GreyNoise: Knowing the difference between benign and malicious internet scans

Used with Shodan, this "search engine that looks at people scanning the internet" can help you pick bad actors out of the noise.


When Shodan launched, people freaked out. “How dare you scan my device connected to the public internet,” freaker-outers griped. Yet Shodan is a benign scanner and useful for many defensive tasks. (Maybe don't connect those devices to the internet? Just sayin’.)

Shodan is by no means the only scanner sweeping the entire IPv4 address space, all 4.2 (and a bit) billion of 'em. So do Censys, Sonar and ShadowServer. Like Shodan, they scan noisily from fixed IP subnets and announce their intentions.

Benign scanners make up only a fraction of 1 percent of all internet scanners, however, according to Andrew Morris at GreyNoise. Of the rest, 10 to 20 percent are known malicious — Mirai botnet, anyone? — and in search of vulnerable devices to compromise. The rest are, well, "grey noise."

Are the scanners in your logs in search of an opportunistic target? Or are they scanning your organization specifically as recon for an attack? To answer this question, Morris launched GreyNoise.

Making sense of scanners in your logs

"GreyNoise is the exact opposite of Shodan," Morris says. "Where Shodan is a search engine of all open ports and services on the internet, GreyNoise is a search engine that looks at people scanning the internet."

The goal, he explains, is to help enterprises tell the difference between targeted and omnidirectional scanning to better defend themselves. Opportunistic attacks are much easier to defend against than persistent attackers who want to hack your organization in particular.

In a talk at ShmooCon back in January, Morris laid out his methodology and some of his findings so far. "If you could figure out which scanners pose no threat, you could then remove those false positives from your SIEM and focus on scanners that are specifically targeting you," he told the audience.

John Matherly, the founder of Shodan, tells CSO that GreyNoise complements his own service. "[GreyNoise] catalogs internet activity based on sensors they've deployed around the world and makes the resulting information available via an API," he tells CSO. "They're listening for network activity on the internet using honeypots. It looks well developed and there are some interesting possibilities when combining both datasets, actually!"

How GreyNoise works

Morris runs honeypots in all the regions of all the major cloud providers — several in each of the 15 AWS zones, 11 DigitalOcean regions, 36 Google regions, 15 Vultr regions, and nine Linode regions. The honeypots see around 60,000 scanning IP addresses every day. Across those connection attempts, he logs 700,000 to around 1 million logins per day, 1 million to 10 million telnet logins per day, and 10,000 to 100,000 HTTP requests per day.

The static IPs of the good scanners are easy to spot in the logs, he says — Shodan's 27 IPs, Censys's 334, Sonar's 56, and ShadowServer's 228. Compare that, though, to 249,000 Mirai botnet IP addresses, 92,000 SSH worms, and 590,000 compromised home routers, and you see the problem.

"The good guys stay in the same place and generally advertise who they are. The Shodans are good citizens, and if you don't like it you can block them. But," he adds, "That's one-tenth of 1 percent of internet scanners, if you were to look at all the IP addresses scanning the internet."

Scanning IoT devices

A lot of those scanners are popped IoT devices looking for opportunistic targets. "There's a tremendous amount of traffic coming from IoT devices," he says. Compromised, insecure-by-design web cameras and coffeepots and sex toys and fridges are scanning the internet and attacking on the command of their botherder.

GreyNoise has published findings on what IoT devices are attacking, including attacks on thermostats, Oracle WebLogic servers, Drupal installs, MikroTik routers, and Linksys devices. Some are botnets; others are fully automated worms.

"Sometimes when GreyNoise observes an IP address scanning for a given TCP port, I'll turn around and check to see if that port is open on the source machine," Morris said in his ShmooCon talk. "If the answer is yes, this can be a great indicator of a worm. Why else would a computer search for behavior it also exhibits?"

Morris says he's also been able to identify thousands of infected hosts by correlating GreyNoise data with Shodan data. If you know the IP address of a scanner, and you cross-reference that address in Shodan for open ports, you can identify likely compromised devices or worms.
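The worm heuristic Morris describes (a source scanning for a port it also exposes) and the earlier point about dropping known benign scanners from SIEM alerts, as an added Python example that is not GreyNoise's or Shodan's code; the scanner ranges, the open-port lookups that stand in for a Shodan host query, and the honeypot log are all constructed placeholders, and no real API is called.

```python
# Added example (not GreyNoise's or Shodan's code). Two constructed, inline
# datasets stand in for (1) published benign-scanner ranges and (2) Shodan-
# style "open ports on this host" lookups; every IP, range and port is made up.
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed placeholder ranges for self-identifying benign scanners.
BENIGN_SCANNER_RANGES = {
    "example-scanner-a": ["198.51.100.0/28"],
    "example-scanner-b": ["203.0.113.64/26"],
}
# Constructed: ports a host-lookup service reports open on the scanning host.
OPEN_PORTS_ON_SOURCE = {
    "192.0.2.10": {23, 80},     # exposes telnet and scans for telnet
    "192.0.2.77": {443},        # scans telnet but does not expose it
    "203.0.113.70": {80, 443},  # lies inside a benign range
}
# Constructed honeypot log: (source_ip, destination_port) pairs.
SCAN_LOG = [
    ("192.0.2.10", 23), ("192.0.2.10", 23), ("192.0.2.10", 2323),
    ("192.0.2.77", 23), ("203.0.113.70", 22), ("198.51.100.5", 80),
    ("192.0.2.200", 445),  # no open-port data available for this host
]

def benign_scanner(ip):
    """Name of the benign scanner whose published range contains ip, or None."""
    addr = ip_address(ip)
    for name, ranges in BENIGN_SCANNER_RANGES.items():
        if any(addr in ip_network(r) for r in ranges):
            return name
    return None

def classify_sources(scan_log, open_ports_lookup):
    """Map each source to (verdict, detail): 'benign' for a known static scanner,
    'likely-worm' when it scans for a port it also exposes, else 'grey-noise'."""
    ports_scanned = defaultdict(set)
    for src, dport in scan_log:
        ports_scanned[src].add(dport)
    verdicts = {}
    for src, scanned in ports_scanned.items():
        name = benign_scanner(src)
        if name:
            verdicts[src] = ("benign", name)
            continue
        # The article's heuristic: overlap between scanned and exposed ports.
        overlap = sorted(scanned & open_ports_lookup.get(src, set()))
        if overlap:
            verdicts[src] = ("likely-worm", f"scans and exposes {overlap}")
        else:
            verdicts[src] = ("grey-noise", f"scanned {sorted(scanned)}")
    return verdicts
```

Sources with no open-port data fall through to grey noise rather than being called worms, since the heuristic only fires on a confirmed overlap.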

GreyNoise data is freely available via a Web API, with a commercial license for enterprises needing data in bulk.

"Every threat intel service has wanted to tell you everything to be afraid of," Morris says. "We're the first company to tell you what maybe you shouldn't be afraid of. We want to chip away at all the things that are probably less relevant to your specific organization."

Copyright © 2018 IDG Communications, Inc.
