Hello, welcome to the Tuesday, January 7, 2020 edition of the Santernut Storm Center's Stormcast.

My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

A participant in our Slack channel did notice a large increase in the number of source IPs scanning the internet.

And well, he actually noticed this based on some other systems that publish these numbers.

So I looked at our data and yes, we had a substantial increase on January 2nd.

We tracked about 270,000 IP addresses scanning the Internet, and that went up to 500,000 on January 3rd, and almost 600,000 on January 4th.

So it took a closer look to see what's happening here and turns out that many of

these sources, pretty much explaining the entire increase here, came from the 103 network. So 103 slash

8 was the source of these scans almost certainly spoofed. They were pretty much focusing

on port 22 and 23, but we didn't really see any connections in our ZH honey pots. So yes,

there may have been a three-way handshake. Can't really tell that based on our data,

but well, if someone is scanning, then why not also trying to log in? If it's something, for example,

like Mirai and such. Also, some of the sources came from net blocks that were not actually

assigned, which again confirms that these scans

were most likely spoofed. Not really much you have to worry about here. Kind of also interesting

that a doubling of the number of sources scanning the internet doesn't really make a difference

or excites people too much these days.

I don't have any great explanation for why they used 103 slash 8.

The only thing I sort of could come up with was that this was the last net block that

Ianna assigned to Appnick, so the Asia Pacific Network Information Center,

they received this net block in February 2011 and have since started to hand out IP addresses

from that net block.

...