I was recently seeing a *lot* of scanning traffic from some of these censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap like this as an attack yet people and companies think what they are doing is completely OK. Grrrr.. I imagine a lot of other AMPR subnets are also getting scanned which I don't think is OK. Maybe we can get their subnets BLOCKED at the UCSD Internet gateway?
https://support.censys.io/hc/en-us/articles/360043177092-from-faq
--David KI6ZHD
I actually thought Censys (and others like Shodan) were already blocked? Maybe they changed IP ranges. If so, blocking hosts like this may be a concern for IPs/hosts/ASN reaching us now or in the future. (Although I don't agree, because when I use such sites, I notice data on my hosts are missing. Nonetheless, I understand it takes bandwidth from AMPRGW and others.)
73,
- Lynwood KB3VWG
May I add other scanners to this list:
176.111.174.64/26 - changway.hk Chang Way Technologies Co. Limited
185.180.143.0/25 - internet-census.org NSEC - Sistemas Informaticos, S.A.
193.163.125.128/25 - cyber.casa Constantine Cybersecurity Ltd.
On 24/01/2023 23:26, David Ranch via 44net wrote:
I was recently seeing a *lot* of scanning traffic from some of these censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap like this as an attack yet people and companies think what they are doing is completely OK. Grrrr.. I imagine a lot of other AMPR subnets are also getting scanned which I don't think is OK. Maybe we can get their subnets BLOCKED at the UCSD Internet gateway?
https://support.censys.io/hc/en-us/articles/360043177092-from-faq
--David KI6ZHD
44net mailing list -- 44net@mailman.ampr.org To unsubscribe send an email to 44net-leave@mailman.ampr.org
Did anything bad happen? If not, then no big deal. Many sites, probably tens of thousands, scan throughout the Internet continuously. Life in the big city.
— Dave K9DC, K9IP
On Jan 24, 2023, at 16:26, David Ranch via 44net 44net@mailman.ampr.org wrote:
I was recently seeing a *lot* of scanning traffic from some of these censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap like this as an attack yet people and companies think what they are doing is completely OK. Grrrr.. I imagine a lot of other AMPR subnets are also getting scanned which I don't think is OK. Maybe we can get their subnets BLOCKED at the UCSD Internet gateway?
https://support.censys.io/hc/en-us/articles/360043177092-from-faq
--David KI6ZHD
It is relatively easy to autoblock such scanners at a gateway due to the large address space that we have, and its relatively sparse use. Once you notice a lot of incoming traffic on unallocated subnets, you know it is from a scanner.
Rob
On 1/24/23 22:26, David Ranch via 44net wrote:
I was recently seeing a *lot* of scanning traffic from some of these censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap like this as an attack yet people and companies think what they are doing is completely OK. Grrrr.. I imagine a lot of other AMPR subnets are also getting scanned which I don't think is OK. Maybe we can get their subnets BLOCKED at the UCSD Internet gateway?
As someone who uses censys scans a lot when doing research, I'd be very sad to see more networks blocking censys (or wasting effort blocking port scans in general). I'm in network security and I don't bother to block these, even. Unless it's actually interfering in some way with your operations, it is completely harmless and allows us to answer questions about what kinds of things people are doing with the Internet.
On 2023-01-24 13:51, Rob PE1CHL via 44net wrote:
It is relatively easy to autoblock such scanners at a gateway due to the large address space that we have, and its relatively sparse use. Once you notice a lot of incoming traffic on unallocated subnets, you know it is from a scanner.
Rob
On 1/24/23 22:26, David Ranch via 44net wrote:
I was recently seeing a *lot* of scanning traffic from some of these censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap like this as an attack yet people and companies think what they are doing is completely OK. Grrrr.. I imagine a lot of other AMPR subnets are also getting scanned which I don't think is OK. Maybe we can get their subnets BLOCKED at the UCSD Internet gateway?
On Tue, 24 Jan 2023, Falcon Darkstar Momot via 44net wrote:
As someone who uses censys scans a lot when doing research, I'd be very sad to see more networks blocking censys (or wasting effort blocking port scans in general).
They ALL need to lift their game IMO.
Unless it's actually interfering in some way with your operations,
That's not the point.
it is completely harmless
It is not "completely harmless".
and allows us to answer questions about what kinds of things people are doing with the Internet.
And that's not enough justification.
I consider these scans to be "electronic trespass". I'm sure we all like having access to Google Maps to find things and navigate. I'm sure many of us like using Street View from time to time. I'm also sure most of us here use these for legitimate, reasonable, intended uses.
How about when a bunch of people turn up at your house with cameras, mapping equipment, LIDAR, drones, thermal cameras and go traipsing through your yard, poking in windows etc. seeing "what stuff you've got"? Oh, I'm sure it'd be "useful" information - trying to work out what your insurance premiums should be, or how wealthy your suburb is, or how good your home's insulation is etc., but damn, it's more than a little bit rude and obtrusive, utterly regardless of any "benefits" (real or perceived).
Scanners are the same. What gives them the right to probe every port and every protocol for every IP address I've got? NONE, that's what.
And as to "does no harm" - I have lots of VERY low power microcontrollers that have a need to be reached by arbitrary devices "out there" on the internet, but which have no capacity to be bombarded by dozens of packets a second, much less the hundreds or thousands per second I've seen from SOME scanners. And yes, it DOES do harm. These poor little things either shut down, or run out of stored power, or stop responding to LEGITIMATE requests because they're overwhelmed with unwanted and unauthorised "hostile" traffic.
Perhaps not in YOUR part of the world, but in lots of OTHER places, we either pay per byte for data, or have limited data - and these thieves are taking our resources WITHOUT our permission.
Sure, some of us have put firewalls etc in front of our networks to protect them, but why should we HAVE to? And how about all those devices on other peoples networks (particularly cellular networks) where it's not possible or practical to do so?
No, I cannot agree that these constant scans are either harmless, OR beneficial.
RossW
The main problem I have with those services is that there are so many of them. It may well be that there is some purpose in having research data available for some purposes, but at this time the amount of traffic for all that scanning from all those different companies and individuals that do it causes more traffic than the actual useful traffic by the users. When we would route that all into our radio network, it would overwhelm the network. If it would be only a single service that would be scanning at a responsible rate, I would have less of a problem with it.
Rob
On 1/24/23 23:26, Falcon Darkstar Momot via 44net wrote:
As someone who uses censys scans a lot when doing research, I'd be very sad to see more networks blocking censys (or wasting effort blocking port scans in general). I'm in network security and I don't bother to block these, even. Unless it's actually interfering in some way with your operations, it is completely harmless and allows us to answer questions about what kinds of things people are doing with the Internet.
On 2023-01-24 13:51, Rob PE1CHL via 44net wrote:
It is relatively easy to autoblock such scanners at a gateway due to the large address space that we have, and its relatively sparse use. Once you notice a lot of incoming traffic on unallocated subnets, you know it is from a scanner.
Rob
On Tue, Jan 24, 2023 at 1:51 PM Rob PE1CHL via 44net 44net@mailman.ampr.org wrote:
It is relatively easy to autoblock such scanners at a gateway due to the large address space that we have, and its relatively sparse use. Once you notice a lot of incoming traffic on unallocated subnets, you know it is from a scanner.
We do this for HamWAN's (BGP-announced) address space. We have a couple intentionally-dark IP addresses, and if the edge routers detect packets destined to these addresses, the source gets blocked in the firewall.
Our reasoning is something I haven't seen addressed in this thread yet. Beyond the edge routers, there are parts of the network that transmit on amateur radio. As control operators of this network, we have an obligation to ensure that regulations are followed as closely as possible. These scanners are traffic not initiated by an amateur radio operator, so we try to block them from reaching the part of the network that uses radio.
Tom KD7LXL
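The dark-address autoblock that Rob and Tom describe above (traffic to unallocated space or to intentionally dark hosts marks the source as a scanner), as an added example that is not code from either of them, from HamWAN or from AMPRNet: it parses constructed netfilter LOG lines, counts per-source packets aimed at dark addresses, skips peers that must never be blocked, and renders nft set additions for sources over a threshold. All addresses are RFC 5737 documentation ranges standing in for a real allocation, and the nft table `inet filter` and set `scanners` are assumed names.

```python
import ipaddress
import re
from collections import Counter
# Constructed values (RFC 5737 documentation ranges stand in for a real allocation):
# two intentionally dark hosts and one unallocated /26 inside "our" 198.51.100.0/24.
DARK_NETS = [ipaddress.ip_network(p) for p in
             ("198.51.100.250/32", "198.51.100.251/32", "198.51.100.128/26")]
# Peers never auto-blocked (upstream gateway, own ranges), so one packet with a
# spoofed source address cannot lock out the tunnel endpoint. Assumed value.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)")

def parse_line(line):
    """Return (src, dst) addresses from a netfilter LOG line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])

def in_any(addr, nets):
    return any(addr in n for n in nets)

def dark_hits(lines):
    """Per-source count of packets aimed at dark addresses, skipping protected peers."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and in_any(parsed[1], DARK_NETS) and not in_any(parsed[0], NEVER_BLOCK):
            hits[parsed[0]] += 1
    return hits

def blocklist(lines, threshold=2):
    """Sources with at least `threshold` dark hits; a threshold above one limits
    what a single spoofed packet can do to a legitimate sender."""
    return sorted(str(s) for s, n in dark_hits(lines).items() if n >= threshold)

def nft_commands(sources, table="inet filter", set_name="scanners"):
    """Render nft commands adding the sources to an existing named set (assumed names)."""
    return [f"nft add element {table} {set_name} {{ {s} }}" for s in sources]

# Constructed sample: one scanner sweeps a dark host and the unallocated block,
# one peer talks to a real host, one stray probe, and the upstream router.
SAMPLE_LOG = """\
Jan 24 13:51:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.250 PROTO=TCP SPT=40001 DPT=22
Jan 24 13:51:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.140 PROTO=TCP SPT=40002 DPT=80
Jan 24 13:51:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=443
Jan 24 13:51:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.251 PROTO=UDP SPT=53 DPT=53
Jan 24 13:51:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.1 DST=198.51.100.251 PROTO=UDP SPT=520 DPT=520
""".splitlines()
```

Running `nft_commands(blocklist(SAMPLE_LOG))` yields one command for 203.0.113.5; the single probe from 203.0.113.9 stays below the threshold and the protected router at 192.0.2.1 is ignored.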
Not to hijack, but related to blocking scans, I am part of a community project to block bad actors via BGP. Currently we are advertising several thousand /32s detected doing SSH attempts. More to come in the future but if anyone is interested check out http://www.projectton.com you can also do CC blocking via BGP and BOGONS. -Colin / VA6CCB
From: Tom Hayward via 44net 44net@mailman.ampr.org Reply-To: Tom Hayward esarfl@gmail.com Date: Wednesday, January 25, 2023 at 1:46 PM To: "44net@mailman.ampr.org" 44net@mailman.ampr.org Subject: [44net] Re: Request: Blocking censys-scanner.com scans on AMPR subnets
On Tue, Jan 24, 2023 at 1:51 PM Rob PE1CHL via 44net <44net@mailman.ampr.org> wrote: It is relatively easy to autoblock such scanners at a gateway due to the large address space that we have, and its relatively sparse use. Once you notice a lot of incoming traffic on unallocated subnets, you know it is from a scanner.
We do this for HamWAN's (BGP-announced) address space. We have a couple intentionally-dark IP addresses, and if the edge routers detect packets destined to these addresses, the source gets blocked in the firewall.
Our reasoning is something I haven't seen addressed in this thread yet. Beyond the edge routers, there are parts of the network that transmit on amateur radio. As control operators of this network, we have an obligation to ensure that regulations are followed as closely as possible. These scanners are traffic not initiated by an amateur radio operator, so we try to block them from reaching the part of the network that uses radio.
Tom KD7LXL
I actually find the censys data useful. We have a /20 from ARIN and I periodically look at what censys shows to see how the space is being used or if we have some services that are showing up that shouldn't be.
Tim
On 1/24/23 1:26 PM, David Ranch via 44net wrote:
I was recently seeing a *lot* of scanning traffic from some of these censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap like this as an attack yet people and companies think what they are doing is completely OK. Grrrr.. I imagine a lot of other AMPR subnets are also getting scanned which I don't think is OK. Maybe we can get their subnets BLOCKED at the UCSD Internet gateway?
https://support.censys.io/hc/en-us/articles/360043177092-from-faq
--David KI6ZHD
It's interesting to see the variety in responses to my email on both the AMPR list and unicasted to me. From my perspective, I think it's totally required for people running servers exposed to the Internet to scan them and make sure they are only exposing what they expect. That said, IMHO, those scans should *only* be run by me, at a rate I'm expecting, and when I expect it. This level of security detail is arguably no one else's business. I like some of the "extreme" analogies that vk2dgy came up with where someone is essentially turning every doorknob, trying every window, etc. just to see if I missed something. By companies exposing all this information publicly, they are enabling bad actors to attack found misconfigured / possibly vulnerable systems for malice, profit, etc. This is total crap and only makes the Internet a more dangerous place.
Why did I personally notice this scanning traffic the other day? I have my AMPR systems on a physically separate network switch so I can "see the traffic" and just glancing at it, I could tell its packet-per-second (PPS) rate was VERY high. I didn't measure it but it was easily in the >100 PPS rate which was highly unusual. Yes, some people will say "Welcome to the Internet... get used to it". That sucks but I can't say I shouldn't expect that. What I can say is I DON'T expect this on my AMPR tunnel. I don't think I should expect these kinds of scans or any other form of common Internet spam on my AMPR tunnel. Yes, I do have my IP listed in AMPR DNS which also tells the UCSD AMPR GW to forward any Internet sourced Internet traffic to my IP.
I realize I can remove my AMPR IP from DNS to "fix" this but I find DNS to be very useful. I also find having Internet access to my AMPR host is occasionally useful as well but maybe I should just block the UCSD AMPR IP address for everything except RIP updates.
--David KI6ZHD
On 01/24/2023 03:47 PM, Tim Požar via 44net wrote:
I actually find the censys data useful. We have a /20 from ARIN and I periodically look at what censys shows to see how the space is being used or if we have some services that are showing up that shouldn't be.
Tim
On 1/24/23 1:26 PM, David Ranch via 44net wrote:
I was recently seeing a *lot* of scanning traffic from some of these censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap like this as an attack yet people and companies think what they are doing is completely OK. Grrrr.. I imagine a lot of other AMPR subnets are also getting scanned which I don't think is OK. Maybe we can get their subnets BLOCKED at the UCSD Internet gateway?
https://support.censys.io/hc/en-us/articles/360043177092-from-faq
--David KI6ZHD
The only reason I made my comments is because I actually work for an ISP. It's quite uncommon for us to block traffic out-of-hand. E.g. - in 44-chat, we have discussed some of an actual malware/possible-APT on a node testing us from the AMPRNet side of the connection, yet we have a discussion of valid IPs doing known research. I agree firewalling is an important practice. (It's a good time to note the late B. Kantor, SK also suggests not running honeypots, as they respond to traffic sometimes).
While nodes with DNS entries see no traffic, the requests still inundate the UCSD-Internet facing side of the AMPRGW 10 Gbps interface - blocking doesn't stop that. Those running servers should use best practices. E.g. I was being hit with someone trying to send spoofed TCP (something... it was a reflected DDoS) ACKs. This TCP retry response is on the kernel level. This is just one example. I recorded this in the Level 3 OpenWrt forum, I think I can make it level 2 and share the link.
73,
- Lynwood KB3VWG
Opt Out of Data Collection – Censys https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Data-Collection
On Tue, Jan 24, 2023 at 8:41 PM lleachii--- via 44net < 44net@mailman.ampr.org> wrote:
The only reason I made my comments is because I actually work for an ISP. It's quite uncommon for us to block traffic out-of-hand.
E.G. - in 44-chat, we have discussed some of an actual malware/possible-APT on a node testing us from the AMPRNet-side of the connection, yet we have a discussion of valid IPs doing known research. I agree firewalling is an important practice. (It's a good time to note the late B. Kantor, SK also suggests not running honeypots, as they respond to traffic sometimes).
While nodes with DNS entries see no traffic, the requests still inundate the UCSD-Internet facing side of the AMPRGW 10 Gbps interface - blocking doesn't stop that. Those running servers should use best-practices.
E.g. I was being hit with someone trying to send spoofed TCP (something... it was a reflected DDoS) ACKs. This TCP retry response is on the kernel level. This is just one example. I recorded this in the Level 3 OpenWrt forum, I think I can make it level 2 and share the link.
73,
- Lynwood
KB3VWG
Opt Out of Data Collection – Censys https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Data-Collection
Ha.. how "cute". Their stated "opt-out" is for the end user to configure a firewall to BLOCK their network prefixes and not the correct solution of SKIPPING the scanning of my networks in the first place. Grrrr..
--David KI6ZHD