2024-09-23 03:27:21.227 1 => <31:CensysIO(-1)> Authenticated
2024-09-23 03:27:21.344 1 => <31:CensysIO(-1)> Connection closed: The TLS/SSL connection has been closed [1]
How far does Censys actively probe services to where it is more invasive than necessary?
They explain their scanning on a support page which can be read in full here
You can also read about how to opt out of their scanning here
I have included part of their Scanning Support page below that may be most relevant to your question
How Does Censys Scan?
Censys includes multiple global perspectives and sophisticated scanning techniques to produce the richest, most useful data set for the security community.
Global Scanning Perspectives
Censys peers with and scans from 5 Tier-1 ISPs (NTT, Tata, Hurricane Electric, Telia, Orange) to produce nearly 99% coverage of listening hosts across the globe with enhanced protection against packet drop.
The ISP that Censys scanned any given service from is recorded in the services.perspective field.
Deep Protocol Scans
On ports with IANA-assigned protocols, Censys tries to complete a handshake with the assigned protocol (for example, Telnet on port 23). If that fails, we try additional handshakes based on our experience with protocol and port pairings.
On ports without an assigned service, we start by sending an HTTP request and try to automatically detect the protocol based on the response.
Predictive Scanning
Predictive scanning provides coverage of 65k ports across all possible IP and port combinations. Predictive scanning enhances the Censys Internet Map. With Predictive scanning, security teams have better visibility into all 65k ports, enabling faster detection of services. Predictive Scanning adds over 107M new services to the nearly 3 billion global Internet services that Censys continuously monitors.
Predictive scanning accounts for over 40% of all services Censys finds on the Internet today.
Predictive scanning typically discovers services such as:
- Services from Internet of Things (IoT), which businesses are leveraging for growth but also present high risk due to lagging security standards.
- Autonomous Systems only running services on non-standard ports that attackers might use to host malicious infrastructure and hide from scanners.
- A massive proliferation of newer services by vendors like online portals, data analysis tools, and business productivity enhancers. These services are especially popular in hybrid and remote environments that are typically run on high, non-standard ports.
Automatic Protocol Detection
The Censys scanner analyzes every server response to identify its service, even if it’s non-standard for the port, allowing us to uncover the vast majority of services in unexpected places.
For example, if an HTTP request results in an SSH banner, Censys closes the HTTP connection and reattempts an SSH handshake.
Censys can detect 25 protocols on any port. They are indicated in the list below with a (1).
Lightweight Protocol Scans
Some protocols do not have a lot of data to parse and index.
Censys identifies 47 lightweight services and collects a banner. They are indicated in the list below with a (2).
source: Censys-Internet-Scanning-Introduction
What’s interesting is they’re doing a full connection with a client now that can get a list of channels and list of users on the server talking to each other and their state (muted/deafened).
Okay, but if you run something on the open internet, you must be prepared for that to happen. If you are concerned, follow their opt-out guide: https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Data-Collection
To me this is a non-issue.
Yeah, it’s not an issue, just interesting because it’s unexpected.
Similarly to other well-intentioned internet-wide scanning operators like Shodan or LeakIX or ZoomEye, for an internet-wide scanning service that is as well established as Censys is, it seems like this would be expected behaviour, I think.
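A defender-side check for the behaviour discussed in this thread, added here as an example and not code from any poster or from Censys: it scans server log lines in the shape of the excerpt at the top of the thread and reports sessions that authenticate and disconnect within a few seconds, which is the pattern the scanner left. It assumes the excerpt is Murmur (Mumble server) log output and that a user ID of -1 marks an unregistered user; the function name, the 5-second threshold and the `alice` lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Line shape taken from the excerpt in the thread:
#   2024-09-23 03:27:21.227 1 => <31:CensysIO(-1)> Authenticated
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<server>\d+) => "
    r"<(?P<session>\d+):(?P<user>[^>]*)\((?P<uid>-?\d+)\)> (?P<msg>.*)"
)

def find_brief_sessions(lines, max_duration=timedelta(seconds=5)):
    """Return sessions that authenticated and then closed within max_duration."""
    opened = {}  # (server id, session id) -> (auth time, user name, user id)
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-session line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        key = (m["server"], m["session"])
        if m["msg"].startswith("Authenticated"):
            opened[key] = (ts, m["user"], int(m["uid"]))
        elif m["msg"].startswith("Connection closed") and key in opened:
            start, user, uid = opened.pop(key)
            if ts - start <= max_duration:
                hits.append({
                    "user": user,
                    "registered": uid >= 0,  # assumption: -1 = unregistered
                    "session": int(m["session"]),
                    "duration_ms": (ts - start) // timedelta(milliseconds=1),
                })
    return hits

CLOSED = "Connection closed: The TLS/SSL connection has been closed [1]"
SAMPLE_LOG = [
    # Constructed: a normal user who stays connected for 25 minutes.
    "2024-09-23 03:20:00.000 1 => <30:alice(4)> Authenticated",
    # The two entries quoted in the thread.
    "2024-09-23 03:27:21.227 1 => <31:CensysIO(-1)> Authenticated",
    "2024-09-23 03:27:21.344 1 => <31:CensysIO(-1)> " + CLOSED,
    "2024-09-23 03:45:10.500 1 => <30:alice(4)> " + CLOSED,
]

if __name__ == "__main__":
    for hit in find_brief_sessions(SAMPLE_LOG):
        print(hit)
```

Sessions flagged this way can be reviewed alongside the server's access settings, or the source can be excluded through the opt-out guide linked earlier in the thread.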