Aug 2, 2012

Critical Research Conducting Internet Wide Port Scans

The other day I was minding my own business when I started getting a few alerts from my intrusion detection system (IDS) about a possible port scan. The ports the attacker was scanning were 3306, 21, 110, 22, and 8080. A reverse lookup on the IP address pointed to the domain Critical.io.


I decided to check out their page and I found a letter laying out Critical Research's plans. Here is an excerpt:


This system is coordinating an internet-wide survey of open TCP ports, service banners, SNMP system descriptions, MDNS responders, UPNP endpoints, and NetBIOS name queries. The results of this survey will be used to uncover systematic vulnerabilities in the equipment provided by ISPs to their customers. My goal is to collect this information, determine which ISPs are exposing their customers to internet-based attacks, and contact those ISPs with my findings. If you would like to have your network excluded from this scan, please send an email to admin@critical.io. Please include a list of netblocks or at the least the domain name or ASN that you would like excluded. If you are concerned about what an attacker can discover about your network using these types of probes, there are great free tools such as Metasploit and Nmap that can be used to gather this information on your own.

Here is a list of IP addresses used by Critical.io for the scans if you want to actively block them on your firewall:

  • 184.154.42.194 (critical.io)
  • 69.175.126.170 (urchin.critical.io)
  • 173.236.44.98 (crawler.critical.io)
  • 69.175.54.106 (ping01.critical.io)
  • 173.236.30.122 (ping02.critical.io)
  • 96.127.150.218 (ping03.critical.io) 
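
One way to reproduce this kind of port-scan alert from firewall logs, as an added example (not code from the original post or from Critical.io): it flags any source that touches several distinct TCP ports within a short window and labels it against the addresses listed above. The log layout, the threshold of four ports in 60 seconds, the function names, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Scanner addresses exactly as listed in the post.
CRITICAL_IO = {
    "184.154.42.194": "critical.io", "69.175.126.170": "urchin.critical.io",
    "173.236.44.98": "crawler.critical.io", "69.175.54.106": "ping01.critical.io",
    "173.236.30.122": "ping02.critical.io", "96.127.150.218": "ping03.critical.io",
}

# Constructed sample log (assumed iptables-LOG-like layout; 203.0.113.10 is "us").
SAMPLE_LOG = """\
2012-08-01T10:00:01 SRC=69.175.54.106 DST=203.0.113.10 PROTO=TCP DPT=3306
2012-08-01T10:00:02 SRC=69.175.54.106 DST=203.0.113.10 PROTO=TCP DPT=21
2012-08-01T10:00:02 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=22
2012-08-01T10:00:03 SRC=69.175.54.106 DST=203.0.113.10 PROTO=TCP DPT=110
2012-08-01T10:00:04 SRC=69.175.54.106 DST=203.0.113.10 PROTO=TCP DPT=22
2012-08-01T10:00:06 SRC=69.175.54.106 DST=203.0.113.10 PROTO=TCP DPT=8080
2012-08-01T10:05:00 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP DPT=21
2012-08-01T12:05:00 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP DPT=22
2012-08-01T14:05:00 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP DPT=110
2012-08-01T16:05:00 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP DPT=8080
"""

LINE_RE = re.compile(r"^(\S+) .*?\bSRC=(\S+) .*?\bPROTO=TCP\b.*?\bDPT=(\d+)")

def find_scanners(log_text, min_ports=4, window=timedelta(seconds=60)):
    """Return {src: sorted ports} for sources that hit at least min_ports
    distinct destination ports inside any window of the given length."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(3))))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

def report(log_text):
    """Map each flagged source to (hostname from the post's list or 'unknown source', ports)."""
    return {src: (CRITICAL_IO.get(src, "unknown source"), ports)
            for src, ports in find_scanners(log_text).items()}
```

On the constructed sample, only the rapid five-port sweep is flagged; the source that touches the same kinds of ports hours apart stays under the threshold unless the window is widened.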

I usually don't mind ethical hackers conducting research, but I prefer they do it in a lab environment, and don't affect my production web services. What do you think about this? Are you going to block these guys, or shoot them an email to request that they add you to their exception list? Am I wrong for not wanting them to scan my network? Let me know what you think in the comments.


