In computer networking, a port is a communication endpoint that allows your systems to communicate over the internet. Every IP address has two kinds of ports, TCP and UDP. Any internet service requires a certain number of ports to be open in order to function. However, unattended open ports invite a plethora of attacks and exploits that you simply can’t afford.
Dangers of open port misconfigurations
Security best practices advise that ports be left open strictly on a need-to-have basis. Ideally, your IT team should have full knowledge of every open port so that it can be monitored continuously. In reality, your team may lose track of the open ports across your infrastructure.
Open ports can be perfect entry points for gaining a foothold on your server. A simple port scan of a target server may tell attackers all they need to know about:
- Open ports within the system
- Services and applications running through these ports
Let’s look at some of the attacks that you can attract via unmonitored open ports. Following that, we will see how Netenrich’s ASI acts as an always-on open port check tool.
Initiating malware attacks
Attackers use a list of known “trojan ports” to compromise your system’s security and create a backdoor. These could be ports that are used for ordinary business applications such as web servers.
Exploiting services and applications on open ports
The more applications and services that run with open ports for Internet communication, the higher the risk of a vulnerability being exploited. Applications and services may have a host of bugs and vulnerabilities, and a bug in any one of them can lead to Remote Code Execution (RCE) and a compromised server.
Inviting RCE attacks through forgotten applications and services
Applications and servers running on open ports may require constant updates to stay free of known vulnerabilities. Unfortunately, people tend to install these applications and then completely forget about them.
As these services run unattended in the background, they become more and more vulnerable to attack. One of the most dangerous outcomes is RCE, which can occur through misconfigurations in services such as Redis, Kibana, and Jenkins.
- Redis: Unsecured Redis instances in the cloud can be abused to perform RCE attacks. Malicious files can be used to turn Redis instances into cryptocurrency-mining bots that use their “wormlike” spreading capability to infect other vulnerable instances. The truly scary part is that Redis instances without Transport Layer Security (TLS) encryption, password protection, or both give attackers over 200 commands to work with once they gain access to the environment. Currently, Redis doesn’t enable authentication by default. And even if the user sets a password, it must be strong enough to resist brute-force attacks.
- Jenkins: Jenkins has a known remote code execution vulnerability, CVE-2019-1003000. Jenkins has a Pipeline feature that is implemented in Groovy. This is how the exploit works: the user issues an unauthenticated GET request that supplies Groovy meta-programming input. A savvy attacker can use the @Grab annotation to invoke Grape, Groovy’s built-in JAR dependency management tool, and have it download a JAR and run it.
Causing downtime by running denial of service (DoS) attacks
While some programs and services have a built-in protection mechanism to withstand DoS attacks, others do not. One issue is that employees may use applications and services without going through IT. This can allow attackers to perform a successful denial of service attack against a web server without even targeting port 80.
DDoS amplification must also be considered here. Attackers use amplification or reflection attacks to turn your infrastructure into a weapon against others. As you can imagine, such an attack can have devastating effects on your brand’s reputation.
The two most popular kinds of amplification attacks are:
- NTP amplification: The Network Time Protocol (NTP) is the standard protocol for time synchronization in the IT industry. NTP is widely used by servers, mobile devices, endpoints, and network devices, irrespective of vendor. NTP servers use UDP port 123 to talk to each other and to NTP clients. In an NTP amplification attack, the attacker sends a large number of requests to an NTP server (such as one owned by your company) with the target’s address as the source, so that the server’s replies are redirected to the target and flood it.
- DNS amplification: DNS amplification is a type of reflection attack that abuses publicly accessible Domain Name System (DNS) servers to flood a target with a large volume of UDP packets. An attacker can theoretically exploit a vulnerability in your DNS servers to turn small queries into much larger responses and bring down a target’s servers.
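As an added illustration of the need-to-have principle and of the services this post singles out (Redis, Kibana, Jenkins, NTP, DNS), the following Python script, written for this page and not Netenrich code, compares a host’s listening sockets against an approved allowlist and flags those services when they are bound to all interfaces. It assumes the output of `ss -tulnp` on Linux as input; the sample output and the port-to-service mapping (the services’ default ports) are constructed assumptions.

```python
"""Baseline check for listening sockets: flag ports outside an approved
allowlist and high-risk services exposed on all interfaces."""
import re

# Assumed mapping of default ports to the services the post discusses:
# Redis/Kibana/Jenkins for unattended-RCE risk, NTP/DNS for amplification.
RISKY_PORTS = {6379: "redis", 5601: "kibana", 8080: "jenkins", 123: "ntp", 53: "dns"}

# Matches data lines of `ss -tulnp`: proto, state, recv-q, send-q, local addr:port
_SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_ss(output):
    """Return a list of (proto, bind_addr, port) for each listening socket."""
    sockets = []
    for line in output.splitlines():
        m = _SS_LINE.match(line)
        if m:
            proto, addr, port = m.groups()
            sockets.append((proto, addr, int(port)))
    return sockets


def is_public(addr):
    """True if the socket is bound to every interface (IPv4 or IPv6 wildcard)."""
    return addr in ("0.0.0.0", "*", "[::]", "::")


def audit(output, allowlist):
    """Return {'unexpected': sockets not in the (proto, port) allowlist,
    'risky': high-risk services listening on all interfaces}."""
    findings = {"unexpected": [], "risky": []}
    for proto, addr, port in parse_ss(output):
        if (proto, port) not in allowlist:
            findings["unexpected"].append((proto, addr, port))
        if port in RISKY_PORTS and is_public(addr):
            findings["risky"].append((RISKY_PORTS[port], proto, addr, port))
    return findings


# Constructed sample in the shape of `ss -tulnp` output, not captured from a real host.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          0.0.0.0:123       0.0.0.0:*     users:(("ntpd",pid=612,fd=16))
tcp   LISTEN 0      128      127.0.0.1:6379      0.0.0.0:*     users:(("redis-server",pid=800,fd=6))
tcp   LISTEN 0      511        0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0      50               *:8080            *:*     users:(("java",pid=1203,fd=12))
"""
ALLOWLIST = {("tcp", 80), ("tcp", 443), ("udp", 123)}  # approved baseline (assumed)

if __name__ == "__main__":
    for kind, items in audit(SAMPLE, ALLOWLIST).items():
        for item in items:
            print(kind, item)
```

Run it against live output with `ss -tulnp | python3 check.py` after swapping `SAMPLE` for `sys.stdin.read()`; the NTP and Jenkins findings in the sample show the two failure modes the post describes, an amplification-capable service and an unattended application both reachable from anywhere.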
How Netenrich fixes open port issues
Let’s look at how Netenrich organically resolves every single one of these issues.