yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Aggressive scans from 69.175.126.170 – HD Moore is trying to save the Internet

I’ve been seeing this for some time, so you will see it soon too. We are talking here mostly about SNMP probes coming from a small set of very specific IPs. If you search for one of the IPs you land on the web page shown below (critical.io), which explains to the reader that this is a vulnerability/misconfiguration disclosure effort run by HD Moore across the whole Internet for our own good. At first I had no answer from HD Moore himself (probably because of Defcon :) ), so I could neither confirm nor deny this claim. Update: I did hear from him, and these are indeed scans done by him.
Anyway, as these scans are much more frequent/aggressive than the usual attack/scan attempts I see every day, I decided, while not seeing them as any threat, to filter them out. Here are the IP addresses in case you decide to do the same.
IPs (the /29 block, followed by the specific source address observed scanning):
69.175.126.168/29   (seen: 69.175.126.170)
184.154.42.192/29   (seen: 184.154.42.194)
173.236.44.96/29    (seen: 173.236.44.98)
69.175.54.104/29    (seen: 69.175.54.106)
173.236.30.120/29   (seen: 173.236.30.122)
96.127.150.216/29   (seen: 96.127.150.218)
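As an added example (not part of the original post, and not code from critical.io), here is a small Python script that does what the post suggests on the defender's side: it checks firewall log source addresses against the six /29 blocks above, counts how much of the noise is the SNMP (UDP/161) probing, leaves everything else for normal triage, and prints the iptables DROP rules for the whole blocks. The log lines are constructed samples in netfilter LOG style with documentation-range destinations; that format, and the `iptables` rule shape, are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter

# The six /29 blocks listed in the post; the observed source IPs
# (.170, .194, .98, .106, .122, .218) all fall inside them.
SCANNER_BLOCKS = [ipaddress.ip_network(b) for b in (
    "69.175.126.168/29", "184.154.42.192/29", "173.236.44.96/29",
    "69.175.54.104/29", "173.236.30.120/29", "96.127.150.216/29",
)]

# Constructed sample lines in netfilter/iptables LOG style (not real
# captures); destinations are documentation addresses. The exact log
# format is an assumption of this example.
SAMPLE_LOG = """\
Aug  1 10:01:02 fw kernel: IN=eth0 SRC=69.175.126.170 DST=203.0.113.10 PROTO=UDP SPT=45234 DPT=161
Aug  1 10:01:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=22
Aug  1 10:01:05 fw kernel: IN=eth0 SRC=184.154.42.194 DST=203.0.113.11 PROTO=UDP SPT=45234 DPT=161
Aug  1 10:01:07 fw kernel: IN=eth0 SRC=69.175.54.106 DST=203.0.113.11 PROTO=TCP SPT=51234 DPT=80
Aug  1 10:01:09 fw kernel: IN=eth0 SRC=96.127.150.218 DST=203.0.113.12 PROTO=UDP SPT=45234 DPT=161
Aug  1 10:01:10 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=UDP SPT=40000 DPT=161
"""

# Pull the source address, protocol and destination port out of a line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*PROTO=(?P<proto>\w+) .*DPT=(?P<dport>\d+)")


def scanner_block(src):
    """Return the listed /29 (as a string) that contains src, or None."""
    addr = ipaddress.ip_address(src)
    for net in SCANNER_BLOCKS:
        if addr in net:
            return str(net)
    return None


def classify(log_text):
    """Separate scanner noise from lines that still need a human look.

    Returns per-block hit counts, how many of those hits were SNMP probes
    (UDP to port 161), and the lines that came from other sources."""
    hits = Counter()
    snmp_probes = 0
    remaining = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection log line; nothing to classify
        block = scanner_block(m["src"])
        if block is None:
            remaining.append(line)
            continue
        hits[block] += 1
        if m["proto"] == "UDP" and m["dport"] == "161":
            snmp_probes += 1
    return {"hits": dict(hits), "snmp_probes": snmp_probes, "remaining": remaining}


def drop_rules(chain="INPUT"):
    """iptables rules dropping the whole listed blocks, as the post does."""
    return [f"iptables -I {chain} -s {net} -j DROP" for net in SCANNER_BLOCKS]


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for block, n in sorted(result["hits"].items()):
        print(f"{block}: {n} hit(s)")
    print(f"SNMP probes from listed blocks: {result['snmp_probes']}")
    print(f"Lines left to triage: {len(result['remaining'])}")
    print("\n".join(drop_rules()))
```

Matching on the /29 blocks rather than the single observed addresses means a scanner moving to a neighbouring address in the same block is still caught, which is why the post lists both. Blocking at the ISP edge, as described in the comments, is the same rule set applied one hop further upstream.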
Screenshot of the website hosted on aforementioned IPs:

screenshot of the critical.io webpage



3 Comments

  1. Gareth Tomlinson

    October 2, 2012 at 9:58 am

    I’m really not happy about this, I don’t see why we should allow a “reputable researcher” to scan all the IP addresses in creation, when this would normally be seen as intrusive behaviour by the ISP concerned. Would you allow people to try all the windows and doors of your house to see if they can break in? The fact is he will end up with data valuable to his company and certainly valuable to “other interests” that would have been impossible for anyone else to gather without being blocked. Who will be responsible for safeguarding this data? And I’ve requested my ranges be exempt 4 times now, with only temporary success each time.

  2. Yuri

    October 3, 2012 at 9:50 am

    Hi Gareth,
    – On the practical side, those scans increased the alert/log noise from our end-client devices. So after getting more and more concerned/worried “Look, can you tell who is driving my IPS crazy?” questions from them, I just blocked those ranges completely. And as I work for the ISP/MSS, I blocked those scans at our (ISP) side, so no client of ours will be scanned anymore. But as I said, random scanning is a fact of life, and if not HD Moore then some unknown guy from China; not much to be concerned about. I guess you may contact your ISP and ask for some filtering of these scans at their backbone.
    – I didn’t ask for an IP exemption, as then I would need to declare the IP spaces of our clients, and for me it doesn’t feel right.
    – On the ‘moral of the story’ side, I agree that it may benefit HD Moore himself in some way, but there will be no actionable gain for the folks being scanned. After all, this whole project can be summed up in one statement: “Sysadmins of the world, scan your networks for open services/ports and secure them accordingly!” And I really don’t need anyone scanning my nets to know it. But again, seeing no damage in it, I am OK with that, or rather just don’t care.
    Cheers
    Yuri

  3. Светлана, www.svetlsana.ru

    November 17, 2012 at 11:46 pm

    This IP 69.175.126.170 has gotten on my nerves, it keeps trying to break into my machine. I installed a firewall and a good antivirus, and it blocks its attack, but this IP still gets on my nerves.


© 2016 yurisk.info
