Censys Port Scanning Domestic ISPs

IT Troll · 9 Jul 2021 at 15:40

I noticed some strange traffic in my logs and identified that it was a company called Censys who were port scanning me on a daily basis. Apparently they scan 3,552 ports across the whole public IP space, which includes home users on domestic ISPs. They are attempting to identify and log any services you might be running. This includes web, databases, IoT, remote access, file-sharing, crypto, and gaming.

You can enter your router's WAN IP into this search to see what they have discovered.
https://search.censys.io/

The legality of port scanning is a tricky area, especially when crossing international borders. However, the behaviour of Censys is certainly contrary to good etiquette guidance. Remember that in GDPR terms your IP address is personal data.

To "opt out" of this intrusive behaviour you need to configure your router/firewall to drop traffic from the following subnets:

74.120.14.0/24
162.142.125.0/24
167.248.133.0/24
192.35.168.0/23

Buffalo2102 · 9 Jul 2021 at 17:38

Thanks for posting this. Lots of information on there for my public IP which doesn't worry me particularly but I'd rather they didn't have ready access to see what I'm doing with my home network. I'm struggling to see how to drop traffic with my router though so I may have to do it on the individual hosts - what a pain.

ED209 · 9 Jul 2021 at 18:10

Is this possible to do on the SH3?

IT Troll · 9 Jul 2021 at 18:12

Buffalo2102 said:
I'm struggling to see how to drop traffic with my router

It will depend on the router. On mine it is Incoming IP Filtering. But some may not have an equivalent.

ED209 · 9 Jul 2021 at 18:53

Tried the site on my public IP and I get no results back, guess it means it cannot find anything?

Basic Information
Protocols
no publicly accessible services

Avalon · 10 Jul 2021 at 01:38

IT Troll said:
I noticed some strange traffic in my logs and identified that it was a company called Censys who were port scanning me on a daily basis. Apparently they scan 3,552 ports across the whole public IP space, which includes home users on domestic ISPs. They are attempting to identify and log any services you might be running. This includes web, databases, IoT, remote access, file-sharing, crypto, and gaming.

You can enter your router's WAN IP into this search to see what they have discovered.
https://search.censys.io/

The legality of port scanning is a tricky area, especially when crossing international borders. However, the behaviour of Censys is certainly contrary to good etiquette guidance. Remember that in GDPR terms your IP address is personal data.

To "opt out" of this intrusive behaviour you need to configure your router/firewall to drop traffic from the following subnets:

74.120.14.0/24

162.142.125.0/24

167.248.133.0/24

192.35.168.0/23

This is like when your friend is the last person to find out about something that is widely known, but feels the need to try and tell everyone. Wait till you discover Shodan.

As you managed to navigate to the opt out page to copy/paste the details here, presumably you also noticed that it’s a University of Michigan project? It’s not nefarious or a bad actor, it’s a tool like Shodan (lifetime subscriber here) that has legitimate uses, but like most things it can be abused. It’s certainly not subject to GDPR as it’s US based and isn’t breaching any established etiquette as you imply. If you actually look at what scans you, it’s happening constantly, usually by people who aren’t doing it for legitimate reasons.

Rroff · 10 Jul 2021 at 03:52

Or the good old GRC ShieldsUP! heh.

MrRockliffe · 10 Jul 2021 at 04:03

Avalon said:
It’s certainly not subject to GDPR as it’s US based and isn’t breaching any established etiquette as you imply.

If it’s collecting information from EU residents and transferring it to the US, would that not make them liable?

In the same way that any US companies with a presence in the EU must comply with cookie and privacy regulations

On Holiday · 10 Jul 2021 at 06:42

An IP address alone cannot be used to directly or indirectly identify an individual. Thus a GDPR complaint in relation to storing ONLY IP addresses certainly will not have a standing. This has been well documented in court cases where cases or claims have only been upheld where the data processor had other personally identifiable information.

In the case of port scanning for vulnerabilities, it can be classed fairly as a task performed for public interest and as such is permitted to be processed and stored under GDPR guidelines.

US entities are indeed subject to GDPR when processing EU citizen data depending on how the data is gained.
However, like DMCA has virtually no standing in the UK/EU, US companies can't have fines upheld against them for GDPR breaches.

IT Troll · 10 Jul 2021 at 09:11

Avalon said:
This is like when your friend is the last person to find out about something that is widely known, but feels the need to try and tell everyone. Wait till you discover Shodan.

As you managed to navigate to the opt out page to copy/paste the details here, presumably you also noticed that it’s a University of Michigan project? It’s not nefarious or a bad actor, it’s a tool like Shodan (lifetime subscriber here) that has legitimate uses, but like most things it can be abused. It’s certainly not subject to GDPR as it’s US based and isn’t breaching any established etiquette as you imply. If you actually look at what scans you, it’s happening constantly, usually by people who aren’t doing it for legitimate reasons.

Widely known but never spoken about? I searched and found no mention of Censys here. Whilst they may have begun as an academic research project you will have seen that it is now a commercial company selling their tools and dataset. The legality of port scanning has been challenged in court and there are good etiquette/ethics guidelines which include seeking permission first, limiting the scope of the scan and only performing a simple ping scan.

Censys are routinely scanning several thousand ports across the whole public IP range on a daily basis. They perform a range of extended API calls against non-standard ports in order to detect running services (this is what triggered in my logs). They make any captured data available publicly via an open search. I would argue this makes them more intrusive than other port scanning services.

IT Troll · 10 Jul 2021 at 09:24

On Holiday said:
Thus a GDPR complaint in relation to storing ONLY IP addresses certainly will not have a standing.

They are storing and publishing anything else they can capture/determine; domain names, certificates, webserver headers, partial post code, geographic location. Certainly scope to include other personal data. Pseudonymised at best.

Avalon · 10 Jul 2021 at 10:55

IT Troll said:
They are storing and publishing anything else they can capture/determine; domain names, certificates, webserver headers, partial post code, geographic location. Certainly scope to include other personal data. Pseudonymised at best.

If associating a domain name with a IP is a problem, then the whole internet is in trouble. Again the reverse lookup data is freely available, I use it for looking up connected clients on services I run, it varies from pretty accurate to laughably wrong continent. In terms of GDPR, again unless they have a legal presence in the EU or other affiliated nation that has ratified GDPR, then they are not subject to it. Researchers, search engines, data aggregation providers and bad actors constantly scan the internet looking for known services and open ports, heck how many times have Google indexed something and made it searchable? Or a researcher discover something like data sat on AWS and notify a company, we’ve had several news worthy incidents this year for medical data etc. Every UK ISP is legally required to log and allow access to dns data on every site you visit with little or no oversight to a wide and ever increasing list of government/local government/3rd party contractors, certain UK ISP’s have admitted to going above and beyond that in un-sealed court documents relating to streaming.

As to your other points it’s not talked about because it’s accepted background noise. Can I ask if this is the first time you’ve had access to proper logging on a router? It’s just you seem really bent out of shape over what most people accept as reasonable background noise.

IT Troll · 10 Jul 2021 at 16:31

Avalon said:
As to your other points it’s not talked about because it’s accepted background noise. Can I ask if this is the first time you’ve had access to proper logging on a router? It’s just you seem really bent out of shape over what most people accept as reasonable background noise.

I agree that an occasional and plain old port scan is a part of Internet life. It is the fact that they are also attempting API calls against the ports they find to probe further. On one particular service I run this was generating multiple invalid API attempts in my logs each day. It was this daily annoyance that caused me to seek out who they are. This behaviour only started recently so either they have made their fingerprinting techniques more intrusive (as part of their Search 2.0) or have expanded their target IPs to include more domestic ISPs.

Countries outside of the UK and EU must still comply with GDPR. In fact there is a specific checklist for US companies. Enforcement may be tricky but there is an article on how this will be achieved. I will concede that there probably isn't enough in this case to warrant a complaint. However, it is wrong to say they are not subject to GDPR.

Ultimately, if folks are happy for their home systems to profiled daily by this company and for that data to be published, they can ignore this thread and do nothing.

IT Troll · 18 Sep 2021 at 10:06

My service started logging invalid API attempts again. It would seem Censys are now scanning from a new undisclosed range.

167.94.138.0/24

Rainmaker · 18 Sep 2021 at 16:05

Thanks for the updated subnet. These tattle to VM about perfectly secure DNS servers resulting in never ending streams of letters and emails about the 'possibility' of amplification attacks. Go. Away!

I'd ended up just turning the server into whitelist only, but that's a pain when using, say, a hospital or hotel WiFi hotspot (with VPN obviously) and wanting to use my ad blocking DNS server remotely. Until now I had to log in to the DNS server and whitelist the subnet each and every time. I'll try with these subnets blocked in pf and no whitelist and await the VM letter arriving (or not).

Rainmaker · 18 Sep 2021 at 16:20

I just found this list of all Censys and Shodan IPs and subnets, on a blocklist on Github. It was last updated 21 days ago so should be fairly useful for your firewalls.

66.240.192.138
66.240.205.34
66.240.219.146
66.240.236.119
71.6.135.131
71.6.146.185
71.6.146.186
71.6.158.166
71.6.165.200
71.6.167.142
74.120.14.0/24
80.82.77.139
80.82.77.33
82.221.105.6
82.221.105.7
85.25.103.50
85.25.43.94
89.248.167.131
89.248.172.16
93.120.27.62
93.174.95.106
94.102.49.190
94.102.49.190
94.102.49.193
94.102.49.193
94.102.49.198
98.143.148.107
98.143.148.135
104.131.0.69
104.236.198.48
155.94.222.12
155.94.254.133
155.94.254.143
159.203.176.62
162.142.125.0/24
162.159.244.38
167.248.133.0/24
185.163.109.66
185.163.109.66
185.180.143.0/24
185.181.102.18
188.138.9.50
192.35.168.0/23
198.20.69.74
198.20.69.98
198.20.70.114
198.20.87.98
198.20.99.130
208.180.20.97
209.126.110.38
216.117.2.180

Edited to add an undocumented Censys subnet (185.180.143.0/24) that keeps hitting my DNS server after using the (original) blocklist above.

IT Troll · 19 Sep 2021 at 04:13

Rainmaker said:
I just found this list of all Censys and Shodan IPs and subnets, on a blocklist on Github. It was last updated 21 days ago so should be fairly useful for your firewalls.

That’s a rather awkward collection on non-contiguous addresses. My router can only accommodate 32 blocking rules.

Rainmaker · 19 Sep 2021 at 14:46

IT Troll said:
That’s a rather awkward collection on non-contiguous addresses. My router can only accommodate 32 blocking rules.

Time to upgrade to a full fat x86 (OpenBSD, FreeBSD, Linux) router?

IT Troll · 20 Sep 2021 at 22:40

Rainmaker said:
Time to upgrade to a full fat x86 (OpenBSD, FreeBSD, Linux) router?

I'll ask Censys to pay for it.

Rainmaker · 20 Sep 2021 at 23:40

IT Troll said:
I'll ask Censys to pay for it.

LOL As Avalon said, whether it bothers you or not, they are a legit service - unlike millions of other bad actors continually scanning your IP online. Tis just the way of the Internet. While my last post was somewhat tongue-in-cheek, a proper router would at least give you full control over stuff like this.