MEDIUM: Accessible AMQP Report

DESCRIPTION LAST UPDATED: 2023-12-07

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies devices that have an accessible AMQP (Advanced Message Queueing Protocol) on port 5672/TCP.

AMQP is an open internet protocol for business messaging. It is often also used for IoT device management.

Even though it does allow for encrypted communications via TLS, many instances on the Internet are configured for cleartext authentication and message sharing. Furthermore in the past there have been multiple vulnerabilities discovered in AMQP broker software implementations that can allow for authentication bypass, interception of messages, remote code execution or denial of service and other attacks.

You can track latest AMQP scan results on the Shadowserver Dashboard.

For more information on our scanning efforts, check out our Internet scanning summary page.

Severity levels are described here.

This report was enabled as part of the European Union INEA CEF VARIoT project.

Filename: scan_amqp

Fields

timestamp

Time that the IP was probed in UTC+0
severity

Severity level
ip

The IP address of the device in question
protocol

Protocol that the AMQP response came on (always TCP)
port

Port that the AMQP response came from (usually 5672)
hostname

Reverse DNS name of the device in question
tag

Set to amqp
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
hostname_source

Hostname source
channel

Channel Used
message_length

Length of the message
class

Class of the connection
method

Method used
version_major

Major number of the AMQP protocol revision
version_minor

Minor number of the AMQP protocol revision
capabilities

List of features supported
cluster_name

Name of the AMQP device
platform

Platform
product

Product Type
product_version

Product Version
mechanisms

Methods Used
locales

Languages available
sector

Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","channel","message_length","class","method","version_major","version_minor","capabilities","cluster_name","platform","product","product_version","mechanisms","locales","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,tcp,5672,node01.example.com,amqp,64512,ZZ,Region,City,0,ptr,0,509,10,10,0,9,"publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos,direct_reply_to",athletic-lime-wallaby,"Erlang/OTP 25.3.2.7",RabbitMQ,3.12.6,"AMQPLAIN PLAIN",en_US,"Retail Trade"
"2010-02-10 00:00:01",medium,192.168.0.2,tcp,5672,node02.example.com,amqp,64512,ZZ,Region,City,0,,0,509,10,10,0,9,"publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos",rabbit@rabbitmq,Erlang/OTP,RabbitMQ,3.5.7,"AMQPLAIN PLAIN",en_US,"Communications, Service Provider, and Hosting Service"
"2010-02-10 00:00:02",medium,192.168.0.3,tcp,5672,node03.example.com,amqp,64512,ZZ,Region,City,0,ptr,0,528,10,10,0,9,"publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos,direct_reply_to",1rabbit@ip-172-31-1-216.us-west-2.compute.internal,"Erlang/OTP 22.3.4.1",RabbitMQ,3.8.3,"AMQPLAIN PLAIN",en_US,"Retail Trade"

Our 135 Report Types

« Back to Network Reporting