Security Researchers and Related Traffic
Security researchers frequently send requests that may look malicious, but serve the purpose of discovering security flaws so that Internet users can be better prepared in the event of a legitimate attack. There are many types of research that take place under the heading of "security researcher," and you always have the option to block this traffic as you see fit. This post details the most common goals of security researchers and explains how you can control this traffic if you don't want to take part.
What is a security researcher?
A security researcher is an individual or organization that searches for vulnerabilities in software, websites, servers, applications, and other endpoints across the Internet. Security researchers also investigate how malware is created so it can be effectively taken down, test security controls and cryptography, search for bugs in designated software, and present their findings from these and related activities to provide greater protection to Internet users.
What does that research look like?
From the receiving end, this research can look like port scanning, brute-force attacks, and other malicious activity. From the researcher's side, it is routine activity meant to produce reports on the potential for threats across the Internet: malware, misconfigured databases that give a malicious actor a way in, invalid SSL certificates, or servers that expose more than they should.
Although this activity looks suspicious, security researchers do not attempt to exploit their findings. The data gathered is publicly available via the target IP address and port and is meant to provide an accurate view of the Internet's susceptibility to attack.
Security research also helps individuals. Malware that has been identified and tracked or vulnerabilities found in applications like Internet browsers and operating systems are often the result of security research. These findings allow individuals to take the necessary steps to secure their data.
Why is security research important?
So much of society today depends on innovation and technology to function. With new connected electronics being created all the time, there are two opportunities for individuals with bad intentions to strike. The first is that not every company considers Internet security a high priority, and security measures may be cut back to make room for other tasks. Considering that everything from a cell phone to a refrigerator or coffee maker can be connected to the Internet these days, there are many more vectors for new types of attacks. This article has some examples of cyber attacks that had a large-scale impact but began with in-home devices like security cameras and baby monitors.
The second opportunity is simpler and follows from the first: the more devices connected to the Internet, the better the chances of coming across one that is not secured properly.
What if I don't want to be scanned?
When you have a Linode, you can set up your own firewall rules to block any unwanted activity. If you can identify an IP address or range from your server's traffic logs, you can block the address/range through the use of utilities like iptables, UFW, or FirewallD.
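Identifying a scanning source in your traffic logs and turning it into a block rule can be scripted. The following is an added example, not part of the original post or a Linode tool: it parses constructed lines in the format written by an iptables `-j LOG` rule (RFC 5737 documentation addresses), flags sources that probed several distinct ports, collapses them into a /24 when more than one host in that range qualifies, and prints the equivalent UFW and iptables commands for you to review before running them as root.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in the shape an iptables "-j LOG" rule writes to
# /var/log/kern.log. Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22 SYN
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=80 SYN
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=443 SYN
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=3306 SYN
kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22 SYN
kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=8080 SYN
kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51002 DPT=27017 SYN
kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51003 DPT=5432 SYN
kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=60000 DPT=443 SYN
kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=60001 DPT=443 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)")

def ports_per_source(log_text):
    """Map each source IP to the set of destination ports it touched."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m.group("src")].add(int(m.group("dpt")))
    return seen

def find_scanners(log_text, min_ports=4):
    """A source that probed at least min_ports distinct ports looks like a scanner;
    a single client hitting one service repeatedly (192.0.2.44 above) does not."""
    return sorted(ip for ip, ports in ports_per_source(log_text).items()
                  if len(ports) >= min_ports)

def block_targets(scanners, min_hosts_for_range=2):
    """Block the whole /24 when several flagged hosts share it, else the single IP."""
    by_net = defaultdict(list)
    for ip in scanners:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    targets = []
    for net, hosts in by_net.items():
        targets.extend([str(net)] if len(hosts) >= min_hosts_for_range else hosts)
    return sorted(targets)

def firewall_commands(targets):
    """Equivalent block rules for UFW and iptables (review, then run as root)."""
    return [cmd for t in targets for cmd in
            (f"ufw insert 1 deny from {t} to any", f"iptables -I INPUT -s {t} -j DROP")]

if __name__ == "__main__":
    for cmd in firewall_commands(block_targets(find_scanners(SAMPLE_LOG))):
        print(cmd)
```

Point `SAMPLE_LOG` at your own log contents and tune `min_ports` to your traffic profile; the script only prints commands, so nothing changes until you apply them.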
You also have the reverse option: requesting that your IP address be blocked by the researcher. The process for submitting a blacklist request depends on the organization, but it is typically done by sending an email to a designated inbox. If the security researcher is hosted on Linode and you discovered it by reporting the activity to us directly, we can request that the researcher block your IP from their scans as well. You would just need to make us aware of your request.
"security researchers do not attempt to exploit their findings. The data gathered is publicly available"
Thus giving those with a nefarious agenda a valuable tool so that they may go about exploiting it themselves.
Maybe I'm in the minority but I view a server the same way I would my home or a brick & mortar place of business.
If a person came around and started jiggling the locks, going around back to see if any windows were open or otherwise looking for ways into my home/shop, I would call the police and have them arrested for attempted burglary, trespassing, whatever. Imagine if the police showed up only to let them go each time they were caught snooping around "because they didn't enter the premises" or "had no intention of committing a crime".
What could be worse? A network of thieves that don't do their own dirty work but hires someone to poke around for them and report back anything they've found. What's worse? Putting an ad in a newspaper that exposes all of your home's/shop's vulnerable entry points without even bothering to notify you OR the police.
What could be EVEN WORSE? The company that owns the shop you're leasing also leases to the people next door that are doing the snooping!
This is essentially what Linode is currently doing - allowing so-called "research" entities to scan their own customers' servers.
I did not ASK for a security audit on my server. It's none of your business WHAT services I have running, what ports are being used OR what vulnerable app is being hosted on my server. And it's CERTAINLY not morally justified to post any of this information publicly. I get enough malicious traffic without "researchers" adding to the noise.