My next class:

Are Internet Scanning Services Good or Bad for You?

Published: 2022-10-19. Last Updated: 2022-10-19 12:12:13 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

I'm in Luxembourg to attend the first edition of the CTI Summit[1]. There was an interesting keynote performed by Patrice Auffret[2], the founder of Onyphe, about "Ethical Internet Scanning in 2022". They are plenty of online scanners that work 24x7 to build a map of the Internet. They scan the entire IP addresses space and look for interesting devices, vulnerabilities, etc. Big players are Shodan, Onyphe, Censys, ZoomEye, etc.

Today, scanning is accepted by most network owners and, if you don't agree to be scanned, you've no alternative and have to live with. Welcome to the wild Internet! Personal opinion, if you are still taking care of such scans in 2022, you are putting resources on the wrong threat. Of course, there is a difference between a "simple" scan against your public IP addresses and a complete scan of your web applications (that may reveal an upcoming attack).

If we have to live with this services, they must have an ethic and respect some rules like:

  • Explain the purpose of the scanner on the website
  • Allow to an opt-out ("don't scan me anymore)
  • Provide abuse contacts
  • Provides lists of IP addresses used to scan
  • Implement good & relevant reverse DNS records
  • Handle abuse requests
  • Don’t fuzz, just use standard packets/protocols
  • Scan slowly (no DoS)
  • Use fixed IP addresses (no trashable ones)
  • Remove collected data upon request

The question that arises is: "To scan or not to scan?". Are these scanners useful? The response is "yes". They help to have a better overview of the Internet and, by example, how many devices are affected by a specific specific vulnerability. You must also know that attackers will, anyway, scan you. Why not take some advantages and also use these scanners? Buy an account, use the provided REST API and query information about your domains and our IP addresses. This will give you a better visibility about your footprint ("what you're exposing on the Internet").

If you're interested in detecting these scanners, we provide you a feed with interesting information[3].

[1] https://cti-summit.org
[2] https://twitter.com/patriceauffret
[3] https://isc.sans.edu/api/threatcategory/research/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)
My next class:

Comments


Diary Archives