You should probably check on your smart appliances

💥 Check out this insightful post from Hacker News 📖

📂 **Category**:

📌 **What You’ll Learn**:

Published on , 1008 words, 4 minutes to read

TL;DR: is your refrigerator running malware? If so, you better catch it!

The scraping problem is worse than anyone can imagine and thanks to my friends at Sourceware we have some real data to prove it.

I’ve been working more on Anubis’ reputation database and I’ve run into a really weird discovery: 80-90% of the hits created by the honeypot feature are from IP addresses that do not belong to any existing threat monitoring lists.

Here’s a breakdown of the honeypot hits Sourceware has gotten in the last few months:

Assessment of ./data/manually-submitted/sourceware/202607141625.txt against ./var/reputationdb.mmdb

In case this interests you, I have put the full tables in Appendix A: Full tables for the reputation database input.

Field Value
lines read 2678193
skipped (non-IP): 0
skipped (dupe): 0
unique IPs: 2678193
flagged (in db): 286161 (10.7%)
clean (not in): 2392032 (89.3%)

Flags (of flagged addresses)

Flag Unique IPs Share
is_vpn 1264 0.4%
is_datacenter 7918 2.8%
is_crawler 46 0.0%
is_proxy 2562 0.9%

Categories (6 distinct, of flagged addresses)

Category Unique IPs Share
abuse 282182 98.6%
datacenter 7918 2.8%
proxy 2562 0.9%
vpn 1264 0.4%
crawler 46 0.0%
tor 17 0.0%

Providers (126 distinct, of flagged addresses)

Mara is hacker
Provider Unique IPs Share
netshield 237945 83.2%
bitwire 96539 33.7%
magicteamc 26475 9.3%
ipinsights 17378 6.1%
threathive 8422 2.9%
netmountains 6673 2.3%
multacom 2676 0.9%
fyvri 2433 0.9%
cbuijs 1916 0.7%
x4bnet 1263 0.4%
solispirit 1259 0.4%
dailyproxy 1182 0.4%
blackwall 1073 0.4%
hproxy 1067 0.4%
scaleway 922 0.3%
fdo 755 0.3%
datacamp 702 0.2%
ebrasha 686 0.2%
hideip 628 0.2%
datacentres 480 0.2%
komutan 463 0.2%
aws 431 0.2%
m247 360 0.1%
firehol-level1 354 0.1%
vpslab 331 0.1%
alibaba-cloud 319 0.1%
proxyscrape 272 0.1%
ovhcloud 268 0.1%

(remainder snipped for brevity)

Countries (229 distinct, of all addresses)

Country Unique IPs Flagged Rate
Brazil (BR) 270937 18282 6.7%
India (IN) 185091 12478 6.7%
Saudi Arabia (SA) 120372 3574 3.0%
Mexico (MX) 95449 7053 7.4%
Türkiye (TR) 87258 5559 6.4%
Argentina (AR) 86463 9522 11.0%
Pakistan (PK) 85241 17083 20.0%
Vietnam (VN) 78967 8848 11.2%
Morocco (MA) 69201 1805 2.6%
Philippines (PH) 66128 7899 11.9%
Venezuela (VE) 64670 13780 21.3%
Iraq (IQ) 62047 13613 21.9%
Chile (CL) 60878 4522 7.4%
Colombia (CO) 59579 7048 11.8%
Bangladesh (BD) 59245 17735 29.9%
France (FR) 49782 1339 2.7%
Tunisia (TN) 48535 5799 11.9%
Uruguay (UY) 45888 430 0.9%
South Africa (ZA) 43919 7431 16.9%
United States (US) 40828 3347 8.2%
Indonesia (ID) 38119 6122 16.1%
Canada (CA) 37342 2334 6.3%
Spain (ES) 36008 2944 8.2%
Algeria (DZ) 35112 537 1.5%
Ukraine (UA) 32261 8920 27.6%

This doesn’t list data from 204 additional countries. Given that the ISO 3166-1 standard comprises 249 countries (193 of which are UN members), it’s safe to say this is a global problem.

ASNs (21116 distinct, of all addresses)

ASN Unique IPs Flagged Rate
AS55836 Reliance Jio Infocomm Limited 57029 1749 3.1%
AS45899 VNPT Corp 56910 6831 12.0%
AS6057 Administracion Nacional de Telecomunicaciones 43694 339 0.8%
AS25019 Saudi Telecom Company JSC 40800 679 1.7%
AS24560 Bharti Airtel Ltd., Telemedia Services 35957 1620 4.5%
AS36903 Office National des Postes et Telecommunications ONPT (Maroc Telecom) / IAM 35562 668 1.9%
AS36947 Telecom Algeria 33172 386 1.2%
AS9121 Turk Telekom 32742 1465 4.5%
AS8151 UNINET 32012 856 2.7%
AS14593 Space Exploration Technologies Corporation 31569 4597 14.6%
AS9299 Philippine Long Distance Telephone Company 27573 1626 5.9%
AS39891 Saudi Telecom Company JSC 25904 794 3.1%
AS35819 Etihad Etisalat, a joint stock company 24493 978 4.0%
AS28573 Claro NXT Telecomunicacoes Ltda 23903 841 3.5%
AS8193 Uzbektelekom Joint Stock Company 22611 3191 14.1%
AS8452 IDDQD-AS 22369 364 1.6%
AS43766 Mobile Telecommunication Company Saudi Arabia Joint-Stock company 22038 968 4.4%
AS9541 Cyber Internet Services (Pvt) Ltd. 21386 3696 17.3%
AS37705 TOPNET 20024 222 1.1%
AS11664 Techtel LMDS Comunicaciones Interactivas S.A. 18021 883 4.9%
AS17072 TOTAL PLAY TELECOMUNICACIONES, S.A.P.I. DE C.V. 18021 1181 6.6%
AS22927 Telefonica de Argentina 17672 291 1.6%
AS13999 Mega Cable, S.A. de C.V. 17410 692 4.0%
AS36925 MEDITELECOM 17259 383 2.2%
AS47331 Turk Telekom 17211 26 0.2%

There are 18069 more ASNs not listed.

How Anubis’ honeypot works

In order to collect data on how widespread the scraper problem is, I added a honeypot feature to Anubis. On every challenge page it adds semantically invalid HTML akin to the following:

<script type="ignore">
  <a href="/.within.website/x/cmd/anubis/api/honeypot//init">Don't click me</a>
script>

Visiting that page gets you cheap to generate vacuous anti-content that has two links to other pages. This is intended to get badly written scrapers caught in the honeypot so they scrape that instead of the protected website. I made it on a whim but thought it would be great for collecting data on how widespread this problem actually is.

This is a global problem

Based on the data I’ve seen, this is a global problem. If I had to guess where most of this traffic is coming from, it’s from compromised smart appliances contributing traffic to proxy networks. I don’t think there’s any way to make a real impact on this problem without concerted simultaneous global action.

TL;DR: the scraping problem is actually widespread enough that web application firewalls like Anubis make sense.


Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.

Tags:

⚡ **What’s your take?**
Share your thoughts in the comments below!

#️⃣ **#check #smart #appliances**

🕒 **Posted on**: 1784093534

🌟 **Want more?** Click here for more info! 🌟

By

Leave a Reply

Your email address will not be published. Required fields are marked *