
DNS Open Resolver

What is it?

An open recursive DNS resolver can be leveraged in denial-of-service attacks, specifically DNS amplification: the attacker sends small queries with a spoofed source address, and the resolver delivers the much larger answers to the spoofed victim. A DNS server is considered open if it provides recursive name resolution for clients outside of the server's administrative domain, that is, it will look up any name for anyone who asks.

What can I do about it?

If possible, disable recursion on your server (an authoritative-only server does not need it). This may, however, affect your environment and users. If recursion is necessary, restrict it to your own local, trusted networks, for example with the allow-recursion option in BIND or access-control in Unbound; a server that answers recursive queries only for addresses it trusts will resolve the issue. Re-test from an address outside those networks after the change.
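To see for yourself whether a server is an open resolver, send it a query with the RD (recursion desired) bit set from outside its trusted networks and look at the RA (recursion available) bit, the response code and the answer count in the reply. The following Python script is an added example, not code from the original alert page; it assumes you run it from an outside address, uses example.com as the test name and port 53, and talks to the server with a raw UDP socket rather than a DNS library.

```python
import os
import socket
import struct
import sys


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (QTYPE 1 = A, QCLASS IN) with the RD bit set.

    An authoritative-only server answers this without RA for names it does not
    host; an open resolver sets RA and returns a full answer.
    """
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(message):
    """Decode the 12-byte DNS header into the fields this check cares about."""
    if len(message) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }


def classify(query, response):
    """Turn a query/response pair into a verdict about the server."""
    q = parse_header(query)
    r = parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "not a reply to our query"
    if r["ra"] and r["rcode"] == 0 and r["answers"] > 0:
        return "OPEN RESOLVER: recursion offered and the name was resolved"
    if r["ra"]:
        return "recursion advertised (RA set); review allow-recursion scope"
    if r["rcode"] == 5:
        return "closed: server REFUSED the query"
    return "closed: no recursion offered"


def probe(server, name="example.com", timeout=3.0):
    """Send one query and classify the answer (or the lack of one)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return "closed: no response (filtered or dropped)"
    return classify(query, response)


if __name__ == "__main__":
    # Usage: python3 open_resolver_check.py <server-ip>
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A REFUSED response or no response at all is what you want to see from the outside; "recursion advertised" without an answer usually means the server is recursive but a view or access list stopped this particular query, which is still worth confirming against your intended policy.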

NTP

What is it?

Mode 6 is NTP's control and monitoring channel, the one the ntpq tool uses. An NTP server or client that answers mode 6 requests (such as readvar) from any address returns responses up to about 40 times larger than the request, and because NTP runs over UDP an attacker can spoof the source address so those responses are delivered to a victim. The same exposure lets the related mode 7 monlist request, the subject of CERT VU#348126, be abused for even larger amplification. The flood of control requests also loads the server itself, which must process each one and generate the larger reply.

What can I do about it?

Update ntpd to version 4.2.7p26 or later, which removes the monlist query. Whether or not you can update, restrict queries so that only authorized hosts can issue them: in ntp.conf a line such as "restrict default kod nomodify notrap nopeer noquery" (with separate, looser restrict lines for your own management hosts) stops mode 6 and mode 7 queries from everyone else, and "disable monitor" turns off the data collection monlist reads. Please see https://www.kb.cert.org/vuls/id/348126 for more info on this process.

NetBIOS

What is it?

NetBIOS is a protocol that should only be visible on your LAN, if at all. Typically it is only needed for legacy file and printer sharing and for Windows name resolution between hosts on the same network. It should never be visible outside your local network: exposing the NetBIOS name service on UDP port 137 to the internet leaks host, domain and workgroup names to anyone who asks, lets the server be abused as a reflector in amplification attacks, and gives attackers a foothold for the SMB attacks described further down.

What can I do about it?

Blocking TCP and UDP ports 135-139 and 445, both ingress and egress, at the edge of your network is typically the best solution. Another recommended step is to disable NetBIOS over TCP/IP in the operating system's network adapter settings unless it is absolutely critical that it remain running.

SSDP

What is it?

SSDP (Simple Service Discovery Protocol) is the UPnP discovery protocol: a client sends an M-SEARCH request to UDP port 1900 and every UPnP device that hears it replies with a description of the services it offers. Because the reply is much larger than the request and the protocol runs over UDP, an SSDP responder exposed to the internet can be used by an attacker in an amplification attack against a third-party host.

What can I do about it?

Blocking UDP port 1900 at your network edge, in both directions, disables this attack vector. Turning off the SSDP Discovery service within Windows, or UPnP on routers and embedded devices that do not need it, is also an acceptable solution.

TFTP

What is it?

An open TFTP (Trivial File Transfer Protocol) server can be used by an attacker to mount a UDP amplification attack against a host. Additionally, TFTP has no authentication, so a TFTP server exposed to the internet may mean the exposure of sensitive data such as device configurations and firmware images, and, if the server accepts writes, the replacement of those files with tampered ones.

What can I do about it?

Blocking UDP port 69 ingress at the edge of your network will close this attack vector. Where TFTP is needed for internal devices (network gear booting or backing up configurations), also restrict it to the management network and disable it everywhere else.

RDP

What is it?

RDP (Remote Desktop Protocol) is used to allow remote access to Windows PCs and servers. An RDP service reachable from the internet means a Windows host is exposed to password guessing, credential stuffing and any unpatched vulnerability in the RDP service itself; exposed RDP is a common entry point for ransomware.

What can I do about it?

Ideally, RDP servers will be accessible only via VPN or a remote desktop gateway. If this is not possible, a firewall rule that allows only authorized source addresses to reach TCP 3389 on RDP servers is an acceptable solution. In either case, require Network Level Authentication and strong, unique credentials on every RDP host.

Poodle

What is it?

POODLE takes advantage of a weakness in the SSL 3.0 protocol (its CBC padding is not protected by the MAC) that lets an attacker who can act as a man in the middle decrypt parts of a supposedly secure connection, such as session cookies. Clients normally negotiate the highest protocol version both sides support, but for backward compatibility many retry a failed handshake with an older version; an attacker who disrupts the TLS handshakes can therefore force the client to fall back to SSL 3.0 and then mount the attack.

What can I do about it?

Disable all support for SSLv3 on affected servers (and on clients). If this is not possible, support TLS_FALLBACK_SCSV (RFC 7507): a client that is retrying with a lower version includes this signalling cipher suite in its ClientHello, and a server that supports a higher version then rejects the downgraded handshake with an inappropriate_fallback alert, so an attacker cannot force a browser down to SSLv3. This only protects clients that also implement the signal. See the following link for more details: https://www.tinfoilsecurity.com/blog/how-to-fix-poodle-and-why-you-are-probably-still-vulnerable
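To check a server yourself, send it a ClientHello that offers only SSL 3.0 and see whether it answers with an SSL 3.0 ServerHello or refuses. The script below is an added example, not code from this page or from the linked blog post; it builds the record by hand with a fixed set of CBC cipher suites, can append TLS_FALLBACK_SCSV to show the downgrade signal in action, and assumes port 443 and a plain TCP connection (no SNI).

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"
# CBC cipher suites, the kind POODLE needs; RSA key exchange keeps the hello small.
CBC_SUITES = [0x002F, 0x0035, 0x000A]   # AES128-SHA, AES256-SHA, DES-CBC3-SHA
TLS_FALLBACK_SCSV = 0x5600             # RFC 7507 downgrade signal
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version=SSL3, suites=CBC_SUITES, with_scsv=False, random_bytes=None):
    """Build one ClientHello record that offers only `version`.

    Offering SSL 3.0 alone is exactly what a browser does after a forced fallback.
    with_scsv=True appends TLS_FALLBACK_SCSV; a server that supports a higher
    version must then answer with an inappropriate_fallback alert.
    """
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    cs = list(suites) + ([TLS_FALLBACK_SCSV] if with_scsv else [])
    cipher_block = struct.pack("!H", 2 * len(cs)) + b"".join(struct.pack("!H", c) for c in cs)
    body = version + rnd + b"\x00" + cipher_block + b"\x01\x00"  # empty session id; null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def classify_response(data):
    """Interpret the first record the server sends back."""
    if not data:
        return "refused: server closed the connection"
    if data[0] == 0x15 and len(data) >= 7:                        # alert record: level, description
        return f"refused: alert {ALERTS.get(data[6], data[6])}"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake record holding a ServerHello
        negotiated = data[9:11]
        if negotiated == SSL3:
            return "VULNERABLE: server negotiated SSL 3.0"
        return f"server negotiated version {negotiated.hex()}"
    return "unrecognised response"


def probe(host, port=443, with_scsv=False, timeout=5.0):
    """Open a TCP connection, send the hello, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(with_scsv=with_scsv))
        try:
            data = s.recv(4096)          # b"" if the server simply hangs up
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # Usage: python3 sslv3_check.py <hostname-or-ip>
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(f"{host}: SSLv3 only   -> {probe(host)}")
    print(f"{host}: SSLv3 + SCSV -> {probe(host, with_scsv=True)}")
```

A "VULNERABLE" result on the first line means the server still speaks SSL 3.0 and needs the protocol disabled; an inappropriate_fallback alert on the second line shows the server honours the SCSV, which protects patched clients but does nothing for clients that never send it.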

PortMapper

What is it?

Portmapper (rpcbind) tells clients which port each ONC RPC service (NFS, NIS and so on) is listening on, and it can be used in amplification attacks. A small UDP request such as a DUMP of the registered programs, sent with the spoofed address of the victim, will cause the open portmapper to send a much larger response to the victim indicated by the spoofed IP address. An exposed portmapper also advertises which RPC services the host runs, which is useful reconnaissance for an attacker.

What can I do about it?

Portmapper should never be exposed to the open internet. Blocking port 111 (UDP, and TCP as well) at the internet edge is the best course of action; if the host does not serve NFS or other RPC services, disable rpcbind entirely.

mDNS

What is it?

mDNS (multicast DNS, used by Bonjour and Avahi) is a link-local service-discovery protocol on UDP port 5353 that was never meant to leave the local network. A host that also answers unicast mDNS queries from the internet returns its full list of advertised services in response to a tiny query, so it can be used to amplify DDoS attacks, and it leaks the device's hostname and services to anyone who asks.

What can I do about it?

Blocking inbound and outbound mDNS on UDP 5353 at the network edge is an acceptable solution. Completely disabling mDNS (the Avahi daemon on Linux, the Bonjour service on Windows) is also an option if it is unnecessary on an affected host.
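The NTP, SSDP, portmapper and mDNS alerts above all come down to one measurement: how many bytes does the service send back for a single small, spoofable UDP request? The script below is an added example, not part of the original page, that sends each service's smallest useful request (an NTP mode 6 readvar, an SSDP M-SEARCH, a portmapper DUMP with a fixed transaction id, and an mDNS PTR query for _services._dns-sd._udp.local) and reports the amplification factor. The payloads are constructed here rather than captured; the script uses only the standard library, assumes the ports named in the alerts, and is meant to be run from outside the network, with permission, against your own hosts.

```python
import socket
import sys

# Constructed request payloads: each is the smallest message that makes an
# exposed service send back a large reply. Ports are the ones the alerts name.
PROBES = {
    # NTP mode 6 control message: byte 0 = LI 0, version 2, mode 6 (0x16);
    # byte 1 = opcode 2 (READVAR); sequence 1; status, association id, offset
    # and count all zero. This is the request `ntpq -c rv` sends.
    "ntp-mode6": (123, bytes([0x16, 0x02, 0x00, 0x01]) + bytes(8)),
    # SSDP M-SEARCH for all service types: every UPnP device that hears it
    # replies with a description of each service it offers.
    "ssdp": (1900, ("M-SEARCH * HTTP/1.1\r\n"
                    "HOST: 239.255.255.250:1900\r\n"
                    "MAN: \"ssdp:discover\"\r\n"
                    "MX: 1\r\n"
                    "ST: ssdp:all\r\n\r\n").encode()),
    # ONC RPC call to portmapper: xid (fixed here, random in real tools), CALL (0),
    # RPC version 2, program 100000, program version 2, procedure 4 (DUMP), then
    # AUTH_NULL credentials and verifier (flavor 0, length 0 each). These 40 bytes
    # make the server return its whole table of registered RPC programs.
    "portmapper": (111, bytes.fromhex("2a2a2a2a 00000000 00000002 000186a0 00000002 00000004") + bytes(16)),
    # mDNS query: DNS header with one question, then the name
    # _services._dns-sd._udp.local, type PTR (12), class IN (1). A responder
    # that accepts unicast queries answers with every service it advertises.
    "mdns": (5353, bytes.fromhex("000000000001000000000000")
                   + b"\x09_services\x07_dns-sd\x04_udp\x05local\x00"
                   + b"\x00\x0c\x00\x01"),
}


def amplification_factor(request, responses):
    """Bytes received per byte sent. One request can draw several datagrams
    (NTP sets its 'more' bit, SSDP answers once per service), so sum them all."""
    return sum(len(r) for r in responses) / len(request)


def is_ntp_control_response(data):
    """True if `data` is a mode 6 reply: mode bits == 6 and the R (response) bit set."""
    return len(data) >= 12 and (data[0] & 0x07) == 6 and bool(data[1] & 0x80)


def probe(host, port, payload, timeout=2.0):
    """Send the payload once and collect every datagram that arrives before the timeout."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        while True:
            try:
                data, _ = s.recvfrom(65535)
            except socket.timeout:
                break
            replies.append(data)
    return replies


def report(host):
    """Print one line per service with datagram count, bytes and amplification."""
    for name, (port, payload) in PROBES.items():
        replies = probe(host, port, payload)
        if not replies:
            print(f"{name:11s} udp/{port:<5d} no reply (closed or filtered)")
            continue
        total = sum(len(r) for r in replies)
        factor = amplification_factor(payload, replies)
        note = ""
        if name == "ntp-mode6" and not all(is_ntp_control_response(r) for r in replies):
            note = " (reply is not a mode 6 control response)"
        print(f"{name:11s} udp/{port:<5d} {len(replies)} datagram(s), {total} bytes, "
              f"x{factor:.1f} amplification{note}")


if __name__ == "__main__":
    # Usage: python3 udp_amp_check.py <host-ip>
    report(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
```

Any service that answers at all from the outside is a finding; the factor tells you how attractive it is as a reflector, and a host that returns several NTP datagrams with the 'more' bit set or a long portmapper table is exactly what the edge-filtering advice above is meant to stop.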

XDMCP

What is it?

Similar to RDP for Windows clients, an exposed XDMCP (X Display Manager Control Protocol, UDP port 177) server allows any connecting device to be presented with a graphical login screen for an X session on the host, so remote logins are possible through this connection. Additionally, all information, including passwords, is transmitted unencrypted, so anyone on the network path can capture credentials and session contents.

What can I do about it?

Disable this service if it does not need to be running (most display managers have a setting that turns XDMCP off). Otherwise lock it down by firewalling UDP 177 to authorized hosts, and prefer SSH with X forwarding or a VPN for remote graphical access.

SMB

What is it?

SMB (Server Message Block) is the file- and printer-sharing service that runs on most Windows machines, and it has a long history of remotely exploitable vulnerabilities. Malware targets unpatched versions of SMB, often gaining remote code execution and SYSTEM-level access; high-profile examples include WannaCry, which spread through the SMBv1 flaw patched in MS17-010.

What can I do about it?

Apply all vendor patches for SMB (MS17-010 at a minimum) and disable SMBv1, which has no place on a modern network. Whether or not you can patch, ensure TCP ports 445 and 139 are not reachable from outside your own network; SMB should never be exposed to the internet.

Drones

What is it?

A device on your network has been observed behaving as a drone (bot): it has been compromised and is being controlled by an outside entity, typically as part of a botnet used for spam, DDoS attacks or further intrusions.

What can I do about it?

The host in question must be removed from the botnet, whether through anti-malware tools, closing the attack vector by which it was compromised (patching, removing exposed services, changing weak credentials), or re-installing the OS from a verified clean image. Re-installing is the only certain remedy; afterwards, change any credentials the host held and check the rest of the network for other infected devices.