShield data shows that companies are seeing opportunistic scans for the devices.

"All the miscellaneous devices -- routers, switches -- sometimes have a management interface on an uncommon port, but you see a decent amount of scanning activity for these," he says.

Last year, Moore scanned the Internet for signs of videoconferencing systems connected directly to the Internet and set to auto answer, estimating that some 150,000 devices were vulnerable to an attacker directly calling into the conferencing system.

"Most folks did not do any sort of security on the videoconferencing side, and many of them had really horrible security on the Web management interface," Moore says.

Companies should scan their public Internet space on port 1720, typically used by the H.323 signaling protocol, using a "status enquiry" to nonintrusively check for potentially vulnerable systems, according to Rapid7.
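The inventory problem Moore and Ullrich describe starts with turning raw discovery output into a list of management interfaces that nobody has formally registered. The Python below is an added example, not code from the article or from Rapid7; it parses constructed discovery records (hypothetical hosts, one `host port Server-header` line each), passes over servers the organization knowingly runs on standard ports, and tags everything else with why it deserves review: a banner typical of embedded devices, an uncommon port, or simply an unrecognized server. The allow-list and banner hints are assumptions to be replaced with your own data.

```python
import re
from typing import Dict, List, Optional

# Constructed output of an internal discovery run, one "host port banner" per
# line (not real hosts). The banner is the HTTP Server header the port returned.
SAMPLE_DISCOVERY = """\
10.20.0.10 443 Apache/2.4.41 (Ubuntu)
10.20.0.31 80 GoAhead-Webs
10.20.0.44 8080 Boa/0.94.14rc21
10.20.0.45 8000 lighttpd/1.4.35
10.20.0.50 443 nginx/1.18.0
"""

# Hypothetical allow-list: server software the organization knowingly operates.
KNOWN_APP_SERVERS = ("Apache/", "nginx/", "Microsoft-IIS/")
# Server names that commonly appear on embedded management interfaces
# (printers, BMCs, routers, PBXes); extend this from your own discovery data.
EMBEDDED_SERVER_HINTS = ("GoAhead", "Boa/", "mini_httpd", "RomPager", "thttpd")
STANDARD_WEB_PORTS = {80, 443}

_VERSION = re.compile(r"/(\d+(?:\.\d+)*)")


def parse_discovery(text: str) -> List[Dict[str, object]]:
    services = []
    for line in text.splitlines():
        host, port, banner = line.split(maxsplit=2)
        services.append({"host": host, "port": int(port), "server": banner})
    return services


def classify(svc: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return a finding for anything that is not a known app server on a standard port."""
    server = str(svc["server"])
    if server.startswith(KNOWN_APP_SERVERS) and svc["port"] in STANDARD_WEB_PORTS:
        return None
    reasons = []
    if any(hint in server for hint in EMBEDDED_SERVER_HINTS):
        reasons.append("embedded-server-banner")
    if svc["port"] not in STANDARD_WEB_PORTS:
        reasons.append("uncommon-port")
    if not reasons:
        reasons.append("unknown-server")  # banner not in the allow-list
    m = _VERSION.search(server)  # version string helps track patch status later
    return {**svc, "version": m.group(1) if m else None, "reasons": reasons}


def inventory_findings(text: str) -> List[Dict[str, object]]:
    return [f for f in (classify(s) for s in parse_discovery(text)) if f]


if __name__ == "__main__":
    for f in inventory_findings(SAMPLE_DISCOVERY):
        print(f"{f['host']}:{f['port']:<5} {f['server']:<28} "
              f"v={f['version'] or '?'}  {', '.join(f['reasons'])}")
```

The output is the starting point for the inventory the text calls for: each finding is either registered as a known device (and added to the allow-list) or treated as an unmanaged interface to be firewalled, patched, or removed.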

SQL Servers
Databases are frequent targets of attacks. Many attackers scan for open Microsoft SQL Server and MySQL ports, but rather than attempting to compromise such systems with exploits, they instead attempt to brute-force the password protecting the databases, says the SANS Institute's Ullrich.

"They typically don't search for a vulnerability there, but for a weak password," he says. "They scan for the databases and then try to connect by guessing passwords."

Companies should track down any database accessible from the Internet and ensure that adequate steps are taken to secure access to the servers.
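Because the attacks Ullrich describes are password guessing rather than exploitation, the signal is a burst of failed logins from one source, often cycling through account names. The Python below is an added example, not code from the article or from SANS/DShield; it runs a sliding-window detector over constructed MySQL-style error log lines (the timestamps, addresses and the `Access denied for user` format are constructed to resemble MySQL's, and the threshold of five failures in 60 seconds is an assumption to tune).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed MySQL-style error log excerpt (not from a real server).
SAMPLE_MYSQL_LOG = """\
2020-09-19T10:00:01.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-09-19T10:00:01.400000Z 13 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-09-19T10:00:02.100000Z 14 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-09-19T10:00:02.900000Z 15 [Note] Access denied for user 'sa'@'203.0.113.5' (using password: YES)
2020-09-19T10:00:03.200000Z 16 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-09-19T10:00:40.000000Z 17 [Note] Access denied for user 'app'@'10.20.0.12' (using password: YES)
2020-09-19T10:05:00.000000Z 18 [Note] Access denied for user 'app'@'10.20.0.12' (using password: YES)
"""

DENIED = re.compile(
    r"^(?P<ts>\S+) \d+ \[\w+\] Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_denials(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, source host, attempted user) for each denied login."""
    events = []
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append((ts, m["host"], m["user"]))
    return events


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Flag each source with >= threshold denials inside any window of `window` length."""
    recent = defaultdict(deque)   # per source: timestamps still inside the window
    users = defaultdict(set)      # per source: every account name it has tried
    alerts: Dict[str, dict] = {}
    for ts, host, user in parse_denials(log_text):   # log lines are in time order
        q = recent[host]
        q.append(ts)
        users[host].add(user)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures older than the window
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {"first_seen": q[0], "count": len(q),
                            "users": sorted(users[host])}
    return alerts


if __name__ == "__main__":
    for host, a in detect_bruteforce(SAMPLE_MYSQL_LOG).items():
        print(f"{host}: {a['count']} failures since {a['first_seen']}, users tried {a['users']}")
```

The internal host with two failures minutes apart stays below the threshold, while the external source that cycles through `root`, `admin` and `sa` in three seconds is reported. Whichever threshold is chosen, the list of attempted usernames is worth keeping: guessing of accounts that do not exist on the server is a strong sign of an opportunistic scanner rather than a misconfigured client.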

Simple Network Management Protocol (SNMP)
The DShield project sees some scanning for the Simple Network Management Protocol (SNMP), but Ullrich sees the protocol as mainly an overlooked risk.

Moore, however, sees SNMP as an engine for future attacks. Because many companies do not pay attention to SNMP, the protocol could be used as a vector for compromise and as a method of amplification for distributed denial-of-service attacks, Moore says.

"SNMP tends to get short shrift in terms of security exposure, not to mention it can be used for amplification attacks," Moore says. Amplification attacks typically use the DNS system, which can be made to respond to a single request with a multitude of packets. The SNMP protocol has similar characteristics, he says.

Companies should filter inbound malformed packets to prevent their systems from being used in a distributed denial-of-service attack, and block all outbound SNMP packets.
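Both halves of that recommendation can be verified from flow data: any SNMP response leaving the network toward an Internet address violates the outbound block, and a response volume many times larger than the requests that triggered it is the amplification pattern Moore describes. The Python below is an added example, not code from the article, Rapid7 or DShield; it summarizes constructed NetFlow-style CSV records per external peer (addresses, byte counts, the 10.30.0.0/16 address space and the 5x alert ratio are all hypothetical) and reports outbound SNMP and likely amplification.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed NetFlow-style records (not real traffic). Two external peers
# appear as request sources; in a reflection attack those are spoofed victims.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,bytes
2020-09-19T10:00:00Z,198.51.100.7,40001,10.30.0.8,161,udp,90
2020-09-19T10:00:00Z,10.30.0.8,161,198.51.100.7,40001,udp,1460
2020-09-19T10:00:01Z,198.51.100.7,40001,10.30.0.8,161,udp,90
2020-09-19T10:00:01Z,10.30.0.8,161,198.51.100.7,40001,udp,1460
2020-09-19T10:00:05Z,10.30.0.2,53011,10.30.0.8,161,udp,120
2020-09-19T10:00:05Z,10.30.0.8,161,10.30.0.2,53011,udp,300
2020-09-19T10:00:09Z,203.0.113.20,5555,10.30.0.8,161,udp,90
2020-09-19T10:00:09Z,10.30.0.8,161,203.0.113.20,5555,udp,200
"""

SNMP_PORTS = {161, 162}                                # agent and trap ports
OUR_NETS = [ipaddress.ip_network("10.30.0.0/16")]      # hypothetical address space
AMPLIFICATION_THRESHOLD = 5.0                          # hypothetical alert ratio


def is_ours(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_NETS)


def snmp_peer_stats(flow_csv: str) -> Dict[str, Dict[str, int]]:
    """Per external peer: bytes it sent to our SNMP ports vs bytes our SNMP ports sent it."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "udp":
            continue
        src, dst, nbytes = row["src"], row["dst"], int(row["bytes"])
        if int(row["dport"]) in SNMP_PORTS and is_ours(dst) and not is_ours(src):
            stats[src]["in_bytes"] += nbytes       # request from outside
        elif int(row["sport"]) in SNMP_PORTS and is_ours(src) and not is_ours(dst):
            stats[dst]["out_bytes"] += nbytes      # response leaving the network
    return dict(stats)


def snmp_findings(flow_csv: str) -> List[Dict[str, object]]:
    findings = []
    for peer, s in sorted(snmp_peer_stats(flow_csv).items()):
        if s["out_bytes"] == 0:
            continue  # inbound probes that got no answer: the outbound block is working
        reasons = ["outbound-snmp-to-external"]
        ratio = s["out_bytes"] / s["in_bytes"] if s["in_bytes"] else float("inf")
        if ratio >= AMPLIFICATION_THRESHOLD:
            reasons.append("amplification-suspect")
        findings.append({"peer": peer, "ratio": round(ratio, 1), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in snmp_findings(SAMPLE_FLOWS):
        print(f"{f['peer']:>15} ratio={f['ratio']:<6} {', '.join(f['reasons'])}")
```

Any `outbound-snmp-to-external` finding means the egress filter the text recommends is missing or has a hole; the `amplification-suspect` tag singles out the peers whose traffic already looks like a reflection attack in progress, which is also the point at which the "victim" address should be treated as spoofed rather than as the attacker.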

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...