
SANS ISC: InfoSec Handlers Diary Blog



What's the deal with openportstats.com?

Published: 2020-12-21
Last Updated: 2020-12-22 14:56:59 UTC
by Rick Wanner (Version: 2)
4 comment(s)

Over the last few months a few groups I am involved with have been discussing openportstats.com. They first came to my attention in May of 2020. At that time a number of ISPs reported attempted DoS by IPs in Russia (ASN202425). The volume of traffic was not really big enough to do any harm, but in some cases the volume of network traffic was causing issues for some devices and causing congestion on some low-speed links.

In July the traffic reappeared. 

One firewall was showing 330,000 blocked port scan events an hour. With some free time for research, the trail led to the website openportstats.com, a site hosted in France whose operators purport to be IoT researchers. In fact, in late July the ISC added openportstats to our list of known researchers.

Starting in September, the scans became almost continuous.

I recently attempted to contact them using the two email addresses listed on their website, and both emails were returned "server not available". 

I am all for supporting security research, but none of the other various scanners and crawlers which contribute to the background noise of the Internet are causing the level of impact openportstats.com is. Their scans are clumsy and overly aggressive, and given my lack of luck in contacting them, I am having to question the legitimacy of these researchers and their research.

If you have also experienced impact from their scans, or know anyone associated with openportstats.com, I would love to hear about it via comments on this diary or through our contact page.


Update: A reader pointed out that the IPs are not actually in Russia, but rather in the Netherlands. Some of the IP ranges are registered to Russian addresses, but AS204655 and AS202425 are both hosted near Amsterdam by IP Volume Inc, formerly known as Ecatel. Ecatel and its progeny have a somewhat notorious history.


-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
