Weird Log Record from researchscan1.eecs.berkeley.edu (169.229.3.91) - is this a hack attempt?

We're all being scanned by researchers at Berkeley.edu

Is this a hack attempt ?

This is a research scan performed by the University of California at Berkeley:

This is a research scanning machine from the University of California at Berkeley. This machine regularly conducts scans of the entire Internet so you may have been scanned as part of an ongoing research project.

The primary contact for this project is Bill Marczak (wrm at icsi dot berkeley dot edu) and the advisor for the project is Vern Paxson.

If you have been or are currently being scanned and would like to opt out, please email wrm at icsi dot berkeley dot edu with the IP ranges you would like to exclude in CIDR format.

If you have been or are currently receiving DNS requests, ICMP echoes, or TCP SYNs and would like to opt out, please email bjones99 at gatech dot edu with the IP ranges you would like to exclude in CIDR format.

Regarding your question, assuming the scanning machine is not compromised, then I don't think it's a hack attempt. It's probably just a check to see if you are hacked.

In many countries, conducting scans which attempt to hack random machines is illegal. An upstanding, well-known university would not be able to get away with breaking the law on such an epic scale.

You can opt-out of the scans if you like, or just block their scanners in your firewall. I've listed the additional scanner addresses at the end.


Legitimate uses for scanning

It's certainly possible that they're attempting to assess whether or not your machine is infected by a particular strain of malware. This is not the same as a hacking attempt. There are legitimate research reasons to know whether or not a machine is infected by some type of endemic malware.

When you read an article in the news which states how many computers worldwide are infected by certain types of malware, where do you think they get the numbers from? Scanners like these are one of the many different ways to obtain that data.


There are other scanners

Below is a list of the other addresses they use:

169.229.3.90 - researchscan0.eecs.berkeley.edu
169.229.3.91 - researchscan1.eecs.berkeley.edu
169.229.3.92 - researchscan2.eecs.berkeley.edu
169.229.3.93 - researchscan3.eecs.berkeley.edu
169.229.3.94 - researchscan4.eecs.berkeley.edu

Update with Response from Berkeley

I contacted the folks in charge, and this is their response:

We are performing a measurement study of a particular phenomenon on the Internet. To accurately assess the behavior we're performing a daily scan of the IPv4 space by sending a single benign packet to every IP on port 80 consisting of 64 random bytes of data. [...] No, we are not attempting to gain unauthorized access. [...] It's simply randomly generated data that conforms to a certain set of criteria.


Vern Paxson's 2015 paper is titled "Temporal Lensing and Its Application in Pulsing Denial-of-Service Attacks".

Abstract—We introduce temporal lensing: a technique that concentrates a relatively low-bandwidth flood into a short, high-bandwidth pulse. By leveraging existing DNS infrastructure, we experimentally explore lensing and the properties of the pulses it creates. We also empirically show how attackers can use lensing alone to achieve peak bandwidths more than an order of magnitude greater than their upload bandwidth. While formidable by itself in a pulsing DoS attack, attackers can also combine lensing with amplification to potentially produce pulses with peak bandwidths orders of magnitude larger than their own

Make of that whatever you like; his research is clearly in the offensive part of the spectrum. If anyone's bothered enough, please feel free to contact Berkeley's Compliance, Accountability, Risk and Ethics (CARE) Committee at [email protected] or via https://compliance.berkeley.edu/contact

Antony McKnight, Compliance Officer

[email protected]

Office of Ethics, Risk and Compliance Services

Office of the Chancellor

Please note that this answer is deliberately made community wiki since it contains ancillary information that cannot be put into a comment. Mark Buffalo was the first to find out the nature of the scan, and IMHO should have his answer upvoted & accepted.

Update: his funders are, ahem, interesting

https://dx.doi.org/10.1145/2766330.2766335 : NSF (CNS-1111672) | DHS/ARL (W911NF-05-C-0013)

https://dx.doi.org/10.1145/2815675.2815690 : NSF (1223717, 1518918, 1540066, 1518882)

https://dx.doi.org/10.1145/2742647.2742675 : NSF (1213157, 1111672, 1237265)

https://dx.doi.org/10.1145/2785989.2786002 : DHS (N66001-12-C-0128), NSF (CNS-1111672,CNS-1237265,CNS-1213157)

From the looks of it this research is DHS-funded, so don't hold your breath while waiting for Berkeley Compliance & Ethics team to kick in.

Current grant he's on seems to be "II-New: Enabling Security Analysis at Scale"

This project will provide the computing equipment through an infrastructure grant that will enable greater capability for analysis of empirical social and economic phenomena, mediated in cyberspace such as, for example, massive online social networks, malicious web content, and underground cybercrime markets. The popular online sites like Facebook and Twitter connect literally billions of people; however, entirely new threats to such sites have emerged driven by cybercrime. In the absence of effective defenses, online social ecosystems today suffer. The empirical study of these threats and mitigating strategies in today's enormous web infrastructure requires a highly scalable and capable cyber infrastructure. Better understanding these complex cyber ecosystems, made possible through this equipment grant, will lead to new insights for making cyberspace safer.

If you ask me, this abstract smells utter BS. Scanning the entire Internet with crafted packets != making cyberspace safer.
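The answer above suggests checking your logs for these scanner addresses and, if you prefer, blocking them in your firewall. As an added example (not code from the original post or from the Berkeley project), the Python script below parses web server log lines, separates hits from the five researchscan addresses listed above from everything else, and emits an iptables rule for each scanner address actually seen. The Combined Log Format layout is assumed, the log lines are constructed samples rather than real captures, and the note that a non-HTTP payload of 64 random bytes usually shows up as a 400 with a "-" or escaped-garbage request field is an assumption about typical server behaviour, not something the post states.

```python
"""Flag hits from the UC Berkeley research scanners in a web server log.

Added example, not from the original post. The scanner addresses are the
five listed in the answer (169.229.3.90-94); the log lines below are
constructed, not real captures, and the Combined Log Format layout is
an assumption.
"""
import ipaddress
import re
from collections import Counter

# The addresses listed in the answer.
RESEARCH_SCANNERS = {
    "169.229.3.90": "researchscan0.eecs.berkeley.edu",
    "169.229.3.91": "researchscan1.eecs.berkeley.edu",
    "169.229.3.92": "researchscan2.eecs.berkeley.edu",
    "169.229.3.93": "researchscan3.eecs.berkeley.edu",
    "169.229.3.94": "researchscan4.eecs.berkeley.edu",
}

# Apache/nginx Combined Log Format (assumed layout). A packet of 64 random
# bytes is not valid HTTP, so a server will typically log it with a 400
# status and a request field of "-" or escaped bytes; the regex accepts both.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one log line; return a dict of fields, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["ip"])  # reject junk in the client field
    except ValueError:
        return None
    return rec


def classify(lines):
    """Return (scanner_hits, other_hits): per-IP Counters of parsed lines."""
    scanner_hits = Counter()
    other_hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ip"] in RESEARCH_SCANNERS:
            scanner_hits[rec["ip"]] += 1
        else:
            other_hits[rec["ip"]] += 1
    return scanner_hits, other_hits


def block_rules(scanner_hits):
    """iptables DROP rules for the scanner addresses actually observed."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(scanner_hits)]


# Constructed sample: two scanner hits, one unparseable line, one ordinary client.
SAMPLE_LOG = [
    '169.229.3.91 - - [10/Oct/2015:03:14:07 +0000] "-" 400 0 "-" "-"',
    '169.229.3.93 - - [10/Oct/2015:03:14:09 +0000] "\\x8a\\x1f\\x00" 400 0 "-" "-"',
    'garbage line that does not parse',
    '203.0.113.7 - - [10/Oct/2015:03:15:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.43"',
]

if __name__ == "__main__":
    hits, others = classify(SAMPLE_LOG)
    for ip, n in hits.items():
        print(f"{ip} ({RESEARCH_SCANNERS[ip]}): {n} hit(s)")
    print(f"{sum(others.values())} hit(s) from other clients")
    print("\n".join(block_rules(hits)))
```

Matching on a fixed list of addresses is only as good as the list; if the scanners move to new addresses the rules stop matching, so treat the list as a starting point and re-check reverse DNS for new sources that show the same daily single-packet pattern.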

Tags:

Log Analysis