A short dissection on who's scanning for CVE-2016-1287, the latest IKEv1 and IKEv2 Buffer Overflow Vulnerability. vulgo: CISCO-UDP-RCE-Vuln
Since Scanning is expected (and startet short after the Advisory became public) we wanted to know (and publish) who's scanning and the results seems to be quite interesting.
The Scans we detected follow a similar pattern like those observed by ISC
UDP Port 500 Scans by 8ack
UDP Port 500 Scans by ISC
The most scans originated from Research-Facilities or scanners like Shodan (Top 5), following by low-rate-scanning from various sources (Germany, Ukraine, China), probably from compromised servers.
There is no "super-heavy internet-wide scanning" so far, just what should be expected; there is no need for scanning yourself when there is shodan with more than 1 Mio Cisco-Devices that are not HomeRouters
Shodan Search result for "cisco"
Scanners and its origin
126.96.36.199 <- University of Pensylvania research-scan.cis.upenn.edu. 188.8.131.52 <- independent "Researcher" e21r.de 184.108.40.206 <- Shodan rim.census.shodan.io 220.127.116.11 <- Shodan census7.shodan.io 18.104.22.168 <- Shodan census3.shodan.io 22.214.171.124 <- Shodan census2.shodan.io 126.96.36.199 <- real scanner 188.8.131.52 <- real scanner 184.108.40.206 <- real scanner 220.127.116.11 <- real scanner
18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52