Every morning, while drinking coffee, one of my daily task is to keep an eye on my logs. Keeping logs is critical to help you to investigate incidents and, sometimes, to prevent some of them. That's why I'm collecting a huge amount of data. Besides miscellaneous tools and scripts, I'm receiving a daily overview of my firewalls traffic via a DShield report. Every days, I see that IP addresses are scanning my network. Today, I went deeper and tried to get the good and the bad from this report. The firewalls protect classic devices and applications (home network, collocated servers, websites and other public services). 

Port scanning is an activity that has always induced debates. The classic question is: "Do we have to take care about port scans?". I already had discussions with peers about this topic and different point of views are always defended. Some people argue that port scanning is a normal activity and it will never decrease. For them, creating incidents related to port scans is way too much time consuming. Others are feeling offended and track them continuously.

Even if you don't track them, port scans must be logged because they can be part of a reconnaissance phase and be followed by a much deeper attack against your infrastructure. It could be useful to use them later as evidences. So, the next question is: can we reduce the noise and filter good VS. bad port scanners?

They are official port scanners operated by companies, non-profit organizations or security researchers. Some examples on top of my list:

• SHODAN (identified with PTR records: xxxxxx.shodan.io)
• ShadowServer project (identified with PTR records: scan-xxx.shadowserver.org)
• Rapid7's Sonar project (IP range: 71.6.216.32/27)

Do you know other Internet scanners like these? Feel free to share them.

Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be