Security & Mobility Now
JUNOSRob

NoSQL Injection: AWS Hosting

by Juniper Employee ‎07-05-2012 09:00 AM - edited ‎07-05-2012 11:04 AM

As a follow-up to my other NoSQL injection blog, I wanted to take a quick survey of an AWS public IPv4 subnet to see how many hosts were listening. I chose a block of IP addresses and scanned all of them for hosts listening for MongoDB or Redis. I did each scan on a separate day and scanned for only one service at a time. The scan found 45 hosts openly running MongoDB and only 2 running Redis. None of the hosts had authentication or SSL enabled for the service. While the scan covered 16 million IP addresses, finding even one open service is a bad thing, as the impact can be severe.


If an attacker were to utilize these open services they could do many “bad things”. Beyond the obvious theft of the data in the database, an attacker could also use the database to host malicious or illegal software.

On AWS, the use of public IP addresses and the actual availability of hosts varies widely. Anyone can sign up for AWS and immediately start launching hosts, including hosts with public IP addresses. Because of this, what is reachable in the address block at any given moment is highly unpredictable. It's not uncommon for a developer to start up a system and use it for only a few hours of testing. But I would not be surprised to see someone, or a series of bots, constantly scanning the AWS IP blocks for available services to exploit.


Solving this problem is fairly simple. By default, all inbound traffic to AWS instances is blocked, leaving you secure. Any of the services that were left open were opened by choice of the administrator who configured the host. If you choose to open up services to the Internet, restrict them to only the hosts that require access, or at least to your own source subnet if you're not sure. On AWS you can also use VPCs, or Virtual Private Clouds, for security. A VPC lets you create a private network accessible only to yourself. You can even set up an IPsec VPN into the VPC to provide secure transport of data.
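A concrete way to apply the "restrict to the required hosts" advice is to audit your security groups before an instance goes live. The Python script below is an added example, not code from the original post or from Juniper. It assumes security-group data in the shape returned by `aws ec2 describe-security-groups` (the `IpPermissions` structure), works on a constructed sample rather than a live API call, flags any rule that exposes the default MongoDB (27017) or Redis (6379) port to `0.0.0.0/0` or `::/0`, and builds the replacement rule limited to a single source subnet.

```python
"""Audit EC2 security-group ingress rules for database ports open to the whole Internet.

Added example; the group data below is constructed to mirror the
`SecurityGroups[].IpPermissions` structure of `aws ec2 describe-security-groups`.
"""
import ipaddress
import json

# Default listening ports of the two services surveyed in the post.
DB_PORTS = {27017: "MongoDB", 6379: "Redis"}

# Constructed sample input (group ids are placeholders, not real groups).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0000000000000001",
        "GroupName": "mongo-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        ],
    },
    {
        "GroupId": "sg-0000000000000002",
        "GroupName": "redis-internal",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        ],
    },
    {
        "GroupId": "sg-0000000000000003",
        "GroupName": "allow-all",
        "IpPermissions": [
            # "-1" is the AWS encoding for "all protocols, all ports".
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]


def rule_covers_port(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 0)


def cidr_is_world(cidr):
    """True for the any-source prefixes 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _source_cidrs(perm):
    """Yield every source CIDR (IPv4 and IPv6) attached to one entry."""
    for rng in perm.get("IpRanges", []):
        yield rng["CidrIp"]
    for rng in perm.get("Ipv6Ranges", []):
        yield rng["CidrIpv6"]


def find_exposed(groups, ports=DB_PORTS):
    """Return (group_id, port, service, cidr) for each DB port reachable from anywhere."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for cidr in _source_cidrs(perm):
                if not cidr_is_world(cidr):
                    continue
                for port, name in ports.items():
                    if rule_covers_port(perm, port):
                        findings.append((group["GroupId"], port, name, cidr))
    return findings


def restricted_rule(port, allowed_cidr):
    """Build the replacement ingress entry: same port, one explicit source subnet."""
    net = ipaddress.ip_network(allowed_cidr, strict=False)
    if net.prefixlen == 0:
        raise ValueError("replacement rule must not be open to the world")
    key = "IpRanges" if net.version == 4 else "Ipv6Ranges"
    field = "CidrIp" if net.version == 4 else "CidrIpv6"
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            key: [{field: str(net)}]}


if __name__ == "__main__":
    for gid, port, name, cidr in find_exposed(SAMPLE_GROUPS):
        print(f"{gid}: {name} (tcp/{port}) open to {cidr}")
        # Assumed replacement source: the application subnet, 10.0.0.0/16 here.
        print("  suggested rule:", json.dumps(restricted_rule(port, "10.0.0.0/16")))
```

Run against real data by feeding the `SecurityGroups` array from `describe-security-groups` into `find_exposed`; the all-protocol (`-1`) case is treated as covering every port, since that is how AWS evaluates it.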


When working with any service open to the Internet you should always expect the worst. If something is on the Internet, expect people and/or bots to find it and hammer away at it. This is especially true where the IP addresses are assigned to a cloud provider: people know that services are hosted on those addresses, so do your best to protect whatever you are hosting.


Comments
by Paul Aan(anon) on ‎07-10-2012 05:01 AM

Cool article!

Luckily, I did take care of these security issues the first time I approached new technologies.

by Juniper Employee on ‎07-10-2012 10:53 AM

Thanks! The availability of the services widely varies. From testing a few different times we saw that various bots/scanners found new services on AWS in a matter of minutes. So even if you put up a service for a short time it has a good chance of getting seen and potentially exploited. 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.