
I just got port-scanned by Shodan

ManaUser

Brain of Cthulhu
upload_2016-7-15_21-15-42.png

upload_2016-7-15_21-15-50.png

I'm not sure if I should feel irritated or honored.
 

critcodedtuna

Terrarian
I get connections like that all the time whenever I leave my server up. Think of it as white noise. If your firewall/router allows it, just add a block rule for connections from 71.6.128.0/17 (CIDR range) and they won't be able to bother you anymore.

what is being port-scanned? and who is shodan?

It's more of a what than a who. It's a search engine that indexes internet devices that are publicly available. See https://www.shodan.io/ for their website and what they do. They present themselves as a legitimate service, but the whole concept seems a bit scummy to me and I have no qualms about blackholing their traffic.
 

ManaUser

Brain of Cthulhu
Yes, good explanation. Except I'll also mention that Shodan is named after SHODAN, an evil AI in the System Shock games. Which, for me at least, adds an extra bit of humor to the situation.
 

John Matherly

Terrarian
Founder of Shodan here:

1. We crawl ~260 different ports/services on the Internet and sometimes those overlap with Terraria game servers. However, our crawlers don't know how to properly speak with a Terraria server. In this case, port 5007 is also used by the MELSEC-Q protocol developed by Mitsubishi; i.e. it's crawling for publicly-accessible industrial control systems. See also:

https://www.shodan.io/explore/category/industrial-control-systems

2. Shodan is used by law enforcement, universities, security companies, and businesses both large and small. People have been privately doing similar things like Shodan for decades; it just wasn't well known outside of the security community. And we take numerous steps to limit abuse: if you don't create an account you can't use filters and you can only see 10 results. If you log in you can only see 50 results. To see more than 50 and have access to some more advanced filters/data you have to provide payment information. And we have a few more things in place to prevent anonymous access. I believe it is vital to understand the Internet empirically so we can make better decisions based on data rather than opinions.

3. I didn't think Shodan would ever get as popular as it did, so when I chose the name I did so because:

a) I love System Shock 2
b) It is easy to type
c) Other gamers would "get" the reference

Keep in mind that the initial purpose of Shodan wasn't for security, it was to have a tool where big companies could find out who's using their products, where their customers are located, whether patches are being applied etc. And of course they could also get that information about their competitors. At the moment, a lot of that information is gathered by phone surveys - I thought that collecting the information directly from the Internet would be a more accurate/reproducible dataset.

Anyways, as mentioned above you can always just add the IP to your blacklist and we've set up reverse DNS entries so you know when the IP connecting belongs to Shodan!
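
Added example, not part of any post in this thread: a Python sketch that flags firewall log entries whose source falls in the 71.6.128.0/17 range quoted above or whose reverse DNS name points at the crawler. The `.shodan.io` PTR suffix, the log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
import socket

# Range quoted in the thread. The PTR suffix is an assumption based on the
# shodan.io domain linked there; confirm it against names you actually see.
BLOCKED_NET = ipaddress.ip_network("71.6.128.0/17")
PTR_SUFFIX = ".shodan.io"
SRC_DPT = re.compile(r"\bSRC=(\S+).*?\bDPT=(\d+)")

# Constructed iptables-style log lines (not taken from the thread).
SAMPLE_LOG = """\
Jul 15 21:15:42 gw kernel: IN=eth0 SRC=71.6.200.7 DST=192.0.2.10 PROTO=TCP SPT=41822 DPT=5007
Jul 15 21:15:50 gw kernel: IN=eth0 SRC=71.6.127.255 DST=192.0.2.10 PROTO=TCP SPT=50311 DPT=5007
Jul 15 21:16:02 gw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=33100 DPT=7777
Jul 15 21:16:09 gw kernel: IN=eth0 SRC=not-an-ip DST=192.0.2.10 PROTO=TCP SPT=1 DPT=7777
"""

def ptr_name(ip):
    """Reverse DNS lookup; returns '' when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""

def classify(line, lookup=ptr_name):
    """Return (ip, dport, reason) for a crawler hit, or None."""
    m = SRC_DPT.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # malformed source field
    if addr in BLOCKED_NET:
        return (str(addr), int(m.group(2)), "cidr")
    if lookup(str(addr)).lower().endswith(PTR_SUFFIX):
        return (str(addr), int(m.group(2)), "ptr")
    return None

def scan(log, lookup=ptr_name):
    """Classify every line of a log and keep only the hits."""
    return [hit for hit in (classify(ln, lookup) for ln in log.splitlines()) if hit]

if __name__ == "__main__":
    # Offline stand-in resolver with a constructed PTR answer.
    fake = {"198.51.100.23": "crawler.example.shodan.io"}
    for hit in scan(SAMPLE_LOG, lambda ip: fake.get(ip, "")):
        print(hit)
```

The CIDR match is what a block rule enforces; the PTR match only labels traffic, since a reverse DNS name is set by whoever controls the address's reverse zone.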
 

ManaUser

Brain of Cthulhu
Whoa.

Don't get me wrong, I'm not saying you're evil or anything. The name is cool, much better than something like Global IoT Audit LLC, but it does have slightly creepy concoctions... which are not particularly helped by you popping up like that I might add. :)
 

John Matherly

Terrarian
I have a Google alert set up which notifies me :) And we've gotten some false/misleading news coverage in the past from tabloids so I try to clarify what we do whenever possible!
 