13

I was looking through my ufw log record when I found this line:

169.229.3.91 - - [19/Feb/2016:13:21:52 +0100] "\xCEA\x81\xCF\x02\x03\xFCAm\xB8\xBF]1\xBE~0^\xCD\xA9\x05(\x8D`\xD9\x9D\x9D\x9C\x15m" 400 166 "-" "-"

Is this a hack attempt?

Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91

2 Answers2

19

We're all being scanned by researchers at Berkeley.edu

Is this a hack attempt ?

This is a research scan performed by the University of California at Berkeley:

This is a research scanning machine from the University of California at Berkeley. This machine regularly conducts scans of the entire Internet so you may have been scanned as part of an ongoing research project.

The primary contact for this project is Bill Marczak (wrm at icsi dot berkeley dot edu) and the advisor for the project is Vern Paxson.

If you have been or are currently being scanned and would like to opt out, please email wrm at icsi dot berkeley dot edu with the IP ranges you would like to exclude in CIDR format.

If you have been or are currently receiving DNS requests, ICMP echoes, or TCP SYNs and would like to opt out, please email bjones99 at gatech dot edu with the IP ranges you would like to exclude in CIDR format.

Regarding your question, assuming the scanning machine is not compromised, then I don't think it's a hack attempt. It's probably just a check to see if you are hacked.

In many countries, conducting scans which attempt to hack random machines is illegal. An upstanding, well-known university would not be able to get away with breaking the law on such an epic scale.

You can opt-out of the scans if you like, or just block their scanners in your firewall. I've listed the additional scanner addresses at the end.


Legitimate uses for scanning

It's certainly possible that they're attempting to assess whether or not your machine is infected by a particular strain of malware. This is not the same as a hacking attempt. There are legitimate research reasons to know whether or not a machine is infected by some type of endemic malware.

When you read an article in the news which states how many computers worldwide are infected by certain types of malware, where do you think they get the numbers from? Scanners like these are one of the many different ways to obtain that data.


There are other scanners

Below is a list of other addresses they use

169.229.3.90 - researchscan0.eecs.berkeley.edu
169.229.3.91 - researchscan1.eecs.berkeley.edu
169.229.3.92 - researchscan2.eecs.berkeley.edu
169.229.3.93 - researchscan3.eecs.berkeley.edu
169.229.3.94 - researchscan4.eecs.berkeley.edu

Update with Response from Berkeley

I contacted the folks in charge, and this is their response:

We are performing a measurement study of a particular phenomenon on the Internet. To accurately asses the behavior we're performing a daily scan of the IPv4 space by sending a single benign packet to every IP on port 80 consisting of 64 random bytes of data. [...] No, we are not attempting to gain unauthorized access. [...] It's simply randomly generated data that conforms to a certain set of criteria.

Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91
  • 7
    The Computer Misuse Act 1990 makes the attempt illegal in the UK (it's an unauthorised attempt to access a program or data, which the source will know is unauthorised because it's not had explicit approval and it's attempting to exploit malware). "Research" is not a legitimate defence. – Andrew Leach Feb 19 '16 at 16:47
  • 1
    @AndrewLeach I agree with you, but it really depends on a lot of factors including the laws of the host country. I've updated the post to include a reason why this may be happening. It's true it may be illegal in the UK, but not everywhere else. – Mark Buffalo Feb 19 '16 at 16:50
  • 1
    Great answer, I learn something totally new and interesting every time I visit Information Security. – Muhammet Feb 19 '16 at 18:09
  • 1
    Thank you for such a detailed and quick reply (I apologize for not being able to answer sooner, I had a little problem merging both accounts) – William Briot Feb 20 '16 at 09:43
3

Vern Paxson's paper of 2015 is titled "Temporal Lensing and Its Application in Pulsing Denial-of-Service Attacks".

Abstract—We introduce temporal lensing: a technique that concentrates a relatively low-bandwidth flood into a short, high- bandwidth pulse. By leveraging existing DNS infrastructure, we experimentally explore lensing and the properties of the pulses it creates. We also empirically show how attackers can use lensing alone to achieve peak bandwidths more than an order of magnitude greater than their upload bandwidth. While formidable by itself in a pulsing DoS attack, attackers can also combine lensing with amplification to potentially produce pulses with peak bandwidths orders of magnitude larger than their own

Make of that whatever you like, his research is clearly in the offensive part of the spectrum. If anyone's bothered enough, please feel free to contact Berkeley's Compliance, Accountability, Risk and Ethics (CARE) Committee at ethics@berkeley.edu or (via https://compliance.berkeley.edu/contact)

Antony McKnight, Compliance Officer

tmcknight@berkeley.edu

Office of Ethics, Risk and Compliance Services

Office of the Chancellor

Please note that this answer is deliberately made community wiki since it contains ancillary information that cannot be put into a comment. Mark Buffalo was the first to find out the nature of the scan, and IMHO should have his answer upvoted & accepted.

Update: his funders are ahem interesting

https://dx.doi.org/10.1145/2766330.2766335 : NSF (CNS-1111672) | DHS/ARL (W911NF-05-C-0013)

https://dx.doi.org/10.1145/2815675.2815690 : NSF (1223717, 1518918, 1540066, 1518882)

https://dx.doi.org/10.1145/2742647.2742675 : NSF (1213157, 1111672, 1237265)

https://dx.doi.org/10.1145/2785989.2786002 : DHS (N66001-12-C-0128), NSF (CNS-1111672,CNS-1237265,CNS-1213157)

From the looks of it this research is DHS-funded, so don't hold your breath while waiting for Berkeley Compliance & Ethics team to kick in.

Current grant he's on seems to be "II-New: Enabling Security Analysis at Scale"

This project will provide the computing equipment through an infrastructure grant that will enable greater capability for analysis of empirical social and economic phenomena, mediated in cyberspace such as, for example, massive online social networks, malicious web content, and underground cybercrime markets. The popular online sites like Facebook and Twitter connect literally billions of people; however, entirely new threats to such sites have emerged driven by cybercrime. In the absence of effective defenses, online social ecosystems today suffer. The empirical study of these threats and mitigating strategies in today's enormous web infrastructure requires a highly scalable and capable cyber infrastructure. Better understanding these complex cyber ecosystems, made possible through this equipment grant, will lead to new insights for making cyberspace safer.

If you ask me, this abstract smells utter BS. Scanning the entire Internet with crafted packets != making cyberspace safer.

Deer Hunter
  • 5,297
  • 5
  • 33
  • 50
  • 1
    If anyone else has more data to share, I'd like to compare to see if the packets are actually random, or if there's a specific pattern to them. – Mark Buffalo Feb 20 '16 at 16:51
  • I also agree with your assessment, it seems like they just want funding. :-P We'll have to wait and see, though. I'm willing to be proved wrong. – Mark Buffalo Feb 20 '16 at 16:52