Censys Port Scanning, Denial of Service

fallenoracle

Occasional Visitor
Hey everyone,

Using RT-AC5300 with 386.7_2 and have been noticing recently I'll get random Internet drops lasting about 10-30 seconds. The light turns red, modem from ISP looks good. I've been looking at the system logs and noticed a considerable amount of traffic incoming (but dropped) from IP addresses all belonging to Censys. I see they do port scanning, but it appears to be dropping my connection when they do. I've noticed this three times over roughly a month in the router logs when I've noticed the drop and checked.

I have no ports open but I do use OpenVPN, way random and high port number though. As soon as traffic stops incoming at the rate they're sending it, my Internet comes back. It is effectively creating a DoS on my system.

Anyone else ever had this issue? Any suggestions?

In the meantime my ISP changed my static IP, but it's only a matter of time before it happens again.

I also can't believe they get away with scanning like they do.
 

ColinTaylor

Part of the Furniture
Censys have been doing this for years, so it's nothing new. I haven't noticed their scanning being particularly worse than it's been before, but YMMV. That said, I do drop all their traffic in a firewall-start script as they publish their IP addresses.

This sounds more like coincidence rather than something specifically caused by Censys. Especially if you're also dropping their traffic. If you're logging dropped traffic then of course you'll see it in the log. But unless you're getting hit hundreds of times a second I can't see this would be a problem. I normally recommend that people don't log dropped packets, because it usually serves no purpose other than to fill up the syslog preventing you from seeing more important information.

If it's only happened three times in a month I'm inclined to think it's more likely to be an ISP issue.
 

fallenoracle

Occasional Visitor
I spoke with my ISP as well, and all they offered was to change my IP. The logs were filled with entries from Censys, all time stamped exactly the same down to the second, and there were as many as can fit in the log.

Appreciate your input!
 

ColinTaylor

Part of the Furniture
> The logs were filled with entries from Censys, all time stamped exactly the same down to the second, and there were as many as can fit in the log.
That's interesting as it's not normal behaviour from Censys. Looking at the stats in my own log I've dropped only 300 packets from them in the last 12 hours.

Do you still have the log that you can post here for us to look at?
 

fallenoracle

Occasional Visitor
Unfortunately I do not. If it happens again I will certainly make sure I capture them though. I was looking at the logs on my phone at the time and it refreshed on me. I did email Censys but nothing back yet.

My lookup history does have the one IP that was most prevalent, 167.248.133.46.

There were others but that one appeared most frequently.
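
An added example, not part of any post in this thread: one way to measure whether logged drops reach the "hundreds of times a second" level discussed above is to count DROP entries per source per second in a saved copy of the router log. It assumes the usual iptables LOG line layout (`Mon DD HH:MM:SS kernel: DROP ... SRC=...`); the function names, the default threshold of 100 and the sample lines (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Per-source summary of logged firewall drops: total packets and the
# largest number seen within any single second of syslog time.
# Usage: drop_rate_summary [threshold] < saved-syslog.log
drop_rate_summary() {
    awk -v limit="${1:-100}" '
    / kernel: DROP / {
        src = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { src = substr($i, 5); break }
        if (src == "") next
        sec = $1 " " $2 " " $3            # syslog timestamp, 1 s resolution
        total[src]++
        n = ++persec[src SUBSEP sec]
        if (n > peak[src]) { peak[src] = n; peak_at[src] = sec }
    }
    END {
        for (s in total) {
            verdict = (peak[s] >= limit) ? "FLOOD" : "background"
            printf "%s total=%d peak=%d/s %s at=%s\n",
                   s, total[s], peak[s], verdict, peak_at[s]
        }
    }' | sort
}

# Constructed sample log: 150 drops from one source inside one second,
# three widely spaced drops from another, and one unrelated syslog line.
sample_log() {
    awk 'BEGIN {
        fmt = "Jan  5 %s kernel: DROP IN=eth0 OUT= SRC=%s DST=203.0.113.5 LEN=44 PROTO=TCP SPT=%d DPT=%d SYN\n"
        for (i = 0; i < 150; i++)
            printf fmt, "10:15:42", "192.0.2.10", 40000 + i, 1 + i
        printf fmt, "08:01:10", "198.51.100.7", 51000, 22
        printf fmt, "09:30:02", "198.51.100.7", 51001, 443
        printf fmt, "11:47:55", "198.51.100.7", 51002, 8080
        print "Jan  5 10:15:43 dnsmasq-dhcp[301]: DHCPACK(br0) 192.168.1.20"
    }'
}

# Demonstration on the constructed sample.
sample_log | drop_rate_summary
```

A source whose peak stays in single digits per second is ordinary background scanning; a peak at or above the threshold, timed to match an outage, is the evidence worth saving and posting.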
 
