Scanning the Internet for Vulnerabilities

I would like to solicit the opinions of network operators on the practice
of scanning all of, or large chunks of the internet for known vulnerabilities.

In earlier times, this was generally viewed as being distinctly anti-social
behavior, but perhaps attitudes have changed relative to earlier eras.
I would thus like to know how people feel about it now, in 2022.

Regards,
rfg

P.S. Just to be clear, I personally have neither any desire nor any intent
to undertake such activity myself, nor am I in communication with any party
or parties that have such an intent or desire. I cannot however say that I
am unaware of any parties that may currently be involved in such activities.

IMHO not good.

-J

I know that in Israel the cyber dept of the government scans IL IP space then notifies ISPs to notify their clients. This helps where you have clueless people that don’t know they have devices that can easily be compromised.

In message <CAM3TTh30V-ibKhSYpCAENuJO_WwS=udtn6T1O+Cv-nh6JbZdVA@mail.gmail.com>

I know that in Israel the cyber dept of the government scans IL IP space
then notifies ISPs to notify their clients. This helps where you have
clueless people that don’t know they have devices that can easily be
compromised.

That’s most interesting and I certainly did not know that.

Do you have confidence that such scanning is limited to Israeli IP addresses?

Not at all. I think it’s obvious that every nation state “pokes around” the internet.

Are there any private firms that you are aware of in Israel that engage in
such scanning also?

I don’t know who is doing it. I just know that IL Cert contacted our parent company which has an ISP in Israel when things were “hot”.

Also Germany and Estonia, they scan DE and EE IPs and send emails to ISPs every day.

See shadowserver.net

Correction… shadowserver.org

They scan the entire ipv4 internet daily for select potential vulnerabilities.

Also Germany and Estonia, they scan DE and EE IPs and send emails to
ISPs every day.

being in EE space, never receiving such a notice, and lacking the hubris
to think that all our systems are squeaky clean, i have my doubts.

i suspect that we will be seeing folk who dress well scanning for vulns
more and more as this poorly tended mess rolls on.

randy

greetings.

it should be mentioned that shadowserver also notifies those who register as the owners of that address space.
it’s very useful. (it would be more useful if they calculated diffs and notified about changes/additions.)

my thinking about this sort of thing, in general, is:

  • it depends on who’s doing it and why, and what they do with the information
    (so what keeps you from doing it for the benefit of your less clueful downstream customers?)

  • absolutely nothing prevents bad guys from doing it, so discouraging it fits in the category of
    “politeness rules only observed by nice people”.

  • it’s polite enough for me for the good guys to identify themselves so you (the target) can worry
    less when you notice the activity.

(btw, this reasoning applies also about crawls of content from the wayback machine.)

btw, if you want to do this yourself, you might consider using something like

https://github.com/opsdisk/scantron

Project Sonar from Rapid7 conducts internet-wide surveys and is kind enough to share the data with researchers:
https://www.rapid7.com/research/project-sonar/

Had to send these guys a cease and desist a few years back as they became so noisy it was causing too much of a disconnect between information we were trying to compare.

Can’t wait for more idiot services to just jump on the wagon and deploy their own scanners and pollute edges without a just cause.

Personally I don’t care who you are. Probably not hiring your services (free or not), stay off my edge.

When researchers, or whoever, claim their scanning is an altruistic service, I ask them if they would mind someone coming to their home and trying to open all the doors and windows every night.

-mel beckman

In message <CB7990CD-5284-4A9C-BB98-4D55B21B50FF@seiden.com>,

it should be mentioned that shadowserver also notifies those who
register as the owners of that address space.

Yes. That is quite a public spirited endeavor in the best traditions of
the Internet.

my thinking about this sort of thing, in general, is:

- it depends on who's doing it and why, and what they do with the information

Yes. And my question was deliberately open-ended with regards to those
two points, specifically.

Shadowserver is an example of a public-interest enterprise. And unless
I'm mistaken, we can easily know who they are and what they do with the
information they collect.

There are however counter-examples... enterprises that are not quite so
forthright, either in their willingness to be identified or in the disposition
of their results data.

- it's polite enough for me for the good guys to identify
themselves so you (the target) can worry
less when you notice the activity.

I agree. But that raises the question: How would (or should) a "benign"
scanning enterprise publicly identify itself in a manner so as to mitigate
undue alarm?

Regards,
rfg

In message <C22B2D7B-5783-4BAB-8D28-EA20B78119D7@seiden.com>,

This has not changed.

-Dan

I would still consider an uninvited scan of my network antisocial.

Other operators are, of course, free to make their own choices.

Owen

shadow server (to the best of my knowledge) only scans sites that have invited them to do so.

Owen

Yep that’s exactly what that is. While the intention is good, it’s all still unwarranted.