Port Scanners: The Good and The Bad

Published: 2015-09-04. Last Updated: 2015-09-04 13:38:21 UTC
by Xavier Mertens (Version: 1)
10 comment(s)

Every morning, while drinking coffee, one of my daily tasks is to keep an eye on my logs. Keeping logs is critical to help you investigate incidents and, sometimes, to prevent some of them. That's why I'm collecting a huge amount of data. Besides miscellaneous tools and scripts, I receive a daily overview of my firewalls' traffic via a DShield report. Every day, I see IP addresses scanning my network. Today, I went deeper and tried to separate the good from the bad in this report. The firewalls protect classic devices and applications (home network, colocated servers, websites and other public services).

Port scanning is an activity that has always induced debates. The classic question is: "Do we have to care about port scans?". I have already had discussions with peers about this topic, and different points of view are always defended. Some people argue that port scanning is a normal activity and that it will never decrease. For them, creating incidents for port scans is far too time-consuming. Others feel offended and track them continuously.

Even if you don't track them, port scans must be logged because they can be part of a reconnaissance phase and be followed by a much deeper attack against your infrastructure. They may also be useful later as evidence. So, the next question is: can we reduce the noise and filter good vs. bad port scanners?

There are official port scanners operated by companies, non-profit organizations or security researchers. Some examples at the top of my list:

  • SHODAN (identified with PTR records: xxxxxx.shodan.io)
  • ShadowServer project (identified with PTR records: scan-xxx.shadowserver.org)
  • Rapid7's Sonar project (IP range: 71.6.216.32/27)

Do you know other Internet scanners like these? Feel free to share them.

Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be


Comments

GRC's "Shields Up" port scanner does tcp 1-1024.

>>They are official port scanners operated by companies, non-profit organizations or security researchers

If I go around testing that all my neighbours' doors are locked and then document the unlocked ones, then post the unlocked ones (with addresses) on my neighbourhood's local notice board (where all the druggies hang out), the cops will pay me a visit in no time. I am sure if I say that I am the local "official" locked door tester, that will make it okay...

Who made Shodan, ShadowServer and Rapid 7 the official ones or are they just community vigilantes?
I am with the lazy crowd that says that port scanning is common.

Rather than investigate every single scan, I would rather secure my servers by closing all unnecessary ports from the internet. Why expose remote admin ports (RDP, SSH, VNC) and non-necessary services (NTP, SNMP, UPNP)? The former is an invitation for others to "pick your lock", the latter are good candidates for reflection attacks. If you need the remote administration, secure them by say limiting access to specific IPs, VPN or port knocking.

Web application scanners are another matter. These are usually generic scanners that search for insecure web apps (e.g. ZeMu for phpMyAdmin). Or you may get targeted VA web scans, SQL injection scans and sometimes the periodic web health check from an unknown party's Nagios NMS installation. This indicates that someone is interested in your servers.

This morning I found another one: http://plcscan.org/blog/.

Steve Gibson @ GRC Systems runs a Port Scanner, ShieldsUp!, so users can test their home or business 'Net connection to check for open/closed/stealthy ports.

However, you can't use it to test ports on any public IP address other than the one you're using.

"Rather than investigate every single scan, I would rather secure my servers by closing all unnecessary ports from the internet."

That's the problem with these "services". The organizations that are doing their jobs are the ones least likely to be negatively affected by these scans. The ones that don't care or don't know to care are the ones that will be negatively affected by these "services" doing the attacker's initial recon work for them.

IMHO they are no different than accomplices "casing the joint" before the actual break-in.

"No, judge. I'm not an accomplice. I'm a physical security researcher."

@Peter P:

(OPEN) ports are neither closed nor locked doors, but like open doors which invite ANY passer-by to enter.
If you don't want any (unauthorized or uninvited) passer-by to enter, then shut and lock your doors.

JFTR: if you leave your car with unlocked doors on the street, the police might seize your car to prevent damage (not only to your car, but to other innocent people who may get run over by anybody who can take it away) and come after you because you did not properly secure your vehicle.

Have seen several in addition to the ones noted.

Had to wait a day and received http://researchscan297.eecs.umich.edu/.

1. Grep all probes to closed ports from a month's worth of logs.
2. Make list with unique IPs and do reverse lookups on all of them.
3. ????
4. PROFIT

Step 3 actually involved sifting through 3000 hostnames and resulted in this list of companies and universities that believably look like they’re just probing and aren’t trying to break in.

38.229.1.13 cymru.com
38.229.33.47 cymru.com
66.240.192.138 shodan.io
66.240.236.119 shodan.io
71.6.135.131 shodan.io
71.6.165.200 shodan.io
71.6.167.142 shodan.io
71.6.216.32/27 rapid7.com
74.82.47.0/26 shadowserver.org
82.221.105.6 shodan.io
82.221.105.7 shodan.io
85.25.43.94 shodan.io
85.25.103.50 shodan.io
93.120.27.62 shodan.io
95.215.9.222 netscan.lekus.su
128.232.18.57 cam.ac.uk
128.232.110.28 cam.ac.uk
134.147.203.112/28 syssec.ruhr-uni-bochum.de
137.226.113.0/29 comsys.rwth-aachen.de
141.212.121.0/24 eecs.umich.edu
141.212.122.0/24 eecs.umich.edu
169.229.3.88/29 eecs.berkeley.edu
184.105.139.64/26 shadowserver.org
184.105.247.192/26 shadowserver.org
188.138.9.50 shodan.io
198.20.69.72/29 shodan.io
198.20.69.96/29 shodan.io
198.20.70.112/29 shodan.io
198.20.99.128/29 shodan.io
198.48.92.104 cs.washington.edu
204.42.253.2 openresolverproject.org
204.42.253.130 openSNMPproject.org
204.42.253.131 openNTPproject.org
204.42.253.132 openSSDPproject.org
204.42.254.5 openresolverproject.org
209.126.230.64/28 erratasec.com
216.218.206.64/26 shadowserver.org

Have fun - no warranties - use at your own risk. :)
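The diary asks whether the noise can be reduced by separating known research scanners from everything else, and the commenter above sketches the procedure (grep probes to closed ports, deduplicate source IPs, reverse-lookup each one). The script below is an added example, written for this page rather than taken from the diary or from any commenter, that does both steps over firewall log lines. The log lines are constructed iptables-style LOG records with a DROP prefix, the reverse-DNS table is a constructed stand-in so the example runs offline (in practice you would call `socket.gethostbyaddr` and expect many lookups to fail), and the only identifiers used for matching are the ones the page gives: the `shodan.io` and `shadowserver.org` PTR suffixes, `eecs.umich.edu`, and the Rapid7 Sonar range `71.6.216.32/27`.

```python
"""Sort port-scan sources in a firewall log into known research scanners
and unknown probers.  Added example; not code from the ISC diary or its
commenters.  Sample log lines and the PTR table are constructed."""
import ipaddress
import re
from collections import defaultdict

# Identifiers as given on the page (diary and the commenter's list).
KNOWN_PTR_SUFFIXES = ("shodan.io", "shadowserver.org", "eecs.umich.edu")
KNOWN_RANGES = [ipaddress.ip_network("71.6.216.32/27")]   # Rapid7 Sonar

# iptables LOG target fields we need: source, protocol, destination port.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample input: every line is a dropped inbound packet, i.e. a
# probe to a closed port.  203.0.113.10 is the (documentation-range) firewall.
SAMPLE_LOG = """\
Sep  4 06:01:02 fw kernel: DROP IN=eth0 OUT= SRC=71.6.216.40 DST=203.0.113.10 PROTO=TCP SPT=41000 DPT=443
Sep  4 06:01:05 fw kernel: DROP IN=eth0 OUT= SRC=66.240.192.138 DST=203.0.113.10 PROTO=TCP SPT=52000 DPT=22
Sep  4 06:02:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=33000 DPT=3389
Sep  4 06:02:12 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=33001 DPT=445
Sep  4 06:02:13 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=33002 DPT=5900
Sep  4 06:03:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.5 DST=203.0.113.10 PROTO=UDP SPT=12345 DPT=161
"""

# Constructed stand-in for reverse DNS so the script needs no network.
# In production: socket.gethostbyaddr(ip)[0], wrapped in try/except.
FAKE_PTR = {"66.240.192.138": "census1.shodan.io"}


def reverse_lookup(ip, ptr_map=FAKE_PTR):
    """Return the PTR name for ip, or None when there is none."""
    return ptr_map.get(ip)


def is_known_scanner(ip, hostname):
    """True if ip falls in a listed range or its PTR ends in a listed domain.
    The suffix test requires a label boundary so 'notshodan.io' does not match."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in KNOWN_RANGES):
        return True
    if hostname is None:
        return False
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_PTR_SUFFIXES)


def classify_probes(log_text, resolver=reverse_lookup):
    """Group dropped probes by source IP, then split the sources into
    'known' (listed research scanners) and 'unknown' (everything else).
    Each entry records the PTR name and the sorted (proto, port) list."""
    ports_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ports_by_ip[m["src"]].add((m["proto"], int(m["dpt"])))

    result = {"known": {}, "unknown": {}}
    for ip, ports in ports_by_ip.items():
        host = resolver(ip)
        bucket = "known" if is_known_scanner(ip, host) else "unknown"
        result[bucket][ip] = {"hostname": host, "ports": sorted(ports)}
    return result


if __name__ == "__main__":
    report = classify_probes(SAMPLE_LOG)
    for bucket in ("known", "unknown"):
        print(f"== {bucket} sources ==")
        # Unknown sources touching the most ports are the ones worth a look.
        for ip, info in sorted(report[bucket].items(),
                               key=lambda kv: -len(kv[1]["ports"])):
            print(f"{ip:16} {info['hostname'] or '-':24} {info['ports']}")
```

The "unknown" bucket is what is left after the listed scanners are removed; sorting it by the number of distinct ports probed surfaces the hosts sweeping remote-admin ports (3389, 445, 5900 in the sample) ahead of single-packet noise. Matching is on the PTR suffix and listed ranges only, so a source that forges nothing but also has no PTR record stays in "unknown", which is the conservative outcome.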

Further details on 141.212.121/24 and 141.212.122.0/24:
Those are related to the UMich Internet-Wide Scan Data Repository at https://scans.io/ and the ZMap team at https://zmap.io/. Just mailed one of the researchers - Zakir Durumeric.

As soon as I saw the address I thought of those guys. I wonder how many organizations are duplicating each others work?
