When Shodan launched, people freaked out. “How dare you scan my device connected to the public internet,” freaker-outers griped. Yet Shodan is a benign scanner and useful for many defensive tasks. (Maybe don’t connect those devices to the internet? Just sayin’.)
Shodan is by no means the only scanner sweeping the entire IPv4 address space, all 4.2 (and a bit) billion of ’em. So do Censys, Sonar and ShadowServer. Like Shodan, they scan noisily from fixed IP subnets and announce their intentions.
Benign scanners make up less than a fraction of 1 percent of all internet scanners, however, according to Andrew Morris at GreyNoise. Of the rest, 10 to 20 percent are known malicious — Mirai botnet, anyone? — and in search of vulnerable devices to compromise. The rest are, well, “grey noise.”
Are the scanners in your logs in search of an opportunistic target? Or are they scanning your organization specifically as recon for an attack? To answer this question, Morris launched GreyNoise.