Overview of Risk Indicators
CyberGreen tracks types of internet-exposed systems that may create risk for others, including services that can be abused for reflection, amplification, or other large-scale network harms.
Each risk page describes what is being measured and how the observed counts should be interpreted. Counts are measurement indicators from processed scan data, not evidence that the listed systems are participating in attacks.
DDoS potential is shown separately because it is a calculated metric derived from the scanned indicators, not a directly scanned indicator.
| Risk Indicator | Amplification Factor | Description |
|---|---|---|
| Open DNS | 41 | DNS (Domain Name System) open resolvers can be abused for reflection and amplification when they respond to recursive queries from the public internet. |
| Open NTP | 556.9 | NTP (Network Time Protocol) servers can amplify traffic when exposed services respond to spoofed requests. |
| Open SNMP | 6.3 | SNMP (Simple Network Management Protocol) exposure can create amplification risk when public devices answer unauthenticated UDP queries. |
| Open SSDP | 30.8 | SSDP (Simple Service Discovery Protocol) services can be abused for UDP reflection and amplification when exposed beyond local networks. |
| Open CHARGEN | 358.8 | CHARGEN (Character Generator Protocol) is a legacy service that can produce amplified UDP responses when left exposed. |
Amplification factors are based on US-CERT guidance on UDP-based amplification attacks: DDoS Amplification and Mitigation Recommendations.
| Calculated Metric | Description |
|---|---|
| DDOS | DDoS potential is calculated from the scanned risk indicators to estimate relative amplification potential. |
Archived Risk Datasets
CyberGreen also maintains selected archived datasets that predate its current scanning systems. The archived data below was obtained from external sources, including the Open Resolver Project, and is separated from the current CyberGreen scan dataset. Archived datasets can also be accessed through the API.
| Risk | Description |
|---|---|
| Mirai | Mirai is malware that turns computer systems running Linux into remotely controlled 'bots' that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white-hat malware research group, and has been used in some of the largest and... |