MEDIUM: Accessible AMQP Report

DESCRIPTION LAST UPDATED: 2023-12-07

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies devices that have an accessible AMQP (Advanced Message Queueing Protocol) on port 5672/TCP.

AMQP is an open internet protocol for business messaging. It is often also used for IoT device management.

Even though it does allow for encrypted communications via TLS, many instances on the Internet are configured for cleartext authentication and message sharing. Furthermore in the past there have been multiple vulnerabilities discovered in AMQP broker software implementations that can allow for authentication bypass, interception of messages, remote code execution or denial of service and other attacks.

You can track latest AMQP scan results on the Shadowserver Dashboard.

For more information on our scanning efforts, check out our Internet scanning summary page.

Severity levels are described here.

This report was enabled as part of the European Union INEA CEF VARIoT project.

Filename: scan_amqp


Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the AMQP response came on (always TCP)
  • port
    Port that the AMQP response came from (usually 5672)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Set to amqp
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • channel
    Channel Used
  • message_length
    Length of the message
  • class
    Class of the connection
  • method
    Method used
  • version_major
    Major number of the AMQP protocol revision
  • version_minor
    Minor number of the AMQP protocol revision
  • capabilities
    List of features supported
  • cluster_name
    Name of the AMQP device
  • platform
    Platform
  • product
    Product Type
  • product_version
    Product Version
  • mechanisms
    Methods Used
  • locales
    Languages available
  • sector
    Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","channel","message_length","class","method","version_major","version_minor","capabilities","cluster_name","platform","product","product_version","mechanisms","locales","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,tcp,5672,node01.example.com,amqp,64512,ZZ,Region,City,0,ptr,0,509,10,10,0,9,"publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos,direct_reply_to",athletic-lime-wallaby,"Erlang/OTP 25.3.2.7",RabbitMQ,3.12.6,"AMQPLAIN PLAIN",en_US,"Retail Trade"
"2010-02-10 00:00:01",medium,192.168.0.2,tcp,5672,node02.example.com,amqp,64512,ZZ,Region,City,0,,0,509,10,10,0,9,"publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos",rabbit@rabbitmq,Erlang/OTP,RabbitMQ,3.5.7,"AMQPLAIN PLAIN",en_US,"Communications, Service Provider, and Hosting Service"
"2010-02-10 00:00:02",medium,192.168.0.3,tcp,5672,node03.example.com,amqp,64512,ZZ,Region,City,0,ptr,0,528,10,10,0,9,"publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos,direct_reply_to",1rabbit@ip-172-31-1-216.us-west-2.compute.internal,"Erlang/OTP 22.3.4.1",RabbitMQ,3.8.3,"AMQPLAIN PLAIN",en_US,"Retail Trade"

Our 124 Report Types