As a follow up to my other NoSQL injection blog I wanted to take a quick survey of an AWS public IPv4 subnet and how many hosts were listening. I choose a block of IP addresses and then did a scan across all of them to see if they were listening for MongoDB or Redis. I did each scan on separate days and I only scanned for one service at a time. Through the scan I saw 45 hosts openly running MongoDB and only 2 running Redis. None of the hosts had authentication or SSL enabled for the service. While the scan covered 16 million IP addresses, finding any open service would be a bad thing as the impact can be severe.
If an attacker were to utilize these open services they could do many “bad things”. Besides the obvious, data theft of information in the database, an attacker could also use the database to host malicious or illegal software.
On AWS the usage of public IP addresses and the actual availability of hosts widely varies. Anyone can sign up for AWS and immediately start initializing hosts. This includes the use of public IP addresses. Because of this it is highly unpredictable for what is available in the address block. Its not uncommon for a developer to start up a system and use it only for a few hours of testing. But I would not be surprised to see someone or a series of bots constantly scanning the AWS IP blocks for available services to exploit.
Solving this problem is fairly simple. By default all inbound traffic to AWS instances is blocked leaving you secure. For any of the services that were left open, it was done so by the choice of the administrator that configured the host. If you choose to open up services to the Internet, restrict them to only the hosts that are required or at least to your source subnet if your not sure. For AWS you can also utilize VPCs, or virtual private clouds, for security. VPCs allow you to create a private network only accessible to yourself. You can even setup an IPSec VPN to connect into the VPC to allow for secure transport of data.
When working with any open service on the Internet you should always expect the worst. If something is on the Internet expect people and or bots to find it and hammer away at it. Especially in a place where the IP addresses are assigned to a cloud provider, people know that services are hosted on those addresses, so do your best to protect whatever you are hosting.
Discussing a wide range of topics impacting enterprises and data center security.