
Reports on Openly Accessible Server Services

This website provides information about the notifications sent by CERT-Bund to German network operators about open server services which could be (or have already been) misused for DDoS reflection attacks against third-party systems. Advice on how to check and secure the open services reported can be found in our HOWTOs.

DDoS reflection attacks

UDP-based network services such as DNS, NTP, SSDP, SNMP or Portmap that are openly accessible from the Internet are regularly abused to carry out DDoS reflection attacks against third-party systems. The attacker sends a small request packet with a forged source address to an open server service on the Internet. Because UDP involves no handshake, the service cannot tell that the source address is forged; it sends its much larger response to that address, i.e. to the victim's system. Depending on the abused service, amplification factors (the ratio of the size of the response to the size of the request) of up to 550 are possible. By abusing many open server services in parallel, attackers can thus generate malicious traffic of several gigabits per second and paralyse the victim's system (denial of service). You can find out more about how DDoS attacks work in the references below.
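As an added example (not code from this page, CERT-Bund or Shadowserver), the following Python script builds the two kinds of probe packets that Shadowserver-style scans send to the services named above (an NTP mode-7 "monlist" request and a recursive DNS query), checks a DNS answer for the open-resolver condition (recursion available, no error) and computes the amplification factor as defined above. The DNS answer bytes and the response sizes used in the offline demonstration are constructed, not captured traffic; the function that actually sends a probe is only called from the command line and should only be pointed at hosts you are responsible for.

```python
"""Reflection-probe helpers: build NTP monlist / DNS probes, judge answers.

Added example, not CERT-Bund or Shadowserver code. Packet layouts follow the
public formats (RFC 1035 for DNS, the ntpd mode-7 private-query format for
monlist); sample answers below are constructed for an offline demo.
"""
import socket
import struct


def build_monlist_probe() -> bytes:
    """NTP mode 7 MON_GETLIST_1 request (8 bytes).
    byte 0: response=0, more=0, version=2, mode=7   -> 0x17
    byte 1: auth=0, sequence=0
    byte 2: implementation XNTPD (3)
    byte 3: request code 42 (monlist)
    bytes 4-7: err/count/mbz/size, all zero"""
    return bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])


def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Recursive DNS query (RD=1). qtype 1 = A; reflection abuse uses 255 = ANY."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: only RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def amplification_factor(request: bytes, response_total: int) -> float:
    """Bytes reflected toward the forged source per byte the attacker sent."""
    return response_total / len(request)


def dns_response_is_open_resolver(response: bytes, txid: int = 0x1234) -> bool:
    """True if the answer is ours (txid), is a response (QR=1), advertises
    recursion available (RA=1) and succeeded (RCODE=0): an open resolver."""
    if len(response) < 12:
        return False
    rid, flags = struct.unpack("!HH", response[:4])
    qr = flags >> 15 & 1
    ra = flags >> 7 & 1
    rcode = flags & 0xF
    return rid == txid and qr == 1 and ra == 1 and rcode == 0


# Constructed sample answers (not captured traffic) for the offline demo.
SAMPLE_OPEN_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1 RCODE=0
    + b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
)
SAMPLE_REFUSED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)   # RA=0, RCODE=5 REFUSED
    + b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
)


def probe_udp(host: str, port: int, payload: bytes, timeout: float = 2.0) -> list:
    """Live network call: send one probe, collect every datagram that comes
    back until `timeout` seconds of silence (monlist answers span many packets)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    datagrams = []
    try:
        sock.sendto(payload, (host, port))
        while True:
            data, _ = sock.recvfrom(65535)
            datagrams.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return datagrams


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3 and sys.argv[1] == "ntp":
        probe = build_monlist_probe()
        got = sum(len(d) for d in probe_udp(sys.argv[2], 123, probe))
        print(f"monlist: {got} bytes back, amplification {amplification_factor(probe, got):.1f}x")
    elif len(sys.argv) >= 4 and sys.argv[1] == "dns":
        probe = build_dns_query(sys.argv[3], qtype=255)
        answers = probe_udp(sys.argv[2], 53, probe)
        total = sum(len(d) for d in answers)
        open_res = any(dns_response_is_open_resolver(a) for a in answers)
        print(f"dns ANY: open resolver={open_res}, {total} bytes back, "
              f"amplification {amplification_factor(probe, total):.1f}x")
    else:
        print("usage: ntp HOST | dns HOST NAME   (probe only hosts you operate)")
```

Usage: `python3 reflect_check.py ntp 192.0.2.10` or `python3 reflect_check.py dns 192.0.2.10 example.test`. A server that answers the monlist probe at all, or that returns RA=1 with RCODE=0 to a stranger's recursive query, is a reflector regardless of the exact factor measured; the factor only tells you how attractive it is to an attacker.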

Attacks of this kind are regularly carried out by cyber criminals, for example to extort the operators of online shops. Securing or shutting down problematic open server services deprives these criminals of the tools they need to carry out such attacks. As Germany's national Computer Emergency Response Team, CERT-Bund strives to reduce the number of open server services in Germany that can be misused for DDoS reflection attacks.

Identifying affected server services

The Shadowserver Foundation is a respected non-commercial association of security experts from around the world. Shadowserver conducts daily scans for server services that are openly accessible from the Internet and can be misused for DDoS reflection attacks. The results are compiled per country and made available to the respective national CERTs. Based on this data, CERT-Bund regularly notifies the relevant network operators in Germany. These operators are asked to take appropriate measures to prevent the misuse of the detected openly accessible services for DDoS reflection attacks. If the affected network operator is a provider, it is asked to inform its affected customers accordingly. Network operators can also obtain the results for the network segments under their responsibility directly from Shadowserver.

Clean-up in Germany

Since mid-2014, regular notifications from CERT-Bund and the support of network operators and system administrators have led to a significant reduction in the number of openly accessible server services in Germany that can be misused for DDoS reflection attacks. The following graph shows the trend in the number of openly accessible server services in Germany from June 2014 to June 2019 using the example of open SSDP and SNMP servers, open DNS resolvers and NTP servers with an active 'monlist' function.

[Figure: Clean-up of open services in Germany]
Data source: Shadowserver

The absolute number of NTP servers with an active 'monlist' function is comparatively small, but misusing this service yields the highest average amplification factor.

International clean-up

Like CERT-Bund, other national CERTs are also striving to further reduce the number of openly accessible server services in their respective countries. The following graph shows the number of openly accessible server services worldwide and in Germany in June 2016 as a percentage of the June 2014 figure (= 100% in each case), using the example of open SSDP and SNMP servers, open DNS resolvers and NTP servers with an active 'monlist' function.

[Figure: International clean-up of open services]
Data source: Shadowserver

The number of openly accessible server services has already been reduced significantly worldwide. In Germany, the clean-up rate for every one of these server services is above the international average.

Get involved!

Support the clean-up effort by securing openly accessible server services on your systems or deactivating services that are not required. Find out more in our HOWTOs.

References