Data is based on Coordinated Universal Time (UTC).
How to interpret AISI data
There are a number of caveats to note when interpreting this data:
- Often there are multiple observations for an individual IP address, including multiple observations under different categories. This data has been largely removed in the charts.
- If there are observations relating to multiple categories on a given day for a given IP address, that IP address will be represented once in each category i.e. if an IP address has been observed as a vulnerable service as well as malware, this address will be reported in both categories.
- Services utilising a 'dynamic' IP address, such as a home router, may be represented more than once over a 24-hour period if that dynamic IP has changed during that period.
A note about data variability
Caution should be applied when interpreting the charts, as the data contains a set of constantly changing variables. In particular, the absence of data for a given day or week does not necessarily indicate a given compromise or cyber threat has diminished, as other factors may have led to data becoming unavailable.
An IP address reported under the vulnerable service category has been found to be hosting a network service that exhibits symptoms of some specific security vulnerability or class of vulnerabilities.
Types of ‘vulnerable services’
POODLE (Padding Oracle on Downgraded Legacy Encryption) takes advantage of a vulnerability in SSL 3.0 which makes it possible for a hacker to obtain credentials for a secured connection. It is generally recommended that all secured connections use TLS 1.2 and that the use of SSL 3.0 is discontinued.
Over time, some technologies previously thought secure may become vulnerable. A FREAK (Factoring RSA Export Keys) vulnerable service indicates the possibility of compromise using a weak cipher technology which can no longer be regarded as secure. It is recommended that only ciphers which are accepted as secure be used and that this is regularly monitored.
DDOS AMPLIFER: SSDP
SSDP (Simple Service Discovery Protocol) is a service on port 1900 (UDP) which responds to queries from the open internet. SSDP services respond with information that identifies the system and potentially information on the configuration of internal IPs. Therefore, in addition to potentially being used as part of a Distributed Denial of Service (DDoS) attack, this vulnerability may also potentially expose sensitive information on the customer network layout.
DDOS AMPLIFIER: DNS
DNS (Domain Name System) is a service on port 53 (UDP) that responds to recursive DNS queries from the open internet. DNS servers that allow recursive queries typically return a DNS response to any query made to them, thereby enabling them to be used in DDoS attacks.
DDOS AMPLIFIER: SNMP
SNMP (Simple Network Management Protocol) is a service on port 161 (UDP) that responds to SNMP 2c queries from the open internet with the SNMP community set to "public". These SNMP services provide information that can identify internal systems and their configurations, so in addition to potentially being used as part of a DDoS attack, they may also expose sensitive information.
DDOS AMPLIFIER: NETBIOS
NetBIOS is a service on port 137 (UDP), which responds to name resolution queries from the open internet. NetBIOS services respond with information that identifies the system and potentially information on the file sharing network the machine is connected to, such as the workgroup and username, thereby leaking potentially sensitive information. These responses are also used as part of reflection DDoS attacks.
DDOS AMPLIFIER: PORTMAPPER
Portmapper (part of RPC services) is a service on port 111 (UDP) that responds to queries from the internet, potentially allowing them to be used as part of a DDoS attack. Additionally these services may be used to gather sensitive information from a server including NFS exports.
DDOS AMPLIFIER: CHARGEN
Chargen (Character Generator) is a service (UDP) which responds to queries from the open internet. CharGen services typically respond with a string of random characters, which will be returned to any apparent querying source, making them easily used as part of a DDoS attack.
DDOS AMPLIFIER: NTP
NTP (Network Time Protocol) is a service on port 123 (UDP) that responds to Mode 7 requests from the open internet which could allow it to be abused to redirect responses to a victim's IP address.
Where to get help
For vulnerable services, the appropriate action to mitigate the threat will depend on the type of threat. For further information on how to protect yourself online, browse www.cyber.gov.au. The US-CERT website also contains extensive advice on POODLE.
We welcome any feedback on these charts, contact us at email@example.com.