Scanning the Internet for Vulnerabilities

John Kristoff jtk at dataplane.org
Mon Jun 20 13:28:31 UTC 2022


On Sun, 19 Jun 2022 08:06:59 -0400
Dovid Bender <dovid at telecurve.com> wrote:

> I don't know who is doing it. I just know that IL Cert contacted our
> parent company which has an ISP in Israel when things were "hot".

Some national government infrastructure protection organizations will
relay notifications to local provider networks (e.g., abuse@) based
on reputable third party surveyors (aka network scanner operators).  I
think it is safe to assume this is generally done as a public service,
but perhaps with some mandates to measure and minimize risk within a
country's borders.

Most providers will usually convey the notification in fairly strong
language, usually demanding some sort of response and if applicable,
remediation.  The reports can contain false positives (e.g., when
scanners cannot differentiate between vulnerable systems and honeypots).

It isn't always clear based on the relayed reports who is running the
scans, but in my experience Shadowserver is the most widely used and
cited.  There are of course lots of others running scans.  Commercially,
Greynoise tracks many of them.  A research-based tracker is also
available here:

  <https://gitlab.com/mcollins_at_isi/acknowledged_scanners>

John

