On Mon, Jun 28, 2021 at 07:42:11PM +0300, Nathaniel Ferguson wrote:
I thought I'd add because it seems relevant and this is a pet peeve of my own, but with some notable exceptions-- anymore you can more or less think of a port scan as generally being a network diagnostic of some sort. Most of the stuff that says it's a precursor to an attack is outdated...
I'd say my public facing servers are under constant attack of some level of utility. I.e. my honeypot email servers collect 100k+ connections a day each, that don't have any MX pointing to them; their only sin is being up and listening to port 25. They can't process a single email in or out. My web servers have a constant barrage of accesses that aren't hitting valid URIs. Sometimes they hit on some pattern that starts forming a small DoS on them and I have to go block or auto-block them. The white-hat scanners like Shodan or Shadowserver are a small drop in the bucket compared to the malicious scans that constantly are going on. Perhaps it is easier to find Shodan or Shadowserver as they are fairly consistent and easily identifiable, vs. the constant E2C or other fly-by-night cloud services being abused.