NICER Protocol Deep Dive: Internet Exposure of etcd
Welcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we’d end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thing or two about the nature of internet exposure, so we figured, why not break up all the protocol studies into their own reports?
So, here we are! What follows is taken directly from our National / Industry / Cloud Exposure Report (NICER), so if you don’t want to wait around for the next installment, you can cheat and read ahead!
[Research] Read the full NICER report today
Get Started
etcd (TCP/2379)
Gleaming the Kube(rnetes)
TLDR
- WHAT IT IS: Another distributed key-value store that provides a reliable way to store data that needs to be accessed by a distributed system or cluster of machines.
- HOW MANY: 2,560 discovered nodes. 2,560 (100%) have version fingerprints
- VULNERABILITIES: Two low-to-moderate CVEs since 2018.
- ADVICE: Use it! Just don’t expose it to the internet.
- ALTERNATIVES: Redis and memcached are two similar, alternative in-memory key-value stores with characteristics similar to etcd.
The etcd key-value service is part of the Kubernetes ecosystem and is designed to hold system/service configuration and state information. The Kubernetes API Server uses etcd’s watch API to monitor the cluster and roll out critical configuration changes or simply restore any divergences of the state of the cluster back to what was declared by the deployer. It exposes a JSON API over the HTTP protocol.
Discovery details
Project Sonar found 2,560 etcd nodes exposed to the internet. The counts by country (top 10) and provider are below:
| Country | Count | Provider | Count | |
|---|---|---|---|---|
| China | 1,036 | Alibaba | 434 | |
| United States | 476 | Amazon | 243 | |
| South Africa | 255 | 101 | ||
| Germany | 210 | OVHcloud | 89 | |
| Hong Kong | 66 | DigitalOcean | 52 | |
| France | 64 | Microsoft | 29 | |
| Singapore | 59 | Scaleway | 15 | |
| Canada | 56 | Oracle | 10 | |
| Russia | 40 | QuadraNet | 6 | |
| Netherlands | 38 | Rackspace | 1 |
We’re including etcd for completeness (since we’ve mentioned in the previous blogs on Redis and memcached), but the sample size is way too small to dig into, since we have no data on which ones are honeypots and which ones are real.
Just like the other two key-value databases, etcd should never be exposed to the internet. Unlike the previous two services, etcd tends to be purpose-driven for Kubernetes orchestration environments, which is another great reason not to expose it to the internet directly.
[Research] Read the full NICER report today
Get Started
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.
