24 Jan
2023
24 Jan
'23
9:26 p.m.
I was recently seeing a *lot* of scanning traffic from some of these
censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap
like this as an attack yet people and companies think what they are
doing is completely OK. Grrrr.. I imagine a lot of other AMPR subnets
are also getting scanned which I don't think is OK. Maybe we can get
their subnets BLOCKED at the UCSD Internet gateway?
https://support.censys.io/hc/en-us/articles/360043177092-from-faq
--David
KI6ZHD
24 Jan
24 Jan
9:33 p.m.
I actually thought Censys (and others like Shodan) were already blocked?
Maybe they changed IP ranges. If so, blocking hosts like this may be a concern for
IPs/hosts/ASN reaching us now or in the future.
(Although I don't agree, because when I use such sites, I notice data on my hosts are
missing. Nonetheless, I understand it takes bandwidth from AMPRGW and others.)
73,
- LynwoodKB3VWG
9:40 p.m.
May I add other scanners to this list:
176.111.174.64/26 - changway.hk Chang Way Technologies Co. Limited
185.180.143.0/25 - internet-census.org NSEC - Sistemas Informaticos, S.A.
193.163.125.128/25 - cyber.casa Constantine Cybersecurity Ltd.
On 24/01/2023 23:26, David Ranch via 44net wrote:
I was recently seeing a *lot* of scanning traffic from some of these
censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap
like this as an attack yet people and companies think what they are
doing is completely OK. Grrrr.. I imagine a lot of other AMPR subnets
are also getting scanned which I don't think is OK. Maybe we can get
their subnets BLOCKED at the UCSD Internet gateway?
https://support.censys.io/hc/en-us/articles/360043177092-from-faq
--David
KI6ZHD
_______________________________________________
44net mailing list --44net(a)mailman.ampr.org
To unsubscribe send an email to44net-leave(a)mailman.ampr.org
9:49 p.m.
Did anything bad happen? If not, then. No big deal. Many sites, probably tens of thousands
scan throughout the Internet continuously. Life in the big city.
—
Dave K9DC, K9IP
On Jan 24, 2023, at 16:26, David Ranch via 44net
<44net(a)mailman.ampr.org> wrote:
I was recently seeing a *lot* of scanning traffic from some of these censys-scanner.com
IPs on my AMPR subnet. Personally, I consider crap like this as an attack yet people and
companies think what they are doing is completely OK. Grrrr.. I imagine a lot of other
AMPR subnets are also getting scanned which I don't think is OK. Maybe we can get
their subnets BLOCKED at the UCSD Internet gateway?
https://support.censys.io/hc/en-us/articles/360043177092-from-faq
--David
KI6ZHD
9:51 p.m.
It is relatively easy to autoblock such scanners at a gateway due to the large address
space that we have, and its relatively sparse use.
Once you notice a lot of incoming traffic on unallocated subnets, you know it is from a
scanner.
Rob
On 1/24/23 22:26, David Ranch via 44net wrote:
I was recently seeing a *lot* of scanning traffic from some of these censys-scanner.com
IPs on my AMPR subnet. Personally, I consider crap like this as an attack yet people and
companies think what they are doing is completely OK. Grrrr.. I imagine a lot of other
AMPR subnets are also getting scanned which I don't think is OK. Maybe we can get
their subnets BLOCKED at the UCSD Internet gateway?
10:26 p.m.
As someone who uses censys scans a lot when doing research, I'd be very
sad to see more networks blocking censys (or wasting effort blocking
port scans in general). I'm in network security and I don't bother to
block these, even. Unless it's actually interfering in some way with
your operations, it is completely harmless and allows us to answer
questions about what kinds of things people are doing with the Internet.
On 2023-01-24 13:51, Rob PE1CHL via 44net wrote:
It is relatively easy to autoblock such scanners at a
gateway due to
the large address space that we have, and its relatively sparse use.
Once you notice a lot of incoming traffic on unallocated subnets, you
know it is from a scanner.
Rob
On 1/24/23 22:26, David Ranch via 44net wrote:
I was recently seeing a *lot* of scanning traffic from some of these
censys-scanner.com IPs on my AMPR subnet. Personally, I consider
crap like this as an attack yet people and companies think what they
are doing is completely OK. Grrrr.. I imagine a lot of other AMPR
subnets are also getting scanned which I don't think is OK. Maybe we
can get their subnets BLOCKED at the UCSD Internet gateway?
_______________________________________________
44net mailing list --44net(a)mailman.ampr.org
To unsubscribe send an email to44net-leave(a)mailman.ampr.org 
10:41 p.m.
On Tue, 24 Jan 2023, Falcon Darkstar Momot via 44net wrote:
As someone who uses censys scans a lot when doing
research, I'd be very
sad to see more networks blocking censys (or wasting effort blocking
port scans in general).
They ALL need to lift their game IMO.
Unless it's actually interfering in some way with
your operations,
That's not the point.
it is completely harmless
It is not "completely harmless".
and allows us to answer questions about what
kinds of things people are doing with the Internet.
And that's not enough justification.
I consider these scans to be "electronic tresspass".
I'm sure we all like having access to google maps to find things and
navigate.
I'm sure many of us like using streetview from time to time.
I'm also sure most of us here use these for legitimate, reasonable,
intended uses.
How about when a bunch of people turn up at your house with cameras,
mapping equipment, LIDAR, drones, thermal cameras and go traipsing through
your yard, poking in windows etc seeing "what stuff you've got"?
Oh, I'm sure it'd "useful" information - trying to work out what your
insurance premiums should be, or how wealthy your suburb is, or how good
your homes insulation is etc, but damn, it's more than a little bit rude
and obtrusive, utterly regardless of any "benefits" (real or perceived).
Scanners are the same. What gives them the right to probe every port and
every protocol for every IP address I've got? NONE, that's what.
And as to "does no harm" - I have lots of VERY low power microcontrollers
that have a need to be reached by arbitary devices "out there" on the
internet, but which have no capacity to be bombarded by dozens of packets
a second, much less the hundreds or thousands per second I've seen from
SOME scanners. And yes, it DOES do harm. These poor little things either
shut down, or run out of stored power, or stop responding to LEGITIMATE
requests because they're overwhelmed with unwanted and unauthorised
"hostile" traffic.
Perhaps not in YOUR pert of the world, but in lots of OTHER places, we
either pay per byte for data, or have limited data - and these thieves are
taking our resources WITHOUT our permission.
Sure, some of us have put firewalls etc in front of our networks to
protect them, but why should we HAVE to? And how about all those devices
on other peoples networks (particularly cellular networks) where it's not
possible or practical to do so?
No, I cannot agree that these constant scans are either harmless, OR
beneficial.
RossW
25 Jan
25 Jan
9:33 a.m.
The main problem I have with those services is that there are so many of them.
It may well be that there is some purpose in having research data available for some
purposes, but at this time the amount of traffic for all that scanning from all those
different companies and individuals that do it causes more traffic then the actual useful
traffic by the users.
When we would route that all into our radio network, it would overwhelm the network.
If it would be only a single service that would be scanning at a responsible rate, I would
have less of a problem with it.
Rob
On 1/24/23 23:26, Falcon Darkstar Momot via 44net wrote:
As someone who uses censys scans a lot when doing research, I'd be very sad to see
more networks blocking censys (or wasting effort blocking port scans in general). I'm
in network security and I don't bother to block these, even. Unless it's actually
interfering in some way with your operations, it is completely harmless and allows us to
answer questions about what kinds of things people are doing with the Internet.
On 2023-01-24 13:51, Rob PE1CHL via 44net wrote:
> It is relatively easy to autoblock such scanners at a gateway due to the large
address space that we have, and its relatively sparse use.
> Once you notice a lot of incoming traffic on unallocated subnets, you know it is from
a scanner.
>
> Rob
8:45 p.m.
On Tue, Jan 24, 2023 at 1:51 PM Rob PE1CHL via 44net <44net(a)mailman.ampr.org>
wrote:
It is relatively easy to autoblock such scanners at a
gateway due to the
large address space that we have, and its relatively sparse use.
Once you notice a lot of incoming traffic on unallocated subnets, you know
it is from a scanner.
We do this for HamWAN's (BGP-announced) address space. We have a couple
intentionally-dark IP addresses, and if the edge routers detect packets
destined to these addresses, the source gets blocked in the firewall.
Our reasoning is something I haven't seen addressed in this thread yet.
Beyond the edge routers, there are parts of the network that transmit on
amateur radio. As control operators of this network, we have an obligation
to ensure that regulations are followed as closely as possible. These
scanners are traffic not initiated by an amateur radio operator, so we try
to block them from reaching the part of the network that uses radio.
Tom KD7LXL
8:56 p.m.
Not to hijack, but related to blocking scans, I am part of a community project to block
bad actors via BGP. Currently we are advertising several thousand /32s detected doing SSH
attempts. More to come in the future but if anyone is interested check out
www.projectton.com<http://www.projectton.com> you can also do CC blocking via BGP
and BOGONS.
-Colin / VA6CCB
From: Tom Hayward via 44net <44net(a)mailman.ampr.org>
Reply-To: Tom Hayward <esarfl(a)gmail.com>
Date: Wednesday, January 25, 2023 at 1:46 PM
To: "44net(a)mailman.ampr.org" <44net(a)mailman.ampr.org>
Subject: [44net] Re: Request: Blocking censys-scanner.com scans on AMPR subnets
On Tue, Jan 24, 2023 at 1:51 PM Rob PE1CHL via 44net
<44net@mailman.ampr.org<mailto:44net@mailman.ampr.org>> wrote:
It is relatively easy to autoblock such scanners at a gateway due to the large address
space that we have, and its relatively sparse use.
Once you notice a lot of incoming traffic on unallocated subnets, you know it is from a
scanner.
We do this for HamWAN's (BGP-announced) address space. We have a couple
intentionally-dark IP addresses, and if the edge routers detect packets destined to these
addresses, the source gets blocked in the firewall.
Our reasoning is something I haven't seen addressed in this thread yet. Beyond the
edge routers, there are parts of the network that transmit on amateur radio. As control
operators of this network, we have an obligation to ensure that regulations are followed
as closely as possible. These scanners are traffic not initiated by an amateur radio
operator, so we try to block them from reaching the part of the network that uses radio.
Tom KD7LXL
24 Jan
24 Jan
11:47 p.m.
I actually find the censys data useful. We have a /20 from ARIN and I
periodically look at what censys shows to see how the space is being
used or if we have some services that are showing up that shouldn't be.
Tim
On 1/24/23 1:26 PM, David Ranch via 44net wrote:
I was recently seeing a *lot* of scanning traffic from some of these
censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap
like this as an attack yet people and companies think what they are
doing is completely OK. Grrrr.. I imagine a lot of other AMPR subnets
are also getting scanned which I don't think is OK. Maybe we can get
their subnets BLOCKED at the UCSD Internet gateway?
https://support.censys.io/hc/en-us/articles/360043177092-from-faq
--David
KI6ZHD
25 Jan
25 Jan
1:08 a.m.
It's interesting to see the variety in responses to my email on both the
AMPR list and unicasted to me. From my perspective, I think it's
totally required for people running servers exposed to the Internet to
scan them and make sure they are only exposing what they expect. That
said, IMHO, those scans should *only* be run by be, at a rate I'm
expecting it, and when I expect it. This level of security detail is
arguably no one else's business. I like some of the "exetreme"
analogies that vk2dgy came up where someone is essentially turning every
doorknob, trying every window, etc. just to see if I missed something.
By companies exposing all this this information publicly, they are
enabling bad actors to attack found misconfigured / possibly vulnerable
systems for malice, profit, etc. This is total crap and only makes the
Internet a more dangerous place.
Why did I personally notice this scanning traffic the other day? I have
my AMPR systems on a physically separate network switch so I can "see
the traffic" and just glancing at tit, I could tell it's
packet-per-second (PPS) rate was VERY high. I didn't measure it but it
was easily in the >100 PPS rate which was highly unusual. Yes, some
people will say "Welcome to the Internet... get used to it". That sucks
but I can't say I shouldn't expect that. What I can say is I DON'T
expect this on my AMPR tunnel. I don't think I should expect these
kinds of scans or any other form of common Internet spam on my AMPR
tunnel. Yes, I do have my IP listed in AMPR DNS which also tells the
UCSD AMPR GW to forward any Internet sourced Internet traffic to my IP.
I realize I can remove my AMPR IP from DNS to "fix" this but I find DNS
to be very useful. I also find having Internet access to my AMPR host
is occasionally useful as well but maybe I should just block the UCSD
AMPR IP address for everything except RIP updates.
--David
KI6ZHD
On 01/24/2023 03:47 PM, Tim Požar via 44net wrote:
I actually find the censys data useful. We have a /20
from ARIN and I
periodically look at what censys shows to see how the space is being
used or if we have some services that are showing up that shouldn't be.
Tim
On 1/24/23 1:26 PM, David Ranch via 44net wrote:
I was recently seeing a *lot* of scanning traffic from some of these
censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap
like this as an attack yet people and companies think what they are
doing is completely OK. Grrrr.. I imagine a lot of other AMPR
subnets are also getting scanned which I don't think is OK. Maybe we
can get their subnets BLOCKED at the UCSD Internet gateway?
https://support.censys.io/hc/en-us/articles/360043177092-from-faq
--David
KI6ZHD
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
1:40 a.m.
The only reason I made my comments because I actually work for an ISP. It's quite
uncommon for us to block traffic out-of-hand.
E.G. - in 44-chat, we have discussed some of an actual malware/possible-APT on a node
testing us from the AMPRNet-side of the connection, yet we have a discussion of valid IPs
doing known research. I agree firewalling is an important practice. (It's a good time
to note the late B. Kantor, SK also suggests not running honeypots, as they respond to
traffic sometimes).
While nodes with DNS entries see no traffic, the requests still inundate the UCSD-Internet
facing side of the AMPRGW 10 Gbps interface - blocking doesn't stop that. Those
running servers should use best-practices.
e.g. I was being hit with someone trying to send spoofed TCP (something...it was a
reflected DDOS)ACKs. This TCP Retry response is on the Kernel level. This is just one
example. I recorded this in the Level 3 OpenWrt forum, I think I can make it level 2 and
share the link.
73,
- LynwoodKB3VWG
5:01 a.m.
Opt Out of Data Collection – Censys
<https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Data-Collection>
On Tue, Jan 24, 2023 at 8:41 PM lleachii--- via 44net <
44net(a)mailman.ampr.org> wrote:
The only reason I made my comments because I actually
work for an ISP.
It's quite uncommon for us to block traffic out-of-hand.
E.G. - in 44-chat, we have discussed some of an actual
malware/possible-APT on a node testing us from the AMPRNet-side of the
connection, yet we have a discussion of valid IPs doing known research. I
agree firewalling is an important practice. (It's a good time to note the
late B. Kantor, SK also suggests not running honeypots, as they respond to
traffic sometimes).
While nodes with DNS entries see no traffic, the requests still inundate
the UCSD-Internet facing side of the AMPRGW 10 Gbps interface - blocking
doesn't stop that. Those running servers should use best-practices.
e.g. I was being hit with someone trying to send spoofed TCP
(something...it was a reflected DDOS)ACKs. This TCP Retry response is on
the Kernel level. This is just one example. I recorded this in the Level 3
OpenWrt forum, I think I can make it level 2 and share the link.
73,
- Lynwood
KB3VWG
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
8:16 p.m.
Opt Out of Data Collection – Censys
<https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Data-Collection>
Ha.. how "cute". Their stated "opt-out" is for the enduser to
configure
firewall BLOCK their network prefixes and not the correct solution of
SKIPPING the scanning of my networks in the first place. Grrrr..
--David
KI6ZHD
467
days inactive
468
days old
14 comments
11 participants
participants (11)
-
Colin Bodor -
Dave Gingrich -
David Ranch -
Falcon Darkstar Momot -
Ian Redden -
lleachii@aol.com -
Marius Petrescu -
Rob PE1CHL -
Ross Wheeler -
Tim Požar -
Tom Hayward