Port Scanning, Spoofing & Blacklists
First Update: April 29 2019 00:00 AM
Hi, I’m @notdan. This may come as a shock to you, but don’t let the “not” completely fool you, because recently I was outed as actually being a guy named Dan. This is a brief story of research, spoofy packets, blacklists and repercussions. If I don’t cover a specific topic or area, it’s because I cannot do so. Those of you that know me well, know I tend to overshare when I can. I took a long hard look at myself and my actions this weekend, and I do not believe I’ve done anything damaging other than bruising a few inflated egos.
I really like doing security research, especially really “fringe” things that not many others explore. I was originally introduced to computers and hacking through exploring the telephone systems. Not exactly your average teen’s hobby.
Through my late-night conference calls, I met other hackers and began shifting my focus to how systems work, exploring mostly UNIX and other machines. I was also fascinated by how the basics of the internet worked, specifically IPv4 and the concept of “spoofing”.
When spoofing an IPv4 packet in the modern day, one needs access to a host that does not do source address validation, the ingress filtering more commonly known as BCP 38 in the RFCs.
Spoofing packets, quite simply, is not illegal. There are many instances where spoofing IPv4 packets can be used to explore how machines act when completely unexpected (or expected) IP ranges send TCP SYN or UDP packets. Spoofing begins to become illegal when people use it to impersonate a victim and then try to overwhelm them with reflected packets in Distributed Denial of Service attacks. This is technically called DRDoS, but everyone basically calls them DDoS attacks these days, so, whatever.
When used for massive Denial of Service attacks, typically over UDP, the attacker sets the source address to the victim’s address and then sends large numbers of requests to servers providing services like NTP (Network Time Protocol), which overwhelm the false source with NTP replies.
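The defender’s side of the spoofing problem described above is the source address validation check itself. The following is an added example, not code from this post or from any router vendor: a BCP 38 style ingress filter that only forwards a packet if its source belongs to a prefix assigned to the interface it arrived on. The interface names, prefixes and packets are constructed sample values.

```python
"""Added example: BCP 38 style source address validation for an edge router.

A packet arriving on a customer-facing interface is forwarded only if its
source IP falls inside a prefix actually delegated to that customer.
Anything else, including a neighbour's prefix or a victim address used for
reflection, is dropped at the edge before it can reach the wider internet.
"""
import ipaddress

# Constructed: prefixes delegated to each customer interface (hypothetical).
ASSIGNED_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("203.0.113.128/26")],
}

# Sources that should never enter from a customer port regardless of
# assignment: unspecified, loopback, RFC 1918 and link-local space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def ingress_allows(interface, src_ip):
    """Return True if a packet with this source may enter via `interface`."""
    src = ipaddress.ip_address(src_ip)
    if src.version != 4:
        return False  # this check covers IPv4 only
    if any(src in bogon for bogon in BOGONS):
        return False
    # Unknown interfaces have no assigned prefixes, so everything is dropped.
    return any(src in net for net in ASSIGNED_PREFIXES.get(interface, []))


def filter_packets(interface, packets):
    """Split (src, dst) tuples seen on `interface` into forwarded and dropped."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_allows(interface, pkt[0]) else dropped).append(pkt)
    return forwarded, dropped
```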
Scanning the internet is also not illegal. People have been scanning the internet for as long as it has existed, and it is not going anywhere. I’ve been a big fan of places like Censys and Shodan for a long time and one day randomly decided to give it a try and do it myself. It was not easy, at all. But in my spare time I persisted and did a few interesting scans here and there, but quite simply Censys, Shodan and a few others are doing it much better. Nevertheless I made my findings public and thought of it as more of a kinda “meh” side project.
Blacklists: SpamHaus & SpoofScans
I had been scanning the internet for quite some time with no issues, and then one day my server was shut down due to a complaint received from SpamHaus. This took me completely by surprise because I never use the server for anything other than masscan. I received the body of the SBL ticket from SpamHaus, which listed my scans (and ONLY my scans). I quickly realized I had an actual scenario where I could do some real gosh darn tootin’ research to see if this is all it would take to trick SpamHaus’ blacklists. (Sorry for my swearing.)
Anyways, I had a dilemma. My atrociously written Python script that spoofed 0.0.0.0/0 in an unfocused way did not give me the ability to track which packets might trigger a SpamHaus SBL listing. Even if it did, I didn’t technically own the servers I rented, and worried about dragging other parties into something that could get them blacklisted for scanning.
Then, as fate would have it, a buddy who runs a VPS company (twitter.com/gexcolo) mentioned he was also getting harassed by SpamHaus with SBL listings for simple port-scan traffic. We agreed how dangerous it was to blacklist based purely on stateless packets, since theoretically ANY host could be blacklisted. He looked over the masscan source and discovered an undocumented switch, ‘-spoof-address/-spoof-src’. This, combined with the fact that he owned a hosting company and IPv4 space, gave us all of the pieces of the puzzle we needed to do a controlled experiment without targeting unwilling participants.
And so we did. We did a masscan of the internet with -spoof-address, targeting an IP of his that had VERIFIABLY NO OUTBOUND TRAFFIC. I ran this masscan from a totally unrelated server that allowed spoofed packets and we waited as the various “abuse” emails began pouring in, but none from SpamHaus. I actually went to bed that night assuming the experiment had failed.
Then, about 12 hours later it happened: SpamHaus sent him a formal letter of complaint and confirmation that he had been added to the SBL because of “vulnerability scanning”. We had successfully proved beyond a doubt that ANY IP address on the internet could be falsely accused and placed on dangerous blacklists, with annoying, if not more serious, implications.
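The experiment above turns on one distinction: a bare SYN or UDP datagram can carry any source address, while a completed TCP handshake needs a working return path that a spoofer does not have. The following is an added example, not code from this post or from SpamHaus, showing how a sensor operator could separate spoofable from handshake-backed evidence before attributing scans to an IP. The flow-record format and the sample records are constructed.

```python
"""Added example: attributing observed traffic to a source IP only when the
evidence could not have been spoofed.

Constructed record format (hypothetical): (src_ip, proto, handshake_done,
bytes_from_src). `handshake_done` is True only if the sensor saw the
client's ACK (and request) after sending its own SYN-ACK, which requires
the client to genuinely receive packets addressed to src_ip.
"""
from collections import defaultdict

# Constructed sample sensor records, not real observations.
SAMPLE_FLOWS = [
    ("203.0.113.50", "tcp", False, 0),     # lone SYN to port 443
    ("203.0.113.50", "tcp", False, 0),     # lone SYN to port 22
    ("198.51.100.9", "tcp", False, 0),     # one SYN that went nowhere
    ("198.51.100.9", "tcp", True, 512),    # full handshake plus a request
    ("192.0.2.77", "udp", False, 48),      # single NTP-style datagram
]


def classify_flow(flow):
    """'confirmed' if the record proves a real return path, else 'spoofable'."""
    _, proto, handshake_done, bytes_from_src = flow
    # Only TCP can prove a return path here; UDP has no handshake, and a
    # SYN with nothing after it is exactly what a spoofed scan looks like.
    if proto == "tcp" and handshake_done and bytes_from_src > 0:
        return "confirmed"
    return "spoofable"


def attribution_report(flows):
    """Per source IP: evidence counts and whether a listing would be justified."""
    counts = defaultdict(lambda: {"confirmed": 0, "spoofable": 0})
    for flow in flows:
        counts[flow[0]][classify_flow(flow)] += 1
    report = {}
    for src, c in counts.items():
        # Stateless packets alone never support naming a source; they only
        # show that someone claimed to be it.
        verdict = "attributable" if c["confirmed"] else "unverified (possibly spoofed)"
        report[src] = {**c, "verdict": verdict}
    return report
```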
SpamHaus’ reaction was quite simply shocking. Instead of just admitting “whoops, thanks for the heads up, we’ll fix that” they simply denied our findings and insisted we were just smearing them. In fact, to this day they STILL do not admit this, even though as of 04/07/2019 they stopped listing “Vulnerability Scanners” as a reason for blacklisting. This just happens to be the same day we publicly confronted them about their bad practices. Granted, the hilarious dancing crab video wasn’t exactly professional, but that’s because we like humor, and last time I checked that wasn’t a crime either.
That’s 3 for 3 non-crimes we’ve done, if you’re keeping count.
Repercussions & Dox
To date, luckily nothing absolutely terrible has happened, other than Brian Krebs replying to a thread with personal information and threatening to have my workplace contacted for things that I did entirely on my own time. I fully denounce his actions and believe he has set a new low for intimidation tactics just because he doesn’t agree with us. SpamHaus has not denounced his actions either, and I suspect neither party will apologize or address this.
I fully expect them both to continue stalking us to look for any reason they can use to retroactively justify their completely inexcusable actions. I love my job and I’ve always maintained a level of separation to avoid conflating my security hobbies and opinions with the important work my employer does.
Escalations and Targeting Banks
As you may know, some individuals have targeted banking institutions in SpoofScans in which they likely ran masscan using a couple banks’ IP blocks to cause confusion. I’m guessing this was a poorly thought out trolling campaign that did not mean to cause lasting damage, but I truly have no idea. I will say right now, though, that this has nothing to do with me, and I’m confident the truth will come out on this matter.
This whole saga has surprisingly helped pull me out of a pretty deep funk, and has actually re-ignited some of my passion to re-engage with a part of my life I’ve been largely avoiding due to some personal issues. I hope to be able to continue providing some interesting, provocative, and thought-provoking research in the future. I also hope this kind of thing inspires you to do the same.
Here’s a hilarious video made to try and further explain that SpamHaus was indeed lying in their responses to The Register article: https://www.youtube.com/watch?v=h8WCVwyZyg0
Original Register Article: https://www.theregister.co.uk/2019/04/16/spamhaus_port_scans/
Cheers, everyone. Thank you from the bottom of my heart for all of the support you have given me over the past few days. No matter what happens I love this community.