Wish I still had that email from them where person “possibly not speaking for the company” stated that "they scan the entire internet for vulns and other nefarious things.
Where I stated “don’t care get your unwanted advertisement scans off my edge, if I want you in the future I know where to find you”. And he kept beating around the bush.
Well, it is more like the guy who comes once a year and checks that your central heating is not going to blow up.
(Disclaimer: I have supervised students who designed and executed benign mass-scans of the IPv4 Internet in order to validate hypotheses about market penetration of certain security updates, and I definitely would do that again if there is a good reason to perform such a scan.)
Grüße, Carsten
Some national government infrastructure protection organizations will
relay notifications to local provider networks (e.g., abuse@) based
on reputable third party surveyors (aka network scanner operators). I
think it is safe to assume this is generally done as a public service,
but perhaps with some mandates to measure and minimize risk within a
country's borders.
Most providers will usually convey the notification is fairly strong
language, usually demanding some sort of response and if applicable,
remediation. The reports can contain false positives (e.g., when
scanners cannot differentiate between vulnerable systems and honeypots).
It isn't always clear based on the relayed reports who is running the
scans, but in my experience Shadowserver is the most widely used and
cited. There are of course lots of others running scans. Commercially,
Greynoise tracks many of them. A research-based tracker is also
available here:
<Michael Collins / Acknowledged Scanners · GitLab>
John
If there were a few hundred people with nefarious intent trying to open your
doors and windows every night, someone doing the same thing with altruistic
intent might not be such a bad thing.
- Matt
Matt Palmer wrote:
Hi, Ronald,
I would like to solicit the opinions of network operators on the practice
of scanning all of, or large chunks of the internet for known vulnerabilities.
Note: What's most usually done out there is scanning for ports, rather than for vulnerabilities.
That said, as noted by others, ports scans are kind of part of the echo system.
A vast number of them can be blocked proactively by e.g., feeding block-lists (e.g. abuseipdb's) dynamically into your firewalls' rulesets.
In earlier times, this was generally viewed as being distinctly anti-social
behavior, but perhaps attitudes have changed relative to earlier eras.
I would thus like to know how people feel about it now, in 2022.
At the end of the day, the folks you should most likely be concerned about are the folks that won't even care about whether this is unsocial behavior.
For low-volume traffic, you can probably filter it out as discussed above, and, other than the possible noise, the scans shouldn't cause harm anyway (and if e.g. an IPv6 host scan is causing you neighbor cache exhaustion problems... that's an issue you need to deal with, anyway).
What's left probably falls into the DoS-like category... but is normally more targetted than sent to random networks/whole Internet.
Thanks,
When I lock the doors etc to my home I'll often mutter "ya know, if
someone is rattling my door knob I already have a big problem."
I suppose when I'm home it might give me a warning if I hear it.
There must be a metaphor in there somewhere.
I do recall as a teen noticing that one of the closed store's on the
main drag's door was unlocked late one night walking home (this was in
NYC.)
I saw a cop and told him and he scolded me angrily for rattling door
knobs, I could be arrested for that! But verified it, looked around
inside with his flashlight, and called it in.
I forget how I noticed but I wasn't in the habit of rattling stores'
door knobs, I think the door was just a bit ajar.
There must be a metaphor in there somewhere.
Barry -
There is indeed a metaphor to your “rattling doorknobs", but it’s not pretty when it comes to the Internet…
If you call the police because someone is creeping around your property checking doors and windows for
possible entry, then they will indeed come out and attempt to arrest the perpetrator (I am most certainly
not a lawyer, but as I understand it even the act of opening an unlocked window or door is sufficient in many
jurisdictions to satisfy the “breaking the seal of the property” premise and warrant charging under breaking
and entering statues.)Now welcome to the Internet… paint all your windows black, remove all lighting save for one small bulb
over your front entry. Sit back and enjoy the continuous sounds of rattling doorknobs and scratching at
the windows.If/when you find a digital culprit creeping around inside the home, your best option is burn down the place
and start anew with the copies you keep offsite in storage elsewhere. Similarly if you find a “trap” (e.g.,
a phishing email) placed on your patio or amongst your mail… discard such cautiously and hope your
kids use equal care.“Best practice” for handling these situations on the Internet is effectively to cope as best you can despite
being inundated with attempts – i.e. most Internet security professionals and law enforcement will tell you
that the idea of actually trying to identify and stop any of the culprits involved is considered rather quaint
at best – i.e. we’re instead going to engage in the worlds longest running game of “whack-a-mole” by just
blocking their last known website/mail server/botnet and the wishing for the best…
Enjoy your Internet!
/John
Disclaimers: My views alone - use, reuse, or discard as desired.
This message made of 100% recycled electrons.
Hi,
While it's possible to have a discussion on the topic, I think that the only safe bet is that, when connected to the Internet, you'll definitely be subject to scanning.
I doubt there's much you want to do at a SOC about it unless it's a recurring situation involving a somewhat big traffic load -- in which case, you'd probably handle it as you'd do with a DoS attack.
Scans of one sort of another happen way to often to bother (or to afford to bother, if you wish) -- for instance, just a few days ago I was setting up an imap server, and happened to find the service being scanned by censys in terms of hours. For regular mass scans, you can normally block them proactively, via a number of feeds (abuseipdb, dshield, and others), if you find them as a nuissance or don't want to show up in the scanner's results.
As for targetted scans, the only safe bet is that you *will* be targetted. So... keep the windows and doors locked. And, better, check if they actually are locked regularly.
Thanks,
Fernando
Barry -
>
>
> There is indeed a metaphor to your “rattling doorknobs", but it’s not
> pretty when it comes to the Internet…
>
> If you call the police because someone is creeping around your property
> checking doors and windows for
> possible entry, then they will indeed come out and attempt to arrest the
> perpetrator (I am most certainly
> not a lawyer, but as I understand it even the act of opening an unlocked
> window or door is sufficient in many
> jurisdictions to satisfy the “breaking the seal of the property” premise
One can find a lot of articles and court decisions which amount to no,
the police have no such obligation despite people's strong belief that
they do:
https://mises.org/power-market/police-have-no-duty-protect-you-federal-court-affirms-yet-again
Town of Castle Rock v. Gonzales - Wikipedia
(not even if you have a restraining order against the person)
etc.
They do have an obligation to protect someone when they are in their
custody but that's about it.
The recent behavior of the Uvalde police standing around while
children were being shot may not have been their proudest moment but
they violated nothing by doing so.
https://www.thenation.com/article/society/uvalde-police-supreme-court/
So let's try to extrapolate that to the internet and LEOs...good luck!
Barry -
I did not say “obligation” - enforcement of laws is always modulated by local factors
(just look at the formal decision not to prosecute “minor” crimes in some cities) -
but rather said that police will pursue in many jurisdictions. This is particularly true
in cases where the perpetrator is still on the premises to be taken into custody.
Yes, there are indeed places in the physical world where legal recourse against a
perpetrator is becoming less likely (just as it is on the Internet); this is particularly
disappointing given that legal recourse is recognized as a basic human right.
Thanks,
/John
Disclaimers: my views alone. Use/reuse/delete as desired.
Contents may be hot; use caution when handling.
Hi, John:
1) "... i.e. we’re instead going to engage in the worlds longest running game of “whack-a-mole” by just blocking their last known website/mail server/botnet and the wishing for the best… ":
Perhaps it is time for us to consider the "Back to the Future" strategy, i.e., the Internet should practice static IP address like all traditional communication system did?
Regards,
Abe (2022-07-23 22:27 EDT)
Abe -
Static versus dynamic address assignment isn’t the problem - dynamically assigned IP address space can
still be tracked back to a given system (reference: RFC6302/BCP162 & RFC6269 for discussion of the
requirements and various related issues.)
Tracking back to a particular server doesn’t really matter if all that happens is that the service is terminated
(as the culprit will simply appear elsewhere in the Internet with a new connection/server and start over.)
Alas, the situation doesn’t change unless/until there’s a willingness to engage law enforcement and pursue
the attackers to prevent recurrence. This is non-trivial, both because of the skills necessary, the volume of
attacks, the various jurisdictions involved, etc. – but the greatest obstacle is simply the attitude of “Why bother,
that’s just the way it is…”
With zero effective back pressure, we shouldn’t be surprised as frequency of attempts grows without bound.
Thanks,
/John
Disclaimers: my views alone – no one else would claim them. Feel free to use/reuse/discard as you see fit.
Hi, John:
1) "... dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However,
A. You overlooked the critical consideration of the response time. If this can not be done in real time for law enforcement purposes, it is meaningless.
B\. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful\. In fact, this would penalize the innocent users who happen to be on the same implied "system"\.
C\. In addition, for your “whack\-a\-mole” metaphor, the party in charge is the mole, not the party with the mallet\. It is a losing game for the mallet right from the beginning\.
So, the current Internet practices put us way behind the starting line even before the game\. Overall, this environment is favored by multi\-national businesses with perpetrators riding along in the background\. When security is breached, there are more than enough excuses to point the finger to\. No wonder the outcome has always been disappointing for the general public\.
2) What we need to do is to reverse the roles in every one of the above situations, if we hope for any meaningful result, at all. The starting point is to review the root differences between the Internet and the traditional communication systems. With near half a century of the Internet experience, we should be ready to study each issue from its source, not by perpetuating its misleading manifestations.
Regards,
Abe (2022-07-24 10:19 EDT)
Hi, John:
1) "... dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However,
A. You overlooked the critical consideration of the response time. If this can not be done in real time for law enforcement purposes, it is meaningless.
Abe -
That’s correct - but that does not require having static addresses to accomplish (as you postulated earlier),
rather it just requires having appropriately functioning logging apparatus.
B. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful. In fact, this would penalize the innocent users who happen to be on the same implied "system".
Yes, it is quite obvious that a degree of care is necessary.
C. In addition, for your “whack-a-mole” metaphor, the party in charge is the mole, not the party with the mallet. It is a losing game for the mallet right from the beginning.
As with all enforcement, it is a question on changing to breakeven point calculation on incentives & risks
for the would be perpetrators, and presently there’s almost nearly no risk involved.
So, the current Internet practices put us way behind the starting line even before the game. Overall, this environment is favored by multi-national businesses with perpetrators riding along in the background. When security is breached, there are more than enough excuses to point the finger to. No wonder the outcome has always been disappointing for the general public.
Indeed.
2) What we need to do is to reverse the roles in every one of the above situations, if we hope for any meaningful result, at all. The starting point is to review the root differences between the Internet and the traditional communication systems. With near half a century of the Internet experience, we should be ready to study each issue from its source, not by perpetuating its misleading manifestations.
That’s one possible approach, although before becoming too enamored with it, it is probably worth remembering]
that the “traditional communication systems” have also suffered from similar exploits occasion (they’ve been fewer
in number, but then again, the number of connected devices was also several orders of magnitude smaller.)
Thanks,
/John
Disclaimer: my views alone – use caution - contents may be hot!
Hi, John:
1) "... dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However,
A. You overlooked the critical consideration of the response time. If this can not be done in real time for law enforcement purposes, it is meaningless.
The same is true for statically assigned addresses, unless you're proposing that ISPs be forced to preemptively divulge all customer data to law enforcement and keep that data updated in real time. At least in the US, this would almost certainly be ruled an unconstitutional search.
It also fails to address the CGNAT scenarios often required to provide IPv4 Internet access at all.
B\. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful\. In fact, this would penalize the innocent users who happen to be on the same implied "system"\.
"System" isn't implied. It would be the AS and assigned CIDR block from the RIR.
C\. In addition, for your “whack\-a\-mole” metaphor, the party in charge is the mole, not the party with the mallet\. It is a losing game for the mallet right from the beginning\.
The party in charge (ISP) is the programmer of the game that also holds the records of where the mole has been historically. With the proper warrant, law enforcement can get those records. It matters not whether the IP is static, dynamic, or part of a CGNAT pool.
So, the current Internet practices put us way behind the starting line even before the game\. Overall, this environment is favored by multi\-national businesses with perpetrators riding along in the background\. When security is breached, there are more than enough excuses to point the finger to\.
Overall, this environment is favored by most users of the Internet that don't want law enforcement to be handed yet another virtual wiretap by their ISP. It's also required in many cases to provide IPv4 Internet access at all, as there aren't enough static addresses to go around.
No wonder the outcome has always been disappointing for the general public.
I disagree that the general public is disappointed. No one I know wants yet more agencies tracking them on the Internet, particularly agencies employing people with guns and the ability to throw them in jail.
Hi, John:
0) Thanks for sharing your thoughts. The IoT identification (IP address) versus privacy is a rather convoluted topic. It can quickly get distracted and diluted if we look at it by piecemeal. Allow me to go through an overview to convey my logic.
1) It is true that a dynamic IoT identification is harder to track down than a static one, thus providing some sense of privacy or security, theoretically. This went well with the need for dynamic practice due to the limited IPv4 address pool. So, this idea sank deep into most people's mind as inherent for the Internet.
2) It turned out that there were many ways (as you eluded to) to track down an IoT even with a dynamic address. There was a classical research paper that outlined various techniques to do so:
To save your time, I extracted part of its conclusions as below:
"6 Concluding Remarks ... while some commercial organizations have claimed that they can do it with 99% accuracy. … It’s meant for the 99 percent of the general public who are just at home surfing. … We note that even if accurate IP geolocation is possible for 99% of IP addresses, if the remaining 1% is fixed and predictable by an adversary, and such that the adversary can place themselves within this subspace, then they can evade geolocation 100% of the time. …"
We do not need to check its validity quantitatively, today, because technology has advanced a lot. However, it is probably still pretty accurate qualitatively, judging by how successful "targeted marketing" is, while how hard various perpetrators may be identified, not to mention physically locating one.
3) As long as the general public embrace the Internet technologists' promise of privacy by dynamic addressing, however, the LE (Law Enforcement) agencies have the excuse for exercising mass surveillance that scoops up everything possible from the Internet for offline analysis. Big businesses have been doing the same under the same cover. So, most people end up without privacy anyway. (Remember the news that German Chancellor's phone call was somehow picked up by the NSA of US? For anyone with a little imagination, it was a clear hint for the tip of an iceberg.).
4) Static communication terminal (IoT) identification practice will remove a significant number of entities (the 99%) from LE's monitor operation, enabling them to focus on the 1% as well as requiring them to submit justification for court order before doing so. The last part has disappeared under the Internet environment. See URL below for an example. The static IP address practice will simplify the whole game. That is, the LEs can do their job easier, while the general public will get the legally protected privacy back.
Federal court upholds terrorism conviction in mass surveillance case
Regards,
Abe (2022-07-27 23:28 EDT)