Scans for Cisco's IKEv1 and IKEv2 Buffer Overflow Vulnerability (CVE-2016-1287)

Cisco's UDP-RCE

A short dissection of who's scanning for CVE-2016-1287, the latest IKEv1 and IKEv2 buffer overflow vulnerability, vulgo: CISCO-UDP-RCE-Vuln.

Since scanning was expected (and started shortly after the advisory became public), we wanted to know (and publish) who's scanning, and the results seem to be quite interesting.

The scans we detected follow a pattern similar to those observed by ISC:

[Figure: UDP port 500 scans by 8ack]

[Figure: UDP port 500 scans by ISC]

Most scans originated from research facilities or scanners like Shodan (the top 5), followed by low-rate scanning from various sources (Germany, Ukraine, China), probably from compromised servers.

There is no "super-heavy internet-wide scanning" so far, just what should be expected; there is no need to scan yourself when Shodan already lists more than 1 million Cisco devices that are not home routers.

[Figure: Shodan search result for "cisco"]

Scanners and their origin

158.130.6.191   <- University of Pensylvania
                   research-scan.cis.upenn.edu.
87.190.248.86   <- independent "Researcher" 
                   e21r.de
85.25.43.94     <- Shodan 
                   rim.census.shodan.io
71.6.135.131    <- Shodan
                   census7.shodan.io
198.20.70.114   <- Shodan
                   census3.shodan.io
198.20.69.98    <- Shodan 
                   census2.shodan.io
188.138.17.205  <- real scanner
179.43.147.222  <- real scanner 
46.219.52.152   <- real scanner 
109.169.67.102  <- real scanner

Scanner-IPs

158.130.6.191
87.190.248.86 
85.25.43.94
71.6.135.131
198.20.70.114
198.20.69.98
188.138.17.205
179.43.147.222
46.219.52.152
109.169.67.102
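If you want to check your own firewall logs for the same pattern, the following script is an added example (not tooling from the original post): it pulls UDP probes to the IKE ports (500 and the NAT-T port 4500) out of netfilter-style log lines, groups them per source, labels sources that appear in the scanner list above, and flags a source as scanning when it touches several distinct hosts. The log format and all sample lines are constructed for the example; the attributions are the ones given in the post.

```python
"""Aggregate UDP/500 (ISAKMP/IKE) probes from firewall logs and label known scanner sources.

Added example, not the original post's tooling. The log lines are a constructed,
simplified netfilter-style format (assumption); adapt LINE_RE to your own logs.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Scanner IPs and attributions as published in the post above.
KNOWN_SCANNERS = {
    "158.130.6.191": "University of Pennsylvania (research-scan.cis.upenn.edu)",
    "87.190.248.86": "independent researcher (e21r.de)",
    "85.25.43.94": "Shodan (rim.census.shodan.io)",
    "71.6.135.131": "Shodan (census7.shodan.io)",
    "198.20.70.114": "Shodan (census3.shodan.io)",
    "198.20.69.98": "Shodan (census2.shodan.io)",
    "188.138.17.205": "real scanner",
    "179.43.147.222": "real scanner",
    "46.219.52.152": "real scanner",
    "109.169.67.102": "real scanner",
}

# Constructed sample log (not real traffic): one Shodan source sweeping three hosts,
# one unknown low-rate source, one unrelated TCP/22 line, and one UDP/4500 probe.
SAMPLE_LOG = """\
2016-02-11T10:00:01 kernel: IN=eth0 SRC=85.25.43.94 DST=192.0.2.10 PROTO=UDP SPT=33521 DPT=500
2016-02-11T10:00:02 kernel: IN=eth0 SRC=85.25.43.94 DST=192.0.2.11 PROTO=UDP SPT=33521 DPT=500
2016-02-11T10:00:02 kernel: IN=eth0 SRC=85.25.43.94 DST=192.0.2.12 PROTO=UDP SPT=33521 DPT=500
2016-02-11T10:00:05 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=500 DPT=500
2016-02-11T10:03:15 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=500 DPT=500
2016-02-11T10:00:09 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44444 DPT=22
2016-02-11T10:00:11 kernel: IN=eth0 SRC=188.138.17.205 DST=192.0.2.10 PROTO=UDP SPT=4500 DPT=4500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

IKE_PORTS = {500, 4500}  # ISAKMP and IKE NAT-Traversal


def parse_ike_probes(log_text):
    """Return (src, dst, timestamp) for every UDP packet aimed at an IKE port."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "UDP" or int(m["dpt"]) not in IKE_PORTS:
            continue
        probes.append((m["src"], m["dst"], datetime.fromisoformat(m["ts"])))
    return probes


def summarize(probes, min_targets=2):
    """Group probes per source and flag sources hitting >= min_targets distinct hosts.

    span_seconds (first to last probe) separates a quick sweep from low-rate scanning.
    """
    targets = defaultdict(set)
    counts = Counter()
    first, last = {}, {}
    for src, dst, ts in probes:
        targets[src].add(dst)
        counts[src] += 1
        first[src] = min(first.get(src, ts), ts)
        last[src] = max(last.get(src, ts), ts)
    report = {}
    for src in counts:
        report[src] = {
            "packets": counts[src],
            "distinct_targets": len(targets[src]),
            "span_seconds": (last[src] - first[src]).total_seconds(),
            "known_as": KNOWN_SCANNERS.get(src, "unknown"),
            "looks_like_scan": len(targets[src]) >= min_targets,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(summarize(parse_ike_probes(SAMPLE_LOG)).items()):
        print(src, info)
```

Feed it real logs by replacing SAMPLE_LOG with the file contents; the min_targets threshold is deliberately low because a single IKE probe against two or more of your addresses from one source is already a sweep rather than a misconfigured VPN peer.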