The Shadowserver Foundation

Open TFTP Service Scanning Project

If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at the TFTP (Trivial FTP) service.

The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have the TFTP service running. The goal of this project is to identify openly accessible systems that have the TFTP service running and report them back to the network owners for remediation.

In addition to possibly making sensitive information available, these devices have the potential to be used in UDP amplification attacks and if at all possible, we would like to see these services made un-available to miscreants that would misuse these resources.

Servers that are configured this way have been incorporated into our reports and are being reported on a daily basis.

Additional information on amplification attacks utilizing TFTP can be found on Akamai's blog at: https://blogs.akamai.com/2016/06/new-ddos-reflectionamplification-method-exploits-tftp.html

Information on UDP-based amplification attacks in general can be found in US-CERT alert TA14-017A at: https://www.us-cert.gov/ncas/alerts/TA14-017A

Methodology

We are querying all computers with routable IPv4 addresses that are not firewalled from the internet on port 69/udp with a request to download a file and capturing the response. This probe tests to see if the TFTP service is accessible and will either return the file that we are asking for or return an error code. We are not testing to see if file upload is enabled. We intend no harm, but if we are causing problems, please contact us at: dnsscan [at] shadowserver [dot] org.

Please note that unlike other UDP services that we test for, the response from TFTP is often received on a port that is different than what was queried! Probes sent to a host on port 69/UDP may generate responses that source from ephemeral high ports.

If you would like to test your own device to see if it has TFTP enabled, try using the tftp command: "tftp [IP] 69" and at the "tftp>" prompt, type "get [random-file-name]". If TFTP is running, you will likely see an error code in response. Please note that you may need to look for the response using tcpdump, if the response is being sent to some port other than 69/udp.

Whitelisting

To be removed from this set of scanning you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDR's that you would like to have removed. You will have to be the verifiable owner of these CIDR's and be able to prove that fact. Any address space that is whitelisted will be publicly available here: https://tftpscan.shadowserver.org/exclude.html

Useful Links

Scan Status

Statistics on current run

Other Statistics

If you would like other statistics and information on historical trends, please take a look at: https://tftpscan.shadowserver.org/stats/. Otherwise, stats from the most current scan are listed below.


All devices with TFTP Accessible

All TFTP

(Click image to enlarge)

These are the 4.4 million devices with TFTP accessible

If you would like to see more regions click here

All devices with TFTP Accessible

All TFTP

(Click image to enlarge)

These are the 4.4 million devices with TFTP accessible



If you would like us to not scan your network, please let us know and we will remove your networks from the scan.

Likewise, if you have anymore questions please feel free to send us an email at: gro [tod] revfooreswodahs [ta] nacbarssnd

The Shadowserver Foundation