shadowserver.org

Anyone have an idea how to get HE/ShadowServer.org servers to stop
attempting to penetrate the Comcast drop at my house?

Their website claims altruism.. but my logs don't support that claim.

Scott

I have no connection with Shadowserver, and no idea what you’re actually seeing or whether it represents a misconfiguration or bad idea on Shadowserver’s part or not.

But as someone who frequently receives brief outraged emails from people who have discovered my insidious plot to infiltrate their recursive nameservers with packets from port 53, I find that sometimes if people use more words to explain what they’re seeing, they find that it isn’t what they at first thought it was.

So, using more words, what specifically are you observing, that leads you to believe that Shadowserver is attempting to penetrate your home network?

                                -Bill

Scott,

Did you look at:
https://www.shadowserver.org/what-we-do/network-reporting/dns-open-resolvers-report/
https://scan.shadowserver.org/dns/

If you still think they are penetrating you, see their section on blocklisting:

To be removed from this set of scanning you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDRs that you would like to have removed. You will have to be the verifiable owner of these CIDRs and be able to prove that fact. Any address space that is blocklisted will be publicly available here: https://scan.shadowserver.org/dns/exclude.html

Regards,
Hank

Shadowserver is constantly doing all kinds of port scanning and penetration attempts globally, have been for many years.

On a residential connection as you describe, have something in place that drops anything from them, and move on with your day.

In theory (at least), your ISP asked for it.

Thanks,

> Shadowserver is constantly doing all kinds of port scanning and penetration attempts globally, have been for many years.

They conduct probes and queries that are basically routine
communications against IP address/port pairs that have been routed on
the public Internet. I have seen nothing, and there is no evidence, of
Shadowserver specifically ever conducting a penetration attempt or
other actual abuse, such as attempting to gain access to computers or
data beyond what reports on publicly-accessible services would cover, but
please do show more details if that could be the case now.

There are many parties who do scans and send basic queries for reasons
that have nothing to do with penetrating or attempting to penetrate
anything -- those are just queries. For example, a DNS query to port 53,
in order to detect hosts that have a level of service open to the
public, like open resolvers: a service which does not meet current
standards, or a subset of hosts presenting a high risk to other
networks, so that the info can be communicated to ISPs and upstream
providers to mitigate.
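The "just a query" described above is an RD=1 lookup for a name the target is not authoritative for; the host is an open resolver if it recurses and answers with RA set. The following is an added example, not code from the thread or from Shadowserver, that builds that probe, parses the reply header, and classifies the result, so you can run the same check against your own resolver before deciding whether the scanner found something real. The reply bytes and the 0x1234 transaction ID are constructed samples; `probe()` only sends traffic if you pass a host on the command line, and it should only be pointed at addresses you own.

```python
"""Added example (not from the thread): build the kind of DNS probe an
open-resolver scan sends, and classify a reply.  A host is an open
resolver when it answers a recursion-desired (RD) query for a name it is
not authoritative for with the RA (recursion available) flag set, RCODE 0
and at least one answer.  Runs offline against constructed sample replies."""
import socket
import struct

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    # Header: ID, flags (only RD=1 set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

def parse_reply(data: bytes, expected_txid: int) -> dict:
    """Pull the header bits that matter for the open-resolver decision."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid_ok": txid == expected_txid,
        "qr": bool(flags & 0x8000),     # 1 = this is a response
        "rd": bool(flags & 0x0100),     # echoed from our query
        "ra": bool(flags & 0x0080),     # server offers recursion
        "rcode": flags & 0x000F,        # 0 NOERROR, 5 REFUSED, ...
        "ancount": an,
    }

def classify(reply: dict) -> str:
    if not reply["txid_ok"] or not reply["qr"]:
        return "not-a-reply"
    if reply["rcode"] == 5:               # REFUSED: recursion denied to outsiders
        return "closed"                   # (this is what a home resolver should do)
    if reply["ra"] and reply["rcode"] == 0 and reply["ancount"] > 0:
        return "open-resolver"            # it recursed on our behalf
    if reply["ra"]:
        return "recursion-advertised"     # RA set but no usable answer; look closer
    return "closed"

# Constructed sample: reply to "example.com A" from a server that recursed for
# us.  Flags 0x8180 = QR|RD|RA, RCODE 0, one A record (address is arbitrary).
SAMPLE_OPEN_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)
# Constructed sample: same query, server answers REFUSED (flags 0x8185).
SAMPLE_REFUSED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
)

def probe(host: str, qname: str = "example.com", timeout: float = 2.0) -> str:
    """Send the query over UDP/53 and classify.  Only probe hosts you own."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (host, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"
    return classify(parse_reply(data, txid))

if __name__ == "__main__":
    import sys
    print(classify(parse_reply(SAMPLE_OPEN_REPLY, 0x1234)))      # open-resolver
    print(classify(parse_reply(SAMPLE_REFUSED_REPLY, 0x1234)))   # closed
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

If `probe()` against your own WAN address returns `open-resolver`, the scanner report is accurate and the fix is on your side (disable recursion for non-local clients, or stop forwarding 53 from the WAN); `closed` or `no-answer` means the probe was answered the way it should be and there is nothing to block.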

It appears to be opt-out. I don't think his ISP asked for it at all. His ISP just hasn't asked them to stop.

What is the difference between shodan.io and shadowserver.org ?

Jean

I thought I’d add because it seems relevant and this is a pet peeve of my own, but with some notable exceptions-- anymore you can more or less think of a port scan as generally being a network diagnostic of some sort. Most of the stuff that says it's a precursor to an attack is outdated and stems from a time period when compromises were a mostly server side affair. Anymore, particularly in the majority of major unix services, the code bases have long been settled and the more serious vulnerabilities have largely worked themselves out. Most attacks anymore take one of two forms, one being client-side attacks (e.g. Office or a browser or similar) and the other being web application vulnerabilities-- neither of which fit the traditional model of port scan followed by an attack.

There are notable exceptions, people still widely try to brute force SSH and scan for it, there will likely always be spammers seeking out open relays and people widely scan HTTP related ports looking for known vulnerable applications, but those don’t really fit the same model. Thus, for the most part, with some notable exceptions, when you see a port scan unless there is something specific that screams attack you should think of it as someone doing some form of diagnostic.

If you’re seeing someone probing DNS, it's probably in the single digit percentages that it's anything but a diagnostic.

YMMV of course, but it’s a pet peeve because a lot of the trainings and such still retain the notion that this is frequently a precursor.

> What is the difference between shodan.io and shadowserver.org ?

In what regard? Both of those conduct frequent scans of the IPv4
internet. Neither of them attacks nor penetrates. The former may be
a more tailored scan.

Shodan's a for-profit site that provides access to general data from
their scans about any hosts/networks on the internet to anybody who
wants to search their data and pays for a subscription.

Shadowserver's a non-profit.. cost $0 for the ISP to subscribe to
their reports, that generates reports on certain issues specifically
against botnets, malware, DDoS risks; they distribute to the IP block
owners on need-to-know.

At least in theory, for the former anyone that pays for the service (or
employs free credit) has access to the scan data, whereas for the
latter, only the responsible organization for the network prefixes gets
the scan results.

Thanks,

I'd say my public facing servers are under constant attack of some level of utility.

Ie. my honeypot email servers collect 100k+ connections a day each,
that don't have any MX pointing to them, their only sin is being up and
listening to port 25. They can't process a single email in or out.

My web servers have a constant barrage of accesses that aren't hitting
valid URIs. Sometimes they hit on some pattern that starts forming a
small DoS on them and I have to go block or auto-block them.

The white-hat scanners like Shodan or Shadowserver are a small drop in
the bucket compared to the malicious scans that constantly are going
on. Perhaps it is easier to find Shodan or Shadowserver as they are
fairly consistent and easily identifiable, vs. the constant EC2 or
other fly-by-night cloud services being abused.

…the way I know to check if my DNS, SSH, or SMTP daemons have died and need
to be restarted is if the steady stream of syslog messages from probes suddenly
goes quiet.

I thought it was rather nice of the Internet to provide 24/7 distributed service
availability monitoring for me. No more having to pay Keynote to poke my
ports every 15 minutes! :wink:

Matt
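Matt's half-joking point above, that the background probe noise is a free liveness monitor, turns into a real check once you write down "quiet for how long is too long" per daemon. The following is an added example, not code from the thread, that reads syslog-style lines, records the last time each listening daemon logged inbound traffic (the sshd, postfix/smtpd and named message formats and the 2024 year are assumptions), and reports any daemon whose probe stream has gone silent for longer than a threshold. The log lines are constructed; with `journalctl -f` or `tail -F /var/log/syslog` piped to it, the same function runs against live input.

```python
"""Added example (not from the thread): treat the constant background probe
noise as a liveness signal.  Parse syslog lines, record the last time each
listening daemon logged an inbound connection or query, and flag daemons
that have been silent longer than a threshold.  Log lines are constructed."""
import re
import sys
from datetime import datetime

# Daemon tag -> pattern that proves it is still accepting traffic.  These are
# common default message formats for sshd, postfix smtpd and bind; adjust them
# to your own logs (assumption, not a standard).
PROBE_PATTERNS = {
    "sshd":          re.compile(r"(Invalid user|Failed password|Connection closed)"),
    "postfix/smtpd": re.compile(r"connect from"),
    "named":         re.compile(r"query"),
}
# "Mar 12 10:00:01 host tag[pid]: message"  (classic syslog line layout)
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ([\w/]+)(?:\[\d+\])?: (.*)$")

def parse_line(line: str, year: int):
    """Return (timestamp, tag, message) or None for lines we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def silent_daemons(lines, now: str, threshold_s: int, year: int = 2024) -> dict:
    """now is a syslog-style time ('Mar 12 10:15:00').  Returns {tag: seconds
    since last probe} for daemons quiet longer than threshold_s; None means
    the daemon never showed up in the window at all (dead, or never logged)."""
    now_ts = datetime.strptime(f"{year} {now}", "%Y %b %d %H:%M:%S")
    last = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, tag, msg = parsed
        pat = PROBE_PATTERNS.get(tag)
        if pat and pat.search(msg):
            last[tag] = max(ts, last.get(tag, ts))
    quiet = {}
    for tag in PROBE_PATTERNS:
        if tag not in last:
            quiet[tag] = None
        else:
            silent = int((now_ts - last[tag]).total_seconds())
            if silent > threshold_s:
                quiet[tag] = silent
    return quiet

# Constructed sample window: sshd and smtpd keep getting poked, named stops
# logging queries at 10:01:15 (the cron line is noise and is ignored).
SAMPLE_LOG = """\
Mar 12 10:00:01 gw sshd[1021]: Invalid user admin from 198.51.100.7 port 51234
Mar 12 10:00:40 gw postfix/smtpd[2201]: connect from unknown[203.0.113.9]
Mar 12 10:01:15 gw named[877]: client @0x7f 192.0.2.55#3321 (example.com): query: example.com IN A + (198.51.100.1)
Mar 12 10:03:02 gw sshd[1030]: Failed password for root from 203.0.113.44 port 40122 ssh2
Mar 12 10:10:58 gw postfix/smtpd[2201]: connect from unknown[198.51.100.200]
Mar 12 10:11:30 gw sshd[1041]: Connection closed by 192.0.2.8 port 55002 [preauth]
Mar 12 10:12:00 gw cron[300]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    if sys.stdin.isatty():
        lines, now = SAMPLE_LOG, "Mar 12 10:15:00"
    else:   # e.g. tail -n 5000 /var/log/syslog | python3 quiet.py
        lines, now = sys.stdin.read().splitlines(), datetime.now().strftime("%b %d %H:%M:%S")
    for tag, silent in silent_daemons(lines, now, threshold_s=300, year=datetime.now().year if not sys.stdin.isatty() else 2024).items():
        print(f"{tag}: {'never seen' if silent is None else f'quiet for {silent}s'}")
```

The threshold is the tuning knob: on a host that sees the volumes described earlier in the thread (100k+ SMTP connections a day), a few minutes of silence on port 25 is a real signal, while a quiet IPv6-only or rarely scanned service needs a much longer window before "no probes" means "daemon down" rather than "nobody looked".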