Tracking network scanning activities can help researchers understand which services are being targeted. By monitoring the origins of the scanners, researchers can also identify compromised endpoints: if a host belonging to a known organization suddenly starts to scan a part of the internet, it is a strong indicator that the host is compromised. This blog summarizes our findings over a four-month period, from May to August 2021.

On average, we identified 75,000 unique scanner IP addresses globally that enumerated more than 9,500 different ports every day. On an internet-facing endpoint, we observed 1,500 unique scanner IPs targeting 1,900 ports daily. Because not every scanner scans the entire IPv4 address space, the number of scanners observed on each endpoint is lower than the total number of scanners observed globally. Samba, Telnet and SSH were the three most scanned services, accounting for 36% of scanning traffic globally.

Among all the scanners we observed, 64% of the IPs appeared only once throughout the four months, while 0.15% of the IPs appeared every day. The high percentage of ephemeral IPs indicates that the majority of the scanners are difficult to track. On the other hand, most legitimate scanning service providers, such as Shodan, Censys and Shadowserver, usually use a fixed set of IPs and make their scanners identifiable via explicit user agents or domain names. A list of the most frequent scanner IPs identified in this research is available on GitHub.
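The two measurements described above (how persistent each scanner IP is across the observation window, and whether an internal host has suddenly started fanning out to many targets) can be computed from plain flow records. The following is an added example, not code from the research described here; the flow records, the internal prefix `10.0.0.0/8` and the `min_targets` threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (day, src_ip, dst_ip, dst_port); not real data.
FLOWS = [
    ("2021-05-01", "198.51.100.7", "203.0.113.10", 445),
    ("2021-05-01", "198.51.100.7", "203.0.113.11", 23),
    ("2021-05-02", "198.51.100.7", "203.0.113.12", 22),
    ("2021-05-03", "198.51.100.7", "203.0.113.13", 445),
    ("2021-05-02", "198.51.100.9", "203.0.113.10", 22),    # seen once
    ("2021-05-03", "198.51.100.44", "203.0.113.10", 23),   # seen once
    # 10.0.0.5 is an internal host that suddenly contacts many targets
    *[("2021-05-03", "10.0.0.5", f"203.0.113.{i}", 445) for i in range(20, 45)],
    ("2021-05-03", "10.0.0.6", "203.0.113.10", 443),       # normal client
]
OBSERVED_DAYS = ["2021-05-01", "2021-05-02", "2021-05-03"]  # assumed window

def scanner_persistence(flows, observed_days, internal_net):
    """For each external source IP, count the distinct days it was seen.
    Returns (fraction seen exactly once, fraction seen every day, days_per_ip)."""
    net = ip_network(internal_net)
    days_per_ip = defaultdict(set)
    for day, src, _, _ in flows:
        if ip_address(src) not in net:          # only external scanners
            days_per_ip[src].add(day)
    total = len(days_per_ip)
    once = sum(1 for d in days_per_ip.values() if len(d) == 1)
    daily = sum(1 for d in days_per_ip.values() if len(d) == len(observed_days))
    return once / total, daily / total, dict(days_per_ip)

def top_scanned_ports(flows, n=3):
    """Most frequently contacted destination ports with their traffic share."""
    counts = Counter(port for _, _, _, port in flows)
    total = sum(counts.values())
    return [(port, cnt / total) for port, cnt in counts.most_common(n)]

def outbound_scan_suspects(flows, internal_net, min_targets=20):
    """Flag internal hosts that contact an unusually large number of distinct
    (dst_ip, dst_port) pairs on one day. A known host that suddenly starts
    scanning is the compromise indicator described in the text."""
    net = ip_network(internal_net)
    targets = defaultdict(set)
    for day, src, dst, port in flows:
        if ip_address(src) in net:
            targets[(day, src)].add((dst, port))
    return {src for (_, src), t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    print(scanner_persistence(FLOWS, OBSERVED_DAYS, "10.0.0.0/8")[:2])
    print(top_scanned_ports(FLOWS))
    print(outbound_scan_suspects(FLOWS, "10.0.0.0/8"))
```

Run over real NetFlow or firewall logs, the persistence ratio separates ephemeral scanners from fixed infrastructure such as the providers named above, and the outbound check is the detection to alert on.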