Censys Port Scanning Domestic ISPs

IT Troll · 9 Jul 2021 at 15:40

I noticed some strange traffic in my logs and identified that it was a company called Censys who were port scanning me on a daily basis. Apparently they scan 3,552 ports across the whole public IP space, which includes home users on domestic ISPs. They are attempting to identify and log any services you might be running. This includes web, databases, IoT, remote access, file-sharing, crypto, and gaming.

You can enter your router's WAN IP into this search to see what they have discovered.
https://search.censys.io/

The legality of port scanning is a tricky area, especially when crossing international borders. However, the behaviour of Censys is certainly contrary to good etiquette guidance. Remember that in GDPR terms your IP address is personal data.

To "opt out" of this intrusive behaviour you need to configure your router/firewall to drop traffic from the following subnets:

74.120.14.0/24
162.142.125.0/24
167.248.133.0/24
192.35.168.0/23

IT Troll · 9 Jul 2021 at 18:12

Buffalo2102 said:
I'm struggling to see how to drop traffic with my router

It will depend on the router. On mine it is Incoming IP Filtering. But some may not have an equivalent.

IT Troll · 10 Jul 2021 at 09:11

Avalon said:
This is like when your friend is the last person to find out about something that is widely known, but feels the need to try and tell everyone. Wait till you discover Shodan.

As you managed to navigate to the opt out page to copy/paste the details here, presumably you also noticed that it’s a University of Michigan project? It’s not nefarious or a bad actor, it’s a tool like Shodan (lifetime subscriber here) that has legitimate uses, but like most things it can be abused. It’s certainly not subject to GDPR as it’s US based and isn’t breaching any established etiquette as you imply. If you actually look at what scans you, it’s happening constantly, usually by people who aren’t doing it for legitimate reasons.

Widely known but never spoken about? I searched and found no mention of Censys here. Whilst they may have begun as an academic research project you will have seen that it is now a commercial company selling their tools and dataset. The legality of port scanning has been challenged in court and there are good etiquette/ethics guidelines which include seeking permission first, limiting the scope of the scan and only performing a simple ping scan.

Censys are routinely scanning several thousand ports across the whole public IP range on a daily basis. They perform a range of extended API calls against non-standard ports in order to detect running services (this is what triggered in my logs). They make any captured data available publicly via an open search. I would argue this makes them more intrusive than other port scanning services.

IT Troll · 10 Jul 2021 at 09:24

On Holiday said:
Thus a GDPR complaint in relation to storing ONLY IP addresses certainly will not have a standing.

They are storing and publishing anything else they can capture/determine; domain names, certificates, webserver headers, partial post code, geographic location. Certainly scope to include other personal data. Pseudonymised at best.

IT Troll · 10 Jul 2021 at 16:31

Avalon said:
As to your other points it’s not talked about because it’s accepted background noise. Can I ask if this is the first time you’ve had access to proper logging on a router? It’s just you seem really bent out of shape over what most people accept as reasonable background noise.

I agree that an occasional and plain old port scan is a part of Internet life. It is the fact that they are also attempting API calls against the ports they find to probe further. On one particular service I run this was generating multiple invalid API attempts in my logs each day. It was this daily annoyance that caused me to seek out who they are. This behaviour only started recently so either they have made their fingerprinting techniques more intrusive (as part of their Search 2.0) or have expanded their target IPs to include more domestic ISPs.

Countries outside of the UK and EU must still comply with GDPR. In fact there is a specific checklist for US companies. Enforcement may be tricky but there is an article on how this will be achieved. I will concede that there probably isn't enough in this case to warrant a complaint. However, it is wrong to say they are not subject to GDPR.

Ultimately, if folks are happy for their home systems to profiled daily by this company and for that data to be published, they can ignore this thread and do nothing.

IT Troll · 18 Sep 2021 at 10:06

My service started logging invalid API attempts again. It would seem Censys are now scanning from a new undisclosed range.

167.94.138.0/24

IT Troll · 19 Sep 2021 at 04:13

Rainmaker said:
I just found this list of all Censys and Shodan IPs and subnets, on a blocklist on Github. It was last updated 21 days ago so should be fairly useful for your firewalls.

That’s a rather awkward collection on non-contiguous addresses. My router can only accommodate 32 blocking rules.

IT Troll · 20 Sep 2021 at 22:40

Rainmaker said:
Time to upgrade to a full fat x86 (OpenBSD, FreeBSD, Linux) router?

I'll ask Censys to pay for it.