
SANS ISC: SSH scans from SANS ISC InfoSec Forums

SSH scans from

We received the following earlier today regarding scans to SSH from this IP address, which is a research group in Germany. As far as we are aware it is legitimate research and the scans have been conducted previously. So if you see scans from this IP address, this is what it is about. I'll leave whether you wish to block it or take advantage of their blocklist up to you.



Dear colleagues,

Our team at the Network Architectures and Services Dept. (I8) of TU
München, Germany, has started an IPv4-wide SSH scan. This is the same
kind of scan that we have conducted several times over the past few
months. Once again, the purpose is purely scientific.

The scanning machine is

It is not infected, nor is an attack intended (we do *not attempt to
login*, in fact we send the most harmless username ever). However, this
is a large-scale scan, which we expect to last up to 10 days. The
long-term goal is continuous scans.

We are perfectly aware that many IDS systems will count this as
an attack. We are thus writing in order to inform you of our activity.
If there is anything you can do - adding us to a whitelist, adding a
comment in your DB etc. - we would very much appreciate your help.

Please note that we respond to every complaint and are happy to
blocklist systems with annoyed admins.

Background information can be found here:

29C3 Lightning Talk, from minute 9:


Project homepage:


392 Posts
ISC Handler
Apr 2nd 2013
Thanks for sharing this, Mark. Though this team is legitimate, the only concern is that a malicious actor (attacker) might also pose as a research team and start such scans, though the targets have an option to blacklist the source. There should be a "do not scan for research" list where the targets have a choice to add themselves to the list so that they are eliminated from such research activities. This is just a thought which I felt should be shared.

14 Posts
These guys tried me back in November, I blocked them. Screw 'em.

Speaking of posing as a research team, I still get "GET /w00tw00t.isc.sans.dfind :)" probes from people.
Looking at their site, this sentence, regarding their app, made me cringe. "Note however, that the live notary is not beyond PoC status at the moment - meaning the code works, but very little attention has been paid to security."
Yeah. I see that they've scanned us 'cos they're now blocked - upon any kind of scan being detected an automatic block occurs. I dunno - this seems like an example of idiot -> idiot mapping.

I don't care who the scanner is. Scans are not socially acceptable Internet behavior.

7 Posts
What I fail to understand is the lack of a good Access Control List on the Edge Router and past that, the firewall. If the policy of allow permitted hosts/networks is followed, and deny everything else, the only thing a SSH scan will show in router logs is DENIED, with no information being given to scanners (automated or otherwise).

Auto-Blocking stuff is nice, but IMO, it's much easier not to allow them access from the beginning.

21 Posts
I believe the point to "blocking" is not to keep them from attacking closed ports, like SSH, but to keep them from trying to exploit other things.

In my network, for example, I block someone that I see doing a portscan, or other scanning activity because I think they may then escalate things into other attacks, such as web application exploits. Or at the very least, it may keep them from finding an actual vulnerability in some other service that I allow.

Once the IP of the scanner is added to my blacklist they will not be able to even get to legitimate services that I offer to the general public, like my email and web apps.

2 Posts
In my Kippo logs from September 2012:

[me@1 log]$ grep 188\.95\.234\.6 *
kippo.log.315:2012-09-09 17:46:55+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: (sanitized:22) [session: 7]
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,] Remote SSH version: SSH-2.0-OpenSSH_6.1 This is a routine measurement by the TU Munich. See:
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,] outgoing: aes128-ctr hmac-md5 none
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,] incoming: aes128-ctr hmac-md5 none
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,] NEW KEYS
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,] starting service ssh-userauth
kippo.log.315:2012-09-09 17:46:56+0000 [SSHService ssh-userauth on HoneyPotTransport,7,] root trying auth none
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,] connection lost
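
The session in the log above negotiates keys, tries only the "none" authentication method and disconnects. As an added example (not part of the original thread, and not Kippo's or the research group's own code), the following sketch groups Kippo log lines by session and separates such handshake-only probes from sessions that submit credentials. Session 7 is taken from the log above; session 8, its address 203.0.113.9 and its banner are constructed for illustration.

```python
import re
from collections import defaultdict

# Session 7: lines from the log above. Session 8: constructed sample data
# (documentation address 203.0.113.9, made-up banner and password).
SAMPLE = """\
kippo.log.315:2012-09-09 17:46:55+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: (sanitized:22) [session: 7]
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,] Remote SSH version: SSH-2.0-OpenSSH_6.1 This is a routine measurement by the TU Munich. See:
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,] starting service ssh-userauth
kippo.log.315:2012-09-09 17:46:56+0000 [SSHService ssh-userauth on HoneyPotTransport,7,] root trying auth none
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,] connection lost
2012-09-09 18:02:10+0000 [HoneyPotTransport,8,203.0.113.9] Remote SSH version: SSH-2.0-libssh-0.1
2012-09-09 18:02:11+0000 [SSHService ssh-userauth on HoneyPotTransport,8,203.0.113.9] root trying auth password
2012-09-09 18:02:11+0000 [SSHService ssh-userauth on HoneyPotTransport,8,203.0.113.9] login attempt [root/123456] failed
""".splitlines()

# The session id is the number after "HoneyPotTransport," in the bracketed field.
LINE = re.compile(r"\[(?:[^\]]*?)HoneyPotTransport,(\d+),[^\]]*\]\s*(.*)$")
AUTH = re.compile(r"^(\S+) trying auth (\S+)$")
BANNER = "Remote SSH version: "

def classify_sessions(lines):
    """Return {session_id: {"banner", "auth_methods", "verdict"}}."""
    sessions = defaultdict(lambda: {"banner": None, "auth_methods": []})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # factory lines and anything without a session id
        sid, msg = int(m.group(1)), m.group(2).strip()
        if msg.startswith(BANNER):
            sessions[sid]["banner"] = msg[len(BANNER):]
        else:
            a = AUTH.match(msg)
            if a:
                sessions[sid]["auth_methods"].append(a.group(2))
    for s in sessions.values():
        methods = set(s["auth_methods"])
        # The verdict rests on behaviour only: the banner is chosen by the
        # client, so its text says nothing reliable about who is scanning.
        if not methods:
            s["verdict"] = "no-auth"
        elif methods == {"none"}:
            s["verdict"] = "handshake-only"
        else:
            s["verdict"] = "credential-attempt"
    return dict(sessions)
```
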
Hi everyone. Please note that we offer that you can get your IP ranges blacklisted, and we're happy to oblige to such requests.

Please also note that we use a non-existing authentication method, and do thus never send a password. There is no way we could get access to your systems. The only reason we send that authentication method is that we need to complete the handshake to find out which cipher has been chosen.

Concerning whether such scans are legit, I would like to copy from a mail I have written to a SANS member:

We are a network measurement group. We do believe that active scans must be an integral part in understanding and improving the infrastructure of the Internet. In the end, everyone benefits from that (BTW, there is even an RFC on scanning for measurement purposes). As an example of how improvement is possible, I would like to point out our paper (but also the work of the EFF and others) that documents how poorly SSL/X.509 is deployed:

We hope to document SSH in a similar way. And frankly, from what we can see in our scans, there are a few oddities that need documentation.

We believe that we can contribute to overall security with our scans. If you feel inconvenienced by them, please accept our apologies.
@nekton: We have since changed our scanner - in fact, it was different for every scan.
@hcbhatt: I like your idea of a public blacklist "do not scan for research". I'll try and distribute it in the measurement community. Thanks!
@DHC: I feel you should not cringe, but rather be delighted at the transparency. First of all, that comment you quote refers to the *live querying of an SSH server*. We do not do this at the moment, as it would allow an attack to get a free "idle" sort of scan via us. But we do think of switching that to live once we have implemented a few precautions.

The current OpenSSH functionality is to query a server that stores data from our scan. We have a patch for OpenSSH to query our notary. However, we feel it is not ready yet for inclusion to the main branch and we will not submit it to that branch before we feel it is ready.

All that said, the easiest way to query our notary is actually via DNS, like this:
export myip="..."
dig -t TXT $

The DNS server runs PowerDNS and is rate-limited.
"I'll leave whether you wish to block it or take advantage of their blacklist, up to you. "

This sure seems like an unethical approach to me.

"Require the person at the receiving end to take the TIME and EXPENSE to opt-out, or respond to ALREADY being annoyed by a scan, to then opt-out."

The options are framed incorrectly. You should not be attempting such an intrusion on someone else's network, without the proper permissions.

My opt-out mechanism is called a null route for the IP prefix of the source IP address space at my edge routers, a call to the source's upstream ISP to complain about this, and possibly legal remedies....

146 Posts
As far as UK legislation is concerned this is in fact illegal activity. See the Computer Misuse Act 1990.

They better not hit my external ssh servers!

13 Posts
I find the level of aggression irritating. After all, this is just a scan, and it is meant to help.

That said, any legislation that I am acquainted with, and this includes the UK, always says that there must be an *intent* to gain access. Which there is not, and the fact that we use a bogus authentication method proves this.
5 Posts
Such a public blacklist would signal to everyone where they should scan, don't you think?

Sort of like the USA's "do not call" list, you know it's full of real, working phone numbers.

1 Posts
