This page contains information about the Internet scanner hosted on this server. The scanner belongs to the Section for Cybersecurity Engineering at DTU Compute and is used to conduct Internet measurements as part of academic research. Below you can find further information regarding our project Digital Ghost Ships, the scanner and contact details.
This project aims to identify devices connected to the Internet that have been neglected in terms of cybersecurity and present signs of abandonment, such as being unpatched or misconfigured. Neglecting devices connected to the Internet invites attackers to take control of their victims beyond the digital world. To encapsulate the features of these devices, we coin the term Digital Ghost Ships (DGSs). We strive to develop innovative methods that can identify DGSs over the Internet, helping to mitigate their proliferation.
This server scans the entire IPv4 address space as part of our project to detect vulnerable systems connected to the Internet. The server is equipped with two scanning tools, ZMap and ZGrab2. You can read more about the use of these tools for research purposes on their websites, and how other Internet scanners use them as well. Our server runs these tools sequentially following our configuration, which includes an allowed list of IPs to scan, as well as a blacklist which forbids the scanner from sending any unsolicited traffic to the listed addresses.
First, we use ZMap to perform a sweep scan, which tests whether an IP is listening for incoming connections on a certain port. The list of ports and protocols that we scan for can be found below. Then, we pipe the response (if any) to ZGrab2, which attempts to establish a full connection with the IP, and immediately closes it. This technique is known as banner-grabbing, and is useful to form an impression of the server, what we call a fingerprint. It contains details such as the expected content, certificate information, the encryption algorithms used to establish a secure connection, etc.
It is important to mention that our scanner does not attempt to authenticate or gain unauthorized access to the target IP. Moreover, the traffic towards the tested IP is minimal. Each IP receives at most 10 packets per protocol being tested (2 during the sweep and 8 during the banner grabbing). In addition, our tools use a scheduling algorithm that maximizes the distance between the tested IPs to reduce the traffic load between our scanner and any given IP range.
Furthermore, our probes have been developed following the official protocol specifications. This means that our scanner does not send any bogus request. Our scanner does not test for vulnerabilities nor attempt to provoke an undesired behavior. However, to improve our chances to identify DGSs reliably, we conduct weekly Internet scans, so you can expect to see traffic coming from our scanner at most once per week.
Similarly to other Internet scanners, our HTTP-based scans use a specific user-agent.
Other TCP-based probes that allow it include a similar message in the client-random field of the TCP connection (base64 encoded).
This can be used to identify our scanning probes reliably.
Lastly, here is the list of ports and protocols used during our scans:
| Protocol | Service | Port(s) |
|---|---|---|
| tcp | FTP * | 21 |
| tcp | SSH | 22, 2222 |
| tcp | Telnet | 23 |
| tcp | HTTP(S) * | 80, 8080, 443 |
| tcp | RPC | 135 |
| tcp | SMB | 445 |
| tcp | RTSP | 554 |
| tcp | IPP * | 631 |
| tcp | MQTT | 1883 |
| tcp | XMPP | 5222 |
| tcp | Modbus | 502 |
| tcp | OPC UA | 4840 |
| tcp | DNP3 | 20000 |
| udp | CoAP | 5683 |
| udp | BACnet | 57808 |
| tcp, udp | UPnP | 1900/udp, 5000/tcp |
For questions and inquiries, send us an email with the subject [SCANNER] and we will respond as soon as possible.
If you do not want to participate in our research (opt out) or want to report abuse by our scanner, please send us an email with the subject [ABUSE] and the IP range that you want to remove from our scans.
In addition, please state if you want these addresses removed from our study altogether.
We review these requests before scanning, and add these IP addresses to our blacklist.
Otherwise, you can configure your firewall to drop traffic from our scanner IP 130.226.254.28.
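
For operators who want to compare their own firewall logs with the behaviour described on this page, the following is an added example (not code from the scanner project). It checks traffic from the scanner IP against the port table and the stated maximum of 10 packets per protocol; the log layout, the `review` function, the sample lines and the choice to count per destination port are assumptions made for illustration.

```python
import re
from collections import Counter

SCANNER_IP = "130.226.254.28"  # scanner address stated on this page
PACKET_BUDGET = 10             # page: at most 10 packets per protocol (2 sweep + 8 banner grab)

# (transport, port) -> service, copied from the table on this page.
_TCP = {"FTP": [21], "SSH": [22, 2222], "Telnet": [23], "HTTP(S)": [80, 8080, 443],
        "RPC": [135], "SMB": [445], "RTSP": [554], "IPP": [631], "MQTT": [1883],
        "XMPP": [5222], "Modbus": [502], "OPC UA": [4840], "DNP3": [20000], "UPnP": [5000]}
ANNOUNCED = {("tcp", p): svc for svc, ports in _TCP.items() for p in ports}
ANNOUNCED.update({("udp", 5683): "CoAP", ("udp", 57808): "BACnet", ("udp", 1900): "UPnP"})

# Assumed log layout (iptables-style key=value pairs); adapt the regex to your firewall.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\d+)")

def review(lines):
    """Count packets from the scanner per (destination, transport, port) and
    compare each bucket with the announced port list and packet budget."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(1) == SCANNER_IP:
            counts[(m.group(2), m.group(3).lower(), int(m.group(4)))] += 1
    findings = []
    for (dst, proto, port), n in sorted(counts.items()):
        service = ANNOUNCED.get((proto, port))
        if service is None:
            verdict = "unannounced-port"   # port is not in the page's table
        elif n > PACKET_BUDGET:
            verdict = "over-budget"        # more than the stated maximum
        else:
            verdict = "consistent"
        findings.append((dst, f"{port}/{proto}", service, n, verdict))
    return findings

# Constructed sample log (documentation addresses), not real scanner traffic.
def _pkt(src, dst, proto, dpt):
    return f"2024-01-08T03:00:00Z IN=eth0 SRC={src} DST={dst} PROTO={proto} DPT={dpt}"

SAMPLE_LOG = (
    [_pkt(SCANNER_IP, "192.0.2.10", "TCP", 22)] * 4
    + [_pkt(SCANNER_IP, "192.0.2.10", "TCP", 443)] * 12
    + [_pkt(SCANNER_IP, "192.0.2.10", "TCP", 3389)]
    + [_pkt("198.51.100.7", "192.0.2.10", "TCP", 22)]
)

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(row)
```

A bucket marked `over-budget` or `unannounced-port` does not match the behaviour this page describes and is worth including in an [ABUSE] report. Source addresses can be spoofed, particularly for the UDP probes, so a source-IP match alone does not prove origin.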