Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Port Scanners: The Good and The Bad

Published: 2015-09-04
Last Updated: 2015-09-04 13:38:21 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

Every morning, while drinking coffee, one of my daily task is to keep an eye on my logs. Keeping logs is critical to help you to investigate incidents and, sometimes, to prevent some of them. That's why I'm collecting a huge amount of data. Besides miscellaneous tools and scripts, I'm receiving a daily overview of my firewalls traffic via a DShield report. Every days, I see that IP addresses are scanning my network. Today, I went deeper and tried to get the good and the bad from this report. The firewalls protect classic devices and applications (home network, collocated servers, websites and other public services). 

Port scanning is an activity that has always induced debates. The classic question is: "Do we have to take care about port scans?". I already had discussions with peers about this topic and different point of views are always defended. Some people argue that port scanning is a normal activity and it will never decrease. For them, creating incidents related to port scans is way too much time consuming. Others are feeling offended and track them continuously.

Even if you don't track them, port scans must be logged because they can be part of a reconnaissance phase and be followed by a much deeper attack against your infrastructure. It could be useful to use them later as evidences. So, the next question is: can we reduce the noise and filter good VS. bad port scanners?

They are official port scanners operated by companies, non-profit organizations or security researchers. Some examples on top of my list:

  • SHODAN (identified with PTR records: xxxxxx.shodan.io)
  • ShadowServer project (identified with PTR records: scan-xxx.shadowserver.org)
  • Rapid7's Sonar project (IP range: 71.6.216.32/27)

Do you know other Internet scanners like these? Feel free to share them.

Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be

Keywords:
2 comment(s)
ISC StormCast for Friday, September 4th 2015 http://isc.sans.edu/podcastdetail.html?id=4643

If you have more information or corrections regarding our diary, please share.

Recent Diaries

What's the situation this week for Neutrino and Angler EK?
2 days ago by Brad Duncan (0 comments)

How to hack
3 days ago by Daniel (6 comments)

Encryption of "data at rest" in servers
3 days ago by Daniel (0 comments)

Gift card from Marriott?
3 days ago by Daniel (0 comments)

Automating Metrics using RTIR REST API
6 days ago by Tom (0 comments)

Test File: PDF With Embedded DOC Dropping EICAR
1 week ago by DidierStevens (4 comments)

Detecting file changes on Microsoft systems with FCIV
4 decades ago by Xme (14 comments)

Querying the DShield API from RTIR
4 decades ago by Xme (3 comments)

View All Diaries →

Latest Discussions

Hardening OS X Yosemite
created 3 days ago by Xme (2 replies)

dshield blocklist poisoning
created 5 days ago by ktsaou (0 replies)

Which dshield block list should I be using?
created 1 week ago by Anonymous (0 replies)

Encryption at rest, what am I missing?
created 3 weeks ago by CT (10 replies)

MS-ISAC ADVISORY NUMBER:2015-088 Mac OSX zero day
created 4 weeks ago by GeorgeMarkham (1 reply)

View All Forums →

Latest News

View All News →