You have probably found our scanning node because you see incoming scan traffic reaching your network. You do not need to worry: we are a research team focused on improving Internet security. Currently, we are monitoring the landscape of amplification attacks.
Scan Type | Description | Frequency |
---|---|---|
DNS Scan (complete) | Complete IPv4 address space scan which finds recursive DNS resolvers | Rare |
DNS Scan (limited) | Targeted scan towards recursive DNS resolvers only | Occasional |
You do not want to be scanned? Read on.
Our scans have fairly simple signatures:
1. We use the default zmap IP.ID: 54321
2. We initiate scans with the maximum IP.TTL: 255
3. Scans originate only from a single IP source address: 141.22.28.227
We recommend adding firewall rules for signatures 1 and 2. This way you will drop traffic from any unwanted zmap scan.
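One way to check received packets against these signatures, as an added example that is not the project's own code. The page gives the TTL as set at the sender; routers decrement it on the way, so the sketch accepts a range below 255. `MAX_HOPS`, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Values stated on the page.
ZMAP_IP_ID = 54321
INITIAL_TTL = 255
SCANNER_SRC = ipaddress.IPv4Address("141.22.28.227")
# Assumption (not from the page): tolerate up to 64 router hops, so a probe
# sent with TTL 255 arrives with TTL 191..255 (each hop decrements it by one).
MAX_HOPS = 64
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order


def parse_ipv4(header: bytes) -> dict:
    """Extract the fields used by the signatures from a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack(IPV4_FMT, header[:20])
    if fields[0] >> 4 != 4:
        raise ValueError("not IPv4")
    return {"id": fields[3], "ttl": fields[5],
            "src": ipaddress.IPv4Address(fields[8])}


def classify(header: bytes) -> str:
    """Return 'this-project', 'zmap-like' or 'no-match'."""
    f = parse_ipv4(header)
    sig1 = f["id"] == ZMAP_IP_ID
    sig2 = INITIAL_TTL - MAX_HOPS <= f["ttl"] <= INITIAL_TTL
    if not (sig1 and sig2):
        return "no-match"
    return "this-project" if f["src"] == SCANNER_SRC else "zmap-like"


def build_header(src: str, ip_id: int, ttl: int) -> bytes:
    """Construct a sample UDP/IPv4 header (checksum left at 0) for the demo."""
    return struct.pack(IPV4_FMT, 0x45, 0, 28, ip_id, 0, ttl, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address("192.0.2.10").packed)


if __name__ == "__main__":
    samples = [  # constructed packets, not captured traffic
        build_header("141.22.28.227", 54321, 243),
        build_header("198.51.100.7", 54321, 250),
        build_header("198.51.100.7", 54321, 57),
    ]
    print([classify(s) for s in samples])
```

An exact TTL match of 255 would only fire on a network directly adjacent to the sender, which is why the range is used here.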
Of course, we can also exclude your network from our scans. This way nothing will arrive at your edge. We just need your prefix.
This is a joint project between HAW Hamburg and Freie Universität Berlin. DNS research is conducted by Marcin Nawrocki. An email is enough; we will sort it out.