News & Insights

Topic: Statistics

New Dashboard Extensions: IoT device fingerprinting and attack statistics

September 30, 2022
We are happy to announce the first major extension to our newly launched Dashboard - the addition of IoT device statistics and server-side attack statistics, data sets that have been collected as part of the HaDEA EU CEF VARIoT project.

Shadowserver’s New Public Dashboard

September 6, 2022
After many years of not having public interface for exploring our extensive cyber threat intelligence data sets, Shadowserver are very excited to make available our new public Dashboard, kindly funded by the UK FCDO. Use our Dashboard to dig into two years of aggregated country level data about many different type of threats, including some unique data sets and vantage points, then visualize the data in various ways that can be easily shared via URLs. Free to use (with attribution) for research, informing policy makers and by journalists/news media in educating the public about cyber security threats.

Hello IPv6 Scanning World!

July 14, 2022
In the last few months, Shadowserver has been systematically rolling out IPv6 scanning of services. We chose to conduct our scanning based on hitlists of IPv6 addresses observed being used in the wild, maintaining up to 1 billion unique IPv6 addresses on the hitlist at any one time. We currently scan 9 different services (11 ports) uncovering over 120 million active services by unique IPv6 daily.

Over 3.6 million exposed MySQL servers on IPv4 and IPv6

May 31, 2022
We have recently began scanning for  accessible MySQL server instances on port 3306/TCP.  These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single AS). IPv4 and IPv6 scans together uncover 3.6M accessible MySQL servers worldwide.

Over 380 000 open Kubernetes API servers

May 17, 2022
We have recently started scanning for accessible Kubernetes API instances that respond with a 200 OK HTTP response to our probes. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. We find over 380 000 Kubernetes API daily that allow for some form of access, out of over 450 000 that we are able to identify. Data on these is shared daily in our Accessible Kubernetes API Server Report.

Over 18.8 million IPs vulnerable to Middlebox TCP reflection DDoS attacks

April 25, 2022
We recently began scanning for middlebox devices that are vulnerable to Middlebox TCP reflection, which can be abused for DDoS amplification attacks.  Our results are now shared daily, filtered for your network or constituency in the new Vulnerable DDoS Middlebox report. We uncover over 18,800,000 IPv4 addresses responding to our Middlebox probes. In some cases the amplification rates can exceed 10,000!

More Free Cyber Threat Intelligence For National CSIRTs

April 25, 2022
The UK FCDO have been supporting The Shadowserver Foundation's efforts to provide more free, actionable, daily Cyber Threat Intelligence to National CSIRTs in Africa and the Indo-Pacific. After making some great progress over the past year, we are seeking support from the community to engage some additional countries in the region. Can you help connect us, and the Internet more secure for everyone?

Scanning for Accessible MS-RDPEUDP services

January 25, 2021
We have started daily IPv4 /0 scanning for exposed MS-RDPEUDP instances on port 3389/UDP. Aside from the usual risks associated with exposing RDP services to the Internet, this UDP extension of the popular RDP services has been found to be susceptible to amplification DDoS abuse with an amplification factor of over 84. Over 12 000 instances of MS-RDPEUDP have been found to be accessible on the IPv4 Internet.

Accessible Radmin Report - Exposed Radmin Services on the Internet

July 7, 2020
We have recently enabled a new IPv4 Internet-wide scan and report for accessible Radmin services on port 4899/TCP. Radmin is a remote access software product commonly in use today. Our daily scans uncover around 50,000 accessible Radmin services on port 4899/TCP. While Radmin is in general considered a secure mechanism for remote access, care should be taken as with all similar types of services to ensure no misconfiguration has taken place.

Accessible CoAP Report - Exposed Constrained Application Protocol Services on the Internet

June 24, 2020
We have enabled a new scan for exposed CoAP (Constrained Application Protocol) devices on port 5683/UDP. The scan has uncovered around 460 000 exposed CoAP services that can be potentially abused for CoAP amplification DDoS attacks. These services may also leak information or expose other vulnerabilities. This is the third IoT scan implemented as part of the EU CEF VARIoT project.