Censys Blog

Introducing Relational Database Scanning

June 18, 2018 by The Censys Team

The last year has seen repeated data breaches caused by operators accidentally hosting database servers on the public Internet.1 In many cases, these servers—which should never have been accessible—were configured with poor or altogether missing authentication.

To help organizations investigate and monitor whether they’ve mistakenly exposed databases, we have added scanning for four popular relational database servers: MySQL, PostgreSQL, Microsoft SQL Server, and Oracle Database. We will also be adding support for Redis, Memcached, MongoDB, Cassandra, and Elasticsearch later this year. We scan by performing an initial protocol handshake with hosts. We never attempt to login or download any user data from the servers we find.

Database Exposure Today

The magnitude of databases online is surprising. There are around 5.5 million relational database servers on the public Internet: 680K MSSQL, 540K Postgres, 94K Oracle, and 4.7M MySQL2 servers. These hosts are spread across a large number of networks—25.3K autonomous systems (ASes) contain database servers and no single AS contains more than 5% of publicly exposed servers. The three networks with the most exposure are OVH, EGI Hosting, and Amazon (see full breakdown).

Much of that result is skewed towards MySQL, of which there are an order of magnitude more servers than the other databases. The other engines show a larger concentration in a small number of networks. Just over 20% of MSSQL and 30% of PostgreSQL servers are hosted by the Polish provider home.pl. Beyond home.pl, we see a large number of servers in popular cloud providers like Amazon, Azure, Hetzer, and OVH. There also is a noticeable skew towards many Asian networks. For example, around 20% of the Microsoft SQL Servers and 30% of Oracle servers online are located in China and Korea. However, while many of the servers are in popular providers, there are tens of thousands other networks that contain one or two servers, and are likely equally worrisome.

To track database exposure going forward, we’re releasing a real-time dashboard Relational Database Exposure Report, which shows live data about the exposure of relational databases.

Check Your Network for Exposure

While some of these servers may be intentionally Internet connected, we suspect that many are not. It’s best practice to not have database servers publicly accessible. You can check for databases that have been exposed on your own network by searching for the tag database.

We’ve provided a tool below to check your network prefix for any servers:

About Censys, Inc.

Censys is an Ann Arbor-based information security company that helps organizations secure their network perimeter by continually monitoring all Internet-connected hosts. Censys indexes devices and services by performing billions of network handshakes and DNS lookups per hour. This perspective uncovers unknown assets and provides actionable security insight to organizations of all sizes. Censys also provides global data to threat hunters, penetration testers, and the broader research community. [more information]

Love security and playing with data? Censys is hiring several software engineers for full-time positions. See https://censys.io/careers for more information.

1 Verizon DBIR 2018: "Errors were at the heart of almost one in five (17%) breaches. […] Misconfigurations, notably unsecured databases, as well as publishing errors were also prevalent."

2 Of the 4.7M MySQL servers, 2.4M do not allow Internet logins, either returning a Host not Privileged or Host Blocked error. While we applaud operators limiting access to specific IPs, we would encourage these users to block any access to these servers. We do not attempt to login into any server that we find online, but we expect that the other 2.3M allow Internet logins.