Censys hack?

I use Cloudflare for a self-hosted website. I have only Cloudflare IPs allowlisted for incoming traffic at the router.

When I looked at the “Active Sessions” on my router, I saw that all of the source IPs are local LAN IPs except one. This one is

Source IP: 167.94.138.134:26297
Destination IP: MY PUBLIC WAN IP :4500
Protocol: UDP

That IP seems to belong to something called censys.

I assume this is a hack because in no universe should an external censys IP be listed as a SOURCE IP on my LAN right?

So then, what exactly are they trying to do here, how did they get into the network like this, and what can be done about it?

Censys is a threat intelligence company and scans the IP space as well as websites. They’ve just scanned past your public IP on UDP port 4500 which is one of the ports they check…


Well I certainly do not appreciate them doing that.

Though I am not sure on that. As stated, only cloudflare IPs are allowlisted on the incoming traffic side. So any incoming requests from 167.94.138.134 would be dropped.

The particularly concerning thing is that 167.94.138.134 shows as the SOURCE IP address. All other active sessions are ALWAYS my local LAN IP range. How is an EXTERNAL IP acting as the SOURCE IP on my LOCAL LAN?

A “scan” would be an external IP address (that’s blocked in this case) scanning as an incoming connection. This external IP is the SOURCE IP…

Put differently, traffic from my local area network (LAN) is coming from the external IP 167.94.138.134 and I don’t understand how that is even possible outside of spoofed IP or something installed on my server communicating out…

“Source” refers to where the packet came from, not the direction it’s travelling. The source was Censys, the destination was your router public IP. So incoming traffic.

On the router? Are you blocking UDP? The record is in the log so whatever you have configured, the packet arrived.

I wouldn’t worry about it. You can block the Censys IP ranges or ASNs if you don’t want these scans.

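The reply above makes two checks that are easy to automate: decide direction from the source address (a non-LAN source means inbound), and compare every inbound source against the allowlist to see whether a record in the session table contradicts the firewall policy. The script below is an added example, not code from the thread or from the router vendor. Its assumptions are labelled: the one-line record format is constructed to hold the three fields quoted in the post, the WAN address is the RFC 5737 documentation address 203.0.113.5, the Cloudflare ranges are a static snapshot of its published IPv4 list (fetch the live list from https://www.cloudflare.com/ips-v4 when you run this for real), and the scanner range 167.94.138.0/24 is assumed from the single address in the thread and should be checked against Censys’s own published ranges.

```python
"""Classify router "Active Sessions" records by direction and allowlist policy.

Added example for this thread; the record format, WAN address, range snapshots
and sample lines are all constructed and labelled as such below.
"""
import ipaddress
import re
from dataclasses import dataclass

# RFC 1918 private space; a source in here is "my LAN" for direction purposes.
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Static snapshot of some of Cloudflare's published IPv4 ranges (assumption:
# refresh from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "162.158.0.0/15", "198.41.128.0/17", "141.101.64.0/18", "108.162.192.0/18")]

# Assumed scanner range, built only from the address quoted in the thread;
# verify against Censys's published scanner list.
SCANNER_RANGES = [ipaddress.ip_network("167.94.138.0/24")]

# UDP ports worth naming on sight; 4500/udp is IPsec NAT-T (IKE/ESP over UDP 4500).
WELL_KNOWN_UDP = {500: "IKE (IPsec)", 4500: "IPsec NAT-T",
                  1194: "OpenVPN", 51820: "WireGuard"}

# Constructed one-line form of the three fields shown in the post.
SESSION_RE = re.compile(
    r"Source IP:\s*(?P<src>[\d.]+):(?P<sport>\d+)\s*\|\s*"
    r"Destination IP:\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*\|\s*"
    r"Protocol:\s*(?P<proto>\w+)")


@dataclass(frozen=True)
class Session:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_session(line: str) -> Session:
    m = SESSION_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised session record: {line!r}")
    return Session(ipaddress.ip_address(m["src"]), int(m["sport"]),
                   ipaddress.ip_address(m["dst"]), int(m["dport"]),
                   m["proto"].upper())


def in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def direction(s: Session, wan_ip) -> str:
    """'Source' is where the packet came from, not which way it is travelling."""
    src_lan, dst_lan = in_any(s.src, LAN_RANGES), in_any(s.dst, LAN_RANGES)
    if src_lan and dst_lan:
        return "lan-internal"
    if src_lan:
        return "outbound"
    if s.dst == wan_ip or dst_lan:
        return "inbound"
    return "transit"  # neither end is ours; should not appear on a home router


def classify(line: str, wan_ip) -> dict:
    s = parse_session(line)
    d = direction(s, wan_ip)
    finding = {
        "direction": d,
        "src": str(s.src),
        "dport": s.dport,
        "proto": s.proto,
        # Allowlist only matters for inbound traffic.
        "allowlisted": in_any(s.src, CLOUDFLARE_ALLOWLIST) if d == "inbound" else None,
        "known_scanner": in_any(s.src, SCANNER_RANGES),
        "service": WELL_KNOWN_UDP.get(s.dport) if s.proto == "UDP" else None,
    }
    # An inbound record from a non-allowlisted source means the packet reached
    # the session table despite the "Cloudflare only" rule: the policy did not hold.
    finding["policy_violation"] = d == "inbound" and not finding["allowlisted"]
    return finding


# Constructed sample records: the one from the thread, a normal LAN-originated
# session, and an inbound session from an allowlisted Cloudflare address.
WAN_IP = ipaddress.ip_address("203.0.113.5")
SAMPLE_LOG = [
    "Source IP: 167.94.138.134:26297 | Destination IP: 203.0.113.5:4500 | Protocol: UDP",
    "Source IP: 192.168.1.20:51234 | Destination IP: 104.16.1.1:443 | Protocol: TCP",
    "Source IP: 172.64.1.2:34567 | Destination IP: 203.0.113.5:443 | Protocol: TCP",
]


def audit(lines, wan_ip=WAN_IP) -> list:
    return [classify(line, wan_ip) for line in lines]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

The useful output is the `policy_violation` flag: if the allowlist really dropped everything else, no inbound record from a non-Cloudflare source should ever appear, so each one that does is evidence about the router’s filtering (or its logging), not about the scanner.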

Once again, I have everything incoming blocked on all ports, on all protocols on the router (origin server), besides these IPs → IP Ranges

Please stop suggesting to block IPs that are already blocked.

I called the router manufacturer and they said that on that screen there should only be local network IPs as the source, or VPN connections. VPN is not enabled, so they have escalated this to their security team to confirm there is 0 reason this censys IP would be a source IP. Given that port 4500 is IPsec VPN, it seems censys is bypassing the blocked IP by somehow intruding via IPsec VPN.

I have monitored that screen for the past while now and that censys IP is the only one that has ever shown in the source besides LAN IPs and there has been quite a bit of other incoming traffic of various sorts.

I personally believe that censys (backed by google $$) is a malicious hacker. Others are of course welcome to their views as well.

For now I have blocked all OUTGOING traffic besides my local LAN IP range, so that should prevent this until I can figure out what sneakiness they are pulling here to bypass the block. At least this hopefully sheds some light on their shady practices.

Censys certainly aren’t hacking into your network through your router, then making outbound connections, spoofing their own IP internally to get out to connect to your public IP.

More likely, your router burped and has logged a packet incorrectly or had some other issue which recorded or let through the packet.


Fair enough. Especially considering there are already 2 hotfixes for the router from security vulnerabilities I identified. Thank you for taking the time to help on this matter, I appreciate it.

