Internet Scanners

Internet Scanner

Every morning, while drinking coffee, one of my daily task is to review all of the logs from the servers that I run. Keeping logs is critical to help you to investigate incidents and, sometimes, to prevent some of them, as well to insure that all of the systems are running smoothly.

As well as looking at the normal internet traffic from visitors, there is also scanner traffic.

There has always been a debate about this traffic that you see in the logs. Some have said “but it’s research” or you’ll hear “but we’re making the internet safer”.

Some would say “But then it must be good traffic. They are keeping the internet safe”.

This is where I disagree and for a number of reasons. For this article though, I want to just concentrate on two reason why I would disagree and why I feel that it has made the internet worse off than it was and what harm it has cause in general.

First I want to get back that traffic thing. Data has to be transferred though a wire and/or a fiber optic cable. If you think about it this way, you are at home with your family surfing the internet looking for cars to buy while the kids are playing the latest internet video game and the wife is looking up recipes, you begin to notice that the internet seems to be going slower than when it was just you browsing through the latest selection on cars. This is because there can only be so much traffic that the wire that brings the internet to your house can handle.

Now granted, the fiber optic cables that go into a data center where your sever(s) are located is much larger and is able to transfer data at a much faster rate, you also have to consider that there are thousands of servers in this data center and not just yours, as well as the traffic that the folks at the data center need to keep it running.

With all this in mind, there are now thousands of internet scanners roaming around scanning everything from a refrigerator to a nuclear power plant.

While these scanners attempt to tell you that they are research projects and that their scanning is benign, there is something else to think about. If one scanner comes to take a look at what ports are open on your server, it’s not so bad, but once you factor in the fact that there are now thousands of them, that adds a lot of traffic that your legitimate visitors now have to make their way around to be able to see your website.

The second point that I would like to add to this is that some of these scanner are publishing the faults that they find for all to see.

This is where a research or keeping the internet safe becomes dangerous. In the past, a hacker had to do their own scanning, research and figure out where or who to attack, then build their plan of attack and initiate it.

With the latest proliferation of scanners, a hacker now only has to go visit a scanners website to find his/her target. The research is already done. This is a complete disservice to the all things internet.

If a researcher – and there are some that I will give credit to for doing this – really wanted to make the internet safer, they would contact that potential victim to inform them of the flaws that exist in the victims network so that the potential victim can patch or repair their systems to keep from a disaster occurring.

The following is a timeline of some of the more prominent scanners that are in use today. It only takes a couple of minutes to see how this traffic is harmful to the internet in general.

Google Dorks
Google dorks work because Google search index crawlers happened to index the admin login screen of the device. Since many devices have default credentials or no authentication at all, it is possible to view security cameras in offices around the world, print random junk to unknown printers, and much more. While pranks and much laughing may follow, Google dorks highlight the importance of security awareness. That is understanding what services are listening on your perimeter and changing default credentials.

2004 saw the beginning of Shadowserver. It was founded by a group of volunteers. Working from the principle that sharing Internet Attack Data can only enhance the overall security of the Internet, they quickly became a primary source for security researchers. Over the years Shadowserver has published reports, shared cyber crime data, and scanned the Internet. With a focus on cyber crime, they distribute reports of C2 services, DDOS botnet services, and other attack based infrastructure.

Shodan the Google of network services
2009 Things started to heat up when John Matherly released the Shodan Search Tool. In 2009 John started indexing Internet service banners across the net and made the data available at ShodanHQ. It is now commonly known as the Google of network services and has made numerous appearances in mainstream media such as CNN and Forbes.

Internet Census 2012
2012 saw the release of the Internet Census, an unknown researcher created a botnet which scanned the entire IPv4 address space, he or she then published the results online. This project was audacious and very much illegal because it utilized exploited routers to perform the port scanning.

Zmap and Masscan
Zmap was released a few months later by a team of computer scientists at the University of Michigan. The Zmap port scanning tool can scan the entire Internet in 45 minutes (IPv4 address space). You need a big fat uplink and a fast network card, but that is amazingly fast. Masscan was another extremely fast port scanner that was released only a few months after Zmap.

Project Sonar
Project Sonar was the next big project in the timeline launched by HD Moore of Metasploit fame. At, the results of Internet scanning from HDMoore’s scanning project, and data sets from the Zmap project have been made available online for researchers to explore.

Censys was created in 2015 at the University of Michigan by the security researchers who developed ZMap. A very fast port scanner capable of Internet-wide scanning. The team has been scanning the Internet and making the results available through the portal. They have recently launched commercial access to the API.

VNC pwnage
In 2013 a security researcher has scanned a specific TCP port across the IPv4 address space and captured a screenshot of VNC (remote control software) services that responded with no password. In 16 minutes he found 30,000 systems with no password, and some of those systems included 2 hydroelectric plants and surveillance cameras at a casino in the Czech Republic.

Launched back in 2013, ZoomEye is another online search engine for Internet connected systems. Similar to Shodan and Censys, this Chinese based service provides the ability to search by IP address or string for connected hosts that match the query. There appears to be a commercial offering also for enterprise access to scan data.
Another Chinese based service started in 2013 is This service allows searches for services, open ports, and strings across Internet Wide Scan data. Similar to other services there is an API and the ability to perform straight string queries.

A new project was launched in 2017 that comes at Internet Wide Scanning from a different direction. GreyNoise attempts to classify incoming Internet scan traffic. Offering this classification of traffic as a service to organisations who might find this useful. The classification can highlight some of the above projects as benign, or not malicious as opposed to botnet traffic searching for more endpoints or other attack focused scanning.