How to use reverse DNS records to identify mass scanners

toolsosint

SecurityTrails Blog · Jul 30 · Troy Mursch & SecurityTrails Team

Search engine crawlers, botnets, and mass scanners are constantly probing the entire IPv4 space of the internet. Determining which incoming traffic is “friendly” is an ongoing task for network administrators and information security professionals.

Research tools offering scanning services, such as Shodan and Censys, are well-known and clearly documented. However, other mass scanners may not be as easy to identify in your firewall and IDS logs. Using SecurityTrails’ new reverse DNS lookup API endpoint, you can research the size and scope of unknown scanners.

The most readily available information when investigating a host is the reverse DNS record (PTR record) associated to its IP address. The value of PTR records is best illustrated in a recent case of ongoing RDP (remote desktop protocol) scans from 139.162.77.6. This example IP address currently has over 700 reports logged on AbuseIPDB.com. Performing a reverse DNS lookup for this IP address yields the hostname “scan-30.security.ipip.net”

dig -x 139.162.77.6 +short
scan-30.security.ipip.net

Simply visiting the third-level domain, security.ipip.net, in a web browser reveals the following notice in Chinese and English:

While this message indicates no malicious intent behind the scans, IPIP.net does not provide a method to opt-out of these scans, nor do they indicate which source IP addresses or ranges (netblocks) that the scans will be originating from.

In well-documented cases of network abuse, it’s easiest to block entire netblocks. However, this isn’t the best option for mass scanners as they can originate from single IP addresses of numerous network providers around the world. Simply checking the forward DNS resolution (A records) of all “scan-**.security.ipip.net” domains is not the best approach either. This is because forward-confirmed reverse DNS is not a formal requirement of the current DNS standard. In other words, there’s no guarantee the hostname returned by a PTR record will resolve back to an IP address.

Using SecurityTrails’ new API endpoint we can query the apex domain in this example, security.ipip.net, to quickly locate all known IP addresses associated to IPIP.net’s scanning operation. This is done by simply posting the following query to the "/v1/ips/list" endpoint:

{
  "query": "ptr\_part = 'security.ipip.net'"
}

The response returned yields 93 IP addresses tied to IPIP.net’s scanning operations.

Additionally, the open ports found on each of the hosts is returned by SecurityTrails’ API. This information is useful to identify the services running on the device. In this example, we find SSH access is enabled, presumably for remote management.

Looking deeper into the 93 hosts found, we find they are assigned to nine unique netblocks spanning two network providers, Linode LLC (AS63949) and KDDI Corporation (AS2516). Using geolocation services for further analysis, we find the IPIP.net scanning nodes are located in nine cities within five countries: Japan, United States, United Kingdom, Germany, and Singapore.

Using AbuseIPDB to check the 93 IP addresses, we find 18,324 reports indicating a high level of scanning activity from IPIP.net’s nodes.

A final revealing discovery of this investigation is found using SecurityTrails’ subdomain search for “ipip.net”

The subdomains found are not indexed by search engines, however they are publicly accessible. Visiting monitor.ipip.net reveals a giant list of nodes that appear to be part of IPIP.net’s scanning operation.

Many listed appear to be hosted by additional providers not found in the PTR record search, leaving the door open for further investigation.

Reverse DNS records can provide insight into the size and scope of unknown mass scanners. SecurityTrails’ new API endpoint allows you to query the apex domain and all PTR records associated to that domain will be returned. SecurityTrails currently has 1.2 billion PTR records indexed and available for searching. While PTR records may not necessarily correlate to the same forward DNS record, they can provide a wealth of information when conducting security investigations.


Start a SecurityTrailsAPI account today and start investigating, or integrate to your own security app!