What's the deal with openportstats.com?

Published: 2020-12-21. Last Updated: 2020-12-22 14:56:59 UTC
by Rick Wanner (Version: 2)
4 comment(s)

Over the last few months a few groups I am involved with have been discussing openportstats.com.  They first came to my attention in May of 2020. At that time a number of ISPs indicated attempted DOS by IPs in Russia (ASN202425).  The volume of traffic was not really big enough to do any harm, but in some cases the volume of network traffic was causing issues for some devices and causing congestion on some low speed links.

In July the traffic reappeared. 

One firewall was showing 330,000 blocked port scan events an hour. With some free time for research, the path led to the website openportstats.com, a website hosted in France, and purporting to be IoT researchers.  In fact in late July the ISC added openportstats to our list of known researchers. 

Starting in September, the scans became almost continuous.

I recently attempted to contact them using the two email addresses listed on their website, and both emails were returned "server not available". 

I am all for supporting security research, but none of the other various scanners and crawlers which contribute to the background noise of the Internet are causing the level of impact openportstats.com is.  Their scans are clumsy and overly aggressive and given my lack of luck attempting to contact them I am having to question the legitimacy of these researchers and their research.  

If you have also experienced impact from their scans, or know anyone associated with openportstats.com, I would love to hear about it via comments on this diary or through our contact page.

 

Update:  A reader pointed out that the IPs are not actually in Russia, but rather in the Netherlands.  Some of the IP ranges are registered to Russian IP addresses, but  AS204655 and AS202425 are both hosted near Amsterdam by  IP Volume Inc which is formerly known as Ecatel.  Ecatel and its progeny have a somewhat notorious history.

 

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords:
4 comment(s)

Comments

Apparently, GreyNoise revoked the benign tag for OpenPortStats[.]com on May 16, 2019, cf. https://twitter.com/GreyNoiseIO/status/1129017971135995904
What IP (or range) are the scans coming from? It's not clear from the post. Update: I'm definitely seeing traffic from those IPs. 200+ packets so far today. Not much impact though. My router is rejecting most of it.
I stumbled across that in my research. I also found this entry suggesting malicious activity... https://seclists.org/nanog/2019/Jun/295.
Unfortunately neither of those articles were big on details, so it was difficult to quantify if they are up to something or if this is just coincidence. Badness happens all the time on the Internet. I did want to call them out, but wasn't going to acuse them of malicious activity without quantifiable proof.
They have moved around some, although for the most part staying in AS202425. The July range was 185.176.26.0 - 185.176.27.255. typically they have DNS entries for scanner.openporsts.com. As of last week those were pointing at the following IP ranges:
185.216.140.0/23 - AS204655
80.82.64.0/24 - AS202425
80.82.65.0/24 - AS202425
80.82.70.0/24 - AS202425
80.82.77.0/24 - AS202425
80.82.78.0/24 - AS202425
89.248.160.0/24 - AS202425
89.248.162.0/24 - AS202425
89.248.167.0/24 - AS202425
89.248.168.0/24 - AS202425
89.248.169.0/24 - AS202425
89.248.170.0/24 - AS202425
89.248.171.0/24 - AS202425
89.248.172.0/24 - AS202425
89.248.174.0/24 - AS202425
93.174.93.0/24 - AS202425
93.174.95.0/24 - AS202425
94.102.49.0/24 - AS202425
94.102.50.0/24 - AS202425
94.102.51.0/24 - AS202425
94.102.52.0/24 - AS202425
94.102.53.0/24 - AS202425
94.102.56.0/24 - AS202425
94.102.57.0/24 - AS202425

Diary Archives