Portscanning from 1.1.1.1

Is the 1.1.1.1 address used by Cloudflare to do internet portscanning, e.g. looking for open telnet services?
Or is any such traffic to be considered as spoofed source address?

That would either be spoofed or from a local hardware device that’s improperly using 1.1.1.1 for an IP address.

3 Likes

It is incoming traffic like this:
Capturing on ‘eth0’
1 19:41:30.010145 1.1.1.1 -> x.x.x.xTCP 60 23230→8080 [SYN] Seq=0 Win=14600 Len=0
2 19:41:30.010202 x.x.x.x -> 1.1.1.1 ICMP 82 Destination unreachable (Communication administratively filtered)
3 19:49:24.021127 1.1.1.1 -> x.x.x.x TCP 60 48297→23 [SYN] Seq=0 Win=14600 Len=0
4 19:49:24.021155 x.x.x.x -> 1.1.1.1 ICMP 82 Destination unreachable (Communication administratively filtered)

Quite low volume but present all day.

In which environment does this server run? Do the requests come from the MAC address of your gateway?

1 Like

It is running in a datacenter. Yes, the traffic comes from internet. There are no local machines on the port that eth0 is connected to.

What precisely do you mean by that? What is the network topology in this particular case?

There is a VLAN in the datacenter running to a router in the ISP area where this machine is connected.
So it is not another system locally who is sending those probes. It is someone on the internet.
It is either the real 1.1.1.1 or it is someone spoofing to be that.
However, I think that is unlikely, because they would not receive back the replies so there is no real point in doing that.
There are so many “research” and “information” systems all over the internet that are portscanning all the time, that it is not at all unusual.
However, my question is if Cloudflare is also running such an operation, for whatever reason.

No we are not.

4 Likes

Ok, thanks. It must be an imposter.

2 Likes

I saw the same imposter scanning me a year ago:

https://twitter.com/danspils/status/982584548956491776