Anyone have an idea how to get HE/ShadowServer.org servers to stop attempting to penetrate the comcast drop at my house? Their website claims altruism.. but my logs don't support that claim. Scott
On Jun 28, 2021, at 5:19 AM, Scott Aldrich <scott.aldrich.us@gmail.com> wrote:
Anyone have an idea how to get HE/ShadowServer.org servers to stop attempting to penetrate the comcast drop at my house? Their website claims altruism.. but my logs don't support that claim.
I have no connection with Shadowserver, and no idea what you’re actually seeing or whether it represents a misconfiguration or bad idea on Shadowserver’s part or not. But as someone who frequently receives brief outraged emails from people who have discovered my insidious plot to infiltrate their recursive nameservers with packets from port 53, I find that sometimes if people use more words to explain what they’re seeing, they find that it isn’t what they at first thought it was. So, using more words, what specifically are you observing, that leads you to believe that Shadowserver is attempting to penetrate your home network? -Bill
On 28/06/2021 06:19, Scott Aldrich wrote:
Anyone have an idea how to get HE/ShadowServer.org servers to stop attempting to penetrate the comcast drop at my house?
Their website claims altruism.. but my logs don't support that claim.
Scott
Scott, Did you look at:
https://www.shadowserver.org/what-we-do/network-reporting/dns-open-resolvers...
https://scan.shadowserver.org/dns/
If you still think they are penetrating you, see their section on blocklisting: "To be removed from this set of scanning you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDRs that you would like to have removed. You will have to be the verifiable owner of these CIDRs and be able to prove that fact. Any address space that is blocklisted will be publicly available here: https://scan.shadowserver.org/dns/exclude.html" Regards, Hank
Shadowserver is constantly doing all kinds of port scanning and penetration attempts globally, and has been for many years. On a residential connection as you describe, have something in place that drops anything from them, and move on with your day. On Mon, Jun 28, 2021 at 8:59 AM Scott Aldrich <scott.aldrich.us@gmail.com> wrote:
Anyone have an idea how to get HE/ShadowServer.org servers to stop attempting to penetrate the comcast drop at my house?
Their website claims altruism.. but my logs don't support that claim.
Scott
On Mon, Jun 28, 2021 at 9:22 AM Tom Beecher <beecher@beecher.cc> wrote:
Shadowserver is constantly doing all kinds of port scanning and penetration attempts globally, and has been for many years.
They conduct probes and queries that are basically routine communications against IP address/port pairs that have been routed on the public internet. There is nothing I have seen / no evidence of Shadowserver specifically ever conducting a penetration attempt or other actual abuse, such as attempting to gain access to computers or data beyond what reports on publicly-accessible services would be, but please do show more details if that could be the case now. There are many parties who do scans and send basic queries for reasons that have nothing to do with penetrating or attempting to penetrate anything -- those are just queries. For example, a DNS query to port 53, in order to detect hosts that have a level of service open to the public like open resolvers, which does not meet the current standard, or is a subset of hosts presenting a high risk to other networks, so that info can be communicated to ISPs and upstream providers to mitigate.
On a residential connection as you describe, have something in place that drops anything from them, and move on with your day.
-- -Jim
On Mon, Jun 28, 2021 at 07:42:11PM +0300, Nathaniel Ferguson wrote:
I thought I'd add because it seems relevant and this is a pet peeve of my own, but with some notable exceptions -- anymore you can more or less think of a port scan as generally being a network diagnostic of some sort. Most of the stuff that says it's a precursor to an attack is outdated...
I'd say my public facing servers are under constant attack of some level of utility. I.e. my honeypot email servers collect 100k+ connections a day each, that don't have any MX pointing to them; their only sin is being up and listening on port 25. They can't process a single email in or out. My web servers have a constant barrage of accesses that aren't hitting valid URIs. Sometimes they hit on some pattern that starts forming a small DoS on them and I have to go block or auto-block them. The white-hat scanners like Shodan or Shadowserver are a small drop in the bucket compared to the malicious scans that are constantly going on. Perhaps it is easier to find Shodan or Shadowserver as they are fairly consistent and easily identifiable, vs. the constant E2C or other fly-by-night cloud services being abused.
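Jim's point that a port 53 or port 25 probe is just a query, and Doug's point that identifiable research scanners are a small share of what hits a public host, both come down to triaging your own logs before deciding something is an attack. The script below is an added example (not from the thread, and not Shadowserver's or anyone's published tooling): it parses constructed iptables-style syslog lines, attributes each source to a labelled CIDR list, and tallies probes per label and per destination port. The scanner range 192.0.2.0/24 is a placeholder; a real deployment would fill `KNOWN_SCANNERS` from the scanner's published source list.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed iptables-style log lines (sample input, not real traffic).
SAMPLE_LOG = """\
Jun 28 05:19:02 gw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=UDP SPT=41230 DPT=53
Jun 28 05:19:05 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=55012 DPT=25
Jun 28 05:19:09 gw kernel: IN=eth0 SRC=198.51.100.8 DST=203.0.113.5 PROTO=TCP SPT=55013 DPT=25
Jun 28 05:20:41 gw kernel: IN=eth0 SRC=192.0.2.11 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22
Jun 28 05:21:00 gw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=55014 DPT=22
Jun 28 05:21:03 gw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=55015 DPT=22
"""

# Hypothetical labelled ranges (placeholder TEST-NET prefix). Populate from the
# scanner's own published list of source addresses; never guess these.
KNOWN_SCANNERS = {
    "research-scanner (placeholder)": [ipaddress.ip_network("192.0.2.0/24")],
}

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def classify_source(src):
    """Map a source address to a scanner label, or 'unattributed'."""
    addr = ipaddress.ip_address(src)
    for label, nets in KNOWN_SCANNERS.items():
        if any(addr in net for net in nets):
            return label
    return "unattributed"


def triage(log_text):
    """Return (probes per label, probes per proto/port broken down by label)."""
    by_label = Counter()
    by_port = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:  # skip lines that are not firewall hits
            continue
        label = classify_source(m["src"])
        by_label[label] += 1
        by_port[f"{m['proto']}/{m['dpt']}"][label] += 1
    return by_label, dict(by_port)


if __name__ == "__main__":
    labels, ports = triage(SAMPLE_LOG)
    print(labels)
    for port, counts in sorted(ports.items()):
        print(port, dict(counts))
```

On the sample input the labelled scanner accounts for two of six hits, and the repeated unattributed source on 22/tcp is the one worth a closer look.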
On Mon, Jun 28, 2021 at 2:02 PM Doug McIntyre <merlyn@geeks.org> wrote:
I'd say my public facing servers are under constant attack of some level of utility.
I.e. my honeypot email servers collect 100k+ connections a day each, that don't have any MX pointing to them; their only sin is being up and listening on port 25. They can't process a single email in or out.
...the way I know to check if my DNS, SSH, or SMTP daemons have died and need to be restarted is if the steady stream of syslog messages from probes suddenly goes quiet. I thought it was rather nice of the Internet to provide 24/7 distributed service availability monitoring for me. No more having to pay Keynote to poke my ports every 15 minutes! ;) Matt
On Mon, Jun 28, 2021 at 12:04 PM Jean St-Laurent <jean@ddostest.me> wrote:
What is the difference between shodan.io and shadowserver.org ?
In what regard? Both of those conduct frequent scans of the IPv4 internet. Neither of them attacks nor penetrates. The former may be a more tailored scan. Shodan's a for-profit site that provides access to general data from their scans about any hosts/networks on the internet to anybody who wants to search their data and pays for a subscription. Shadowserver's a non-profit.. costs $0 for the ISP to subscribe to their reports, which it generates on certain issues specifically against botnets, malware, DDoS risks; they distribute to the IP block owners on a need-to-know basis.
Jean -- -Jim
On Mon, 2021-06-28 at 13:04 -0400, Jean St-Laurent via NANOG wrote:
What is the difference between shodan.io and shadowserver.org ?
At least in theory, for the former anyone that pays for the service (or employs free credit) has access to the scan data, whereas for the latter, only the responsible organization for the network prefixes gets the scan results. Thanks, -- Fernando Gont Director of Information Security EdgeUno, Inc. PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
On Sun, 2021-06-27 at 23:19 -0400, Scott Aldrich wrote:
Anyone have an idea how to get HE/ShadowServer.org servers to stop attempting to penetrate the comcast drop at my house?
Their website claims altruism.. but my logs don't support that claim.
In theory (at least), your ISP asked for it. Thanks, -- Fernando Gont Director of Information Security EdgeUno, Inc. PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
On 6/28/21 07:27, Fernando Gont via NANOG wrote:
In theory (at least), your ISP asked for it.
It appears to be opt-out. I don't think his ISP asked for it at all. His ISP just hasn't asked them to stop. -- Jay Hennigan - jay@west.net Network Engineering - CCIE #7880 503 897-8550 - WB6RDV
participants (11): Bill Woodcock, Doug McIntyre, Fernando Gont, Hank Nussbacher, Jay Hennigan, Jean St-Laurent, Jim, Matthew Petach, Nathaniel Ferguson, Scott Aldrich, Tom Beecher