Update: Researchers scanning the Internet

Published: 2023-08-07. Last Updated: 2023-08-07 20:30:47 UTC
by Johannes Ullrich (Version: 1)

We have been tracking researchers scanning the Internet for open ports or vulnerabilities for a few years. These groups often show up in our "top 10" lists. We do not make any general recommendations to block these IPs but we want to give you the information you need to make this decision for your network.

First, let's define what we consider a "researcher": an organization that scans the internet for open ports or vulnerabilities without exploiting them. This is not limited to academic researchers; we also count commercial entities in this group (Shodan being the most prominent one, in my opinion). For some entities we have very little information and essentially take their word that they are not malicious.

Our API is the easiest way to obtain a list of current "research" IP addresses. See:

https://isc.sans.edu/api/threatcategory/research (not making this a link on purpose; please read the introduction to our API first: https://isc.sans.edu/api ). Currently, about 28,000 IPs are part of that list, and we track 30 different entities (not all of them are active).
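To turn that list into a per-network decision rather than a blanket block, here is an added example (not from this diary and not part of the ISC API) that tags firewall log sources against a locally cached copy of the research list, so known researcher noise can be separated from unidentified scanners. The {ip: label} structure and the log format are assumptions, since the API's output format is not described here.

```python
import ipaddress
import re
from collections import Counter
# Constructed stand-in for a locally cached copy of the ISC "research" list,
# flattened to {ip: label}; the real API output format is an assumption here.
RESEARCH_IPS = {
    "192.0.2.10": "censys",
    "192.0.2.11": "censys",
    "198.51.100.5": "shodan",
    "203.0.113.77": "stretchoid",
}

# Constructed firewall log lines (hypothetical iptables-style syslog format).
SAMPLE_LOGS = """\
Aug 07 10:01:02 fw kernel: DROP SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP DPT=443
Aug 07 10:01:05 fw kernel: DROP SRC=198.51.100.5 DST=10.0.0.5 PROTO=TCP DPT=22
Aug 07 10:01:09 fw kernel: DROP SRC=203.0.113.77 DST=10.0.0.9 PROTO=TCP DPT=80
Aug 07 10:01:12 fw kernel: DROP SRC=203.0.113.99 DST=10.0.0.9 PROTO=TCP DPT=3389
Aug 07 10:01:15 fw kernel: DROP SRC=192.0.2.11 DST=10.0.0.5 PROTO=TCP DPT=8080
"""
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

def load_research(pairs):
    """Validate each address; return {ip_address: label}, skipping bad entries."""
    table = {}
    for ip, label in pairs.items():
        try:
            table[ipaddress.ip_address(ip)] = label
        except ValueError:
            continue  # malformed entry in the cached list
    return table

def classify_sources(log_text, research):
    """Split log sources into per-label researcher hit counts and unknown IPs."""
    counts, unknown = Counter(), set()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # octet out of range, not a usable address
        label = research.get(src)
        if label:
            counts[label] += 1
        else:
            unknown.add(str(src))
    return counts, sorted(unknown)
```

`classify_sources(SAMPLE_LOGS, load_research(RESEARCH_IPS))` returns two censys hits, one each for shodan and stretchoid, and leaves 203.0.113.99 as the only source worth a closer look.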

The category labels are a bit cryptic, so I explain them below, using quotes from each group's website to describe the service wherever possible.

Please note: before starting your own effort to scan the internet for "vulnerability X", reach out to the groups below first and try to collaborate.

For each label below: a description of the group, followed by the number of IPs we track for it and the date it was last seen.
adscore

"ADSCORE’s mission is to categorize web traffic that is organically generated or purchased by your business. It detects the following categories of traffic: human, proxy, low quality (obsolete device and/or browser) and of course, bots."

IPs: 46, last seen: 2023-08-06

alphastrikelabs

"Governmental Agencies, national CERTs and Security Teams use our Cyber OSINT platform to identify systems which are exposed on the internet and to analyze how widespread new types of vulnerabilities are."

IPs: 1025, last seen: 2023-08-07

arbor

Arbor (used to be https://www.arbor-observatory.com/) is now part of Netscout. "The NETSCOUT Threat Intelligence Team's Internet Safety Initiative works to non-intrusively identify systems & services which may be abused by adversaries to launch DDoS attacks. Analysis of the collected data allows us to proactively defend against attacks leveraging any abusable systems. That is the sole focus of this initiative."

IPs: 257, last seen: 2023-08-07

binaryedge

"We scan the entire public internet, create real-time threat intelligence streams, and reports that show the exposure of what is connected to the Internet. What is your Internet Attack Surface?"

IPs: 9222, last seen: 2023-08-06

blindferret

no details available

IPs: 4, last seen: 2023-08-07

censys

"Censys partners with both the private and public sectors to provide the most accurate internet intelligence data available, so teams can uncover risks and take down threats at scale."

IPs: 3073, last seen: 2023-08-07

cybergreen

"The CyberGreen Institute is a 501(c)(3) non-profit organization based in New York that conducts and supports research to establish a science of Cyber Public Health. CyberGreen is a trusted player following transparent methods of identifying sources of risk and best practices for the community. We are committed to evidence-driven metrics and measurements. We welcome collaboration on all fronts. Please contact us to learn more about our organization and how you can be involved with our mission."

IPs: 3, last seen: 2023-08-07

erratasec

"Errata Security is a team of dedicated security researchers that practice offensive security. The insight gained from research is delivered to clients through Hacker Eye View reports that cover a variety of topics and real world scenarios."

IPs: 6, last seen: 2023-08-07

expanse

"Cortex Expanse" is operated by Palo Alto Networks. "Automatically, continuously scan the entire internet. Actively discover and index your unknown risks in all connected systems and exposed services."

IPs: 942, last seen: 2023-08-06

gdnplus

"GDNP layers proprietary and third-party data sets to provide cutting-edge internet research to customers. Our work helps institutions and companies solve data science, business intelligence, and security problems"

IPs: 57, last seen: 2023-08-02

internetcensus

"Internet Census Group seeks to analyze trends and benchmark security performance across a broad range of industries. We are committed to the education and long-term improvement of security practices across the Internet to provide an ever-stronger defense against the threat of security attacks.

The Internet Census Group is led by BitSight Technologies, Inc. and we encourage organizations from industry, government or academia that would like to collaborate on security projects to contact us."

IPs: 668, last seen: 2023-08-06

internetmeasurement

"This domain is operated by driftnet.io. It is used to discover and measure services that network owners and operators have publicly exposed. Traffic from this domain is not an attack. Traffic from this domain will never attempt to log in to your systems. Spam is not sent from this domain. SPF, DKIM and DMARC records mark internet-measurement.com as completely unable to send email."

IPs: 359, last seen: 2023-08-06

ipip

no details available

IPs: 210, last seen: 2023-08-07

leakix

"This project goes around the Internet and finds services to index them. We have gather information on the Internet on the most common security misconfiguration currently open. We intend to provide a platform to fix misconfigurations leading to leaks and security issues by bridging the source, CERTs, hosting companies and researchers to solve the problem."

IPs: 153, last seen: 2023-08-07

netsystems

no details available

IPs: 1281, last seen: 2023-08-07

normshield (now known as Black Kite)

"Our deep insights help you ease the stress of cyber ecosystem risk management. We do this by giving you more than a risk score. Our automated system provides real-time and accurate risk intelligence. Our data is accurate, reliable and detailed so you can improve business resilience by making informed risk decisions across your entire ever-changing cyber ecosystem."

IPs: 257, last seen: 2023-08-07

onyphe

"We scan the Internet (and the Dark Web) in a net-neutral manner. That means we scan every exposed assets and your View won't be limited to yours. We even scan the one you are not aware of..."

IPs: 130, last seen: 2023-08-06

openportstats

"Welcome to the automatic IoT scanner. We collect statistics about connected devices. You can see information about connected devices to your IP here."

IPs: 513, last seen: 2023-08-07

project25499

"The objective of Project 25499 is to leverage internet wide scanning to responsibly identify to scope of vulnerabilities as well as provide researchers with resources needed to combat malice."

IPs: 3, last seen: 2023-08-02

qrator

DDoS protection platform

IPs: 1025, last seen: 2023-08-07

qualys

Vulnerability scanning service

IPs: 88, last seen: 2023-08-07

rapid7sonar

"Project Sonar started in September of 2013 with the goal of improving security through the active analysis of public networks. While the first few months focused almost entirely on SSL, DNS, and HTTP enumeration, the discoveries and insights derived from these datasets, especially around the identification of systems unknown to IT teams, led to the expansion of Project Sonar to include the scanning of UDP services."

IPs: 417, last seen: 2023-08-07

scanopticon

".. free and public intelligence gathering service. ... We catalog and fingerprint services in order to track the flow of malware.
When we detect such activity, we make every effort to report it to the appropriate person."

IPs: 3, last seen: 2023-08-06

scorecard

SecurityScorecard assigns organizations a "security score" similar to a credit score. The internet-wide scans are used as part of that score.

IPs: 21, last seen: 2023-08-07

shadowserver

"We collect vast amounts of threat data, send tens of thousands of free daily remediation reports, and cultivate strong reciprocal relationships with network providers, national governments and law enforcement. We bring malicious activities and abusable vulnerabilities out of the shadows, expedite their remediation and help to better secure the Internet."

IPs: 561, last seen: 2023-08-07

shodan

"Shodan gathers information about all devices directly connected to the Internet. If a device is directly hooked up to the Internet then Shodan queries it for various publicly-available information. The types of devices that are indexed can vary tremendously: ranging from small desktops up to nuclear power plants and everything in between."

IPs: 68, last seen: 2023-08-07

spyse

The spyse.com website appears to be down right now, but the scanners are still active. For some discussion about Spyse, see https://hackernoon.com/spyse-introduction-cybersecurity-search-engine-for-data-gathering-90763wz8

IPs: 231, last seen: 2023-08-06

stretchoid

"Stretchoid is a platform that helps identify an organization's online services." (I recently saw a website providing access to the data collected by Stretchoid, but forgot to write down the name).

IPs: 6646, last seen: 2023-08-06

univmichigan

University of Michigan research effort

IPs: 764, last seen: 2023-08-07

univsydney

University of Sydney research effort

IPs: 4, last seen: 2023-08-07


---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu