LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Getting Scans From 18.171.7.246 and 35.177.10.231? It's the UK Government

“This page provides information on the NCSC’s scanning activities. You may have been referred here by information left by one of our scanning probes if a system you own or administer has been scanned.”

So begins the UK’s National Cyber Security Centre information page describing their new scanning program. In a blog post entitled “Scanning the Internet for Fun and Profit,” the NCSC describes the rationale for their program.

As part of an intelligence agency, the NCSC has to answer what they call “Grand Challenges”:

“But the analyses we’ve published don’t answer the really hard questions, like ‘How vulnerable is the UK to cyber attack?’ or ‘Does HMG policy X have any impact on our security?’. Internally, we have a small number of ‘Grand Challenges’; research projects trying to find solutions to these really hard cyber security problems.”

To answer these questions, they need better tools.  As they put it, just “running regex over Shodan” isn’t enough.  So they’re initiating their own scans:

“During the 18 months or so that challenge has been running, we’ve made good progress using existing sources of data (including data from the ACD [Active Cyber Defence] services), but we’ve reached the limit of the utility of the commercial internet-scanning data we procure. Sometimes they don’t have the detail we need, or they’re not timely enough, or they don’t include specific IP ranges we need to look at.”

Their scanning program is designed to overcome these deficiencies and help “respond to shocks” (a zero day).

It’s possible to opt out of scanning – see the information page.

What do you think about this kind of white hat scanning? I have to think that various intrusion detection systems are going to be firing alerts as a consequence, which is noise that system owners need to deal with. Please share your thoughts in the comments below!

 
