CERT Bund reports are automatically sent to the Abuse Contact (Abuse-C) registered with RIPE for the relevant IP network range. The Abuse Contact is used for all classes of reports as it is the only one that can be automatically extracted from the RIPE data. If the affected network operator is a provider, it is requested to inform its affected customers appropriately.
All CERT Bund reports are digitally signed.
See Reports on malware infections.
See Reports on openly accessible server services.
Please check the time stated in our reports. If the reported security problem has been successfully resolved, you should not receive any further notifications with later time stamps.
As part of tests conducted daily by the shadow servers, corresponding queries for the respective service are sent to all IPv4 internet addresses and the responses received are then analysed. You are getting the report because valid responses from the corresponding service have been received from your system.
As a result of the volume of queries and the fact that traffic is sent over UDP, individual responses unfortunately cannot be associated directly with the respective queries. If a corresponding service is not directly reachable from the internet on the IP reported, then the query is being received on another IP address in your network but the response is being sent back to the internet from the reported IP. This can be the case, for example, if the system has multiple public IP addresses or is working as a NAT gateway and/or there is a misconfiguration problem with the routing.
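One way to find that other address, as an added example that is not part of the original page: send the service's query to each of your own public addresses and record which replies come back from the reported IP. The function names, loopback addresses and payloads are constructed placeholders (substitute the query of the reported service), and the loopback demo assumes a host where all of 127.0.0.0/8 is local, as on Linux.

```python
import socket
import threading

def probe_reply_source(target_ip, port, payload, timeout=2.0):
    """Send one UDP query and return the source IP of the reply (None if no reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # Not connect()ed on purpose: a connected UDP socket discards replies
        # that come from any address other than the one that was queried.
        s.settimeout(timeout)
        s.sendto(payload, (target_ip, port))
        try:
            _, (src_ip, _) = s.recvfrom(65535)
        except OSError:  # timeout or ICMP error
            return None
        return src_ip

def find_receiving_addresses(candidate_ips, reported_ip, port, payload, timeout=2.0):
    """Return the candidates whose queries are answered from reported_ip."""
    hits = []
    for ip in candidate_ips:
        if ip != reported_ip and probe_reply_source(ip, port, payload, timeout) == reported_ip:
            hits.append(ip)
    return hits

def demo():
    """Constructed loopback stand-in: a service listens on 127.0.0.2 but its
    replies leave from 127.0.0.1, like the multi-homed host described above."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.2", 0))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.bind(("127.0.0.1", 0))

    def serve_once():
        _, client = rx.recvfrom(65535)
        tx.sendto(b"constructed-reply", client)

    t = threading.Thread(target=serve_once, daemon=True)
    t.start()
    try:
        return find_receiving_addresses(
            ["127.0.0.3", "127.0.0.2"], "127.0.0.1", rx.getsockname()[1],
            b"constructed-query", timeout=0.5)
    finally:
        t.join(1.0)
        rx.close()
        tx.close()

if __name__ == "__main__":
    print(demo())  # constructed loopback case
```

Run the probes from a host outside the network: a stateful firewall or NAT in front of the probing host will drop replies whose source differs from the queried address.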
As telecommunications providers, ISPs are obliged in accordance with Section 109a (4) Telecommunications Act (TKG) to inform their users immediately, as soon as those users are known, if they become aware of any disruptions that originate from the users' IT systems. This includes infections with malware. As far as possible and reasonable from a technical perspective, ISPs must inform users of appropriate, effective and accessible technical means that they can use to detect and correct the disruptions.
If you offer telemedia in the ordinary course of business via your server (this includes company websites and online shops as well as, for example, private websites funded by advertising), you are obliged according to Section 19 (4) TTDSG to provide your systems with state-of-the-art protection against being misused through external attacks. Even if you are not operating your server for business purposes, you should still protect it. It is possible that a victim of a DDoS reflection attack could lodge claims for damages with the operators of servers whose known vulnerabilities were exploited to carry out an attack.
Hosting providers are requested to notify the affected customers appropriately so that they can discharge their obligation to protect their servers from abuse through external attacks in accordance with Section 19 (4) TTDSG.