SMB Scans

Why am I receiving connection attempts on port 445 (SMB) of the

Technical University of Munich?

The Chair of IT Security and the Chair of Networking Architecture and Services is currently doing research on the spread of SMB Honeypots on the public Internet. In order to perform this research, every public IP address receives a connection attempt on port 445. If your host is responsive, we will send you a handful of packets. We tested the impact of these packets on various implementations of the SMB protocol (Windows and Linux) prior scan and consider them harmless to your system.

We never attempt to abuse security vulnerabilities on your system, guess for passwords or upload files to your systems.

We may collect information about your service running on port 445 as far they are publicly visible to everybody else on the Internet. Our connection attempt may be appear as a login attempt in some logs, however we do not attempt to actually gain access to your system.

Why are we collecting this data?

We hope that the data, we are collecting, helps us to understand the interactions between attackers and defenders on the Internet better. We are an academic institution and will try to publish all our findings to a wider audience. However, we will never publish parts of our dataset which clearly identifies you or your company. In the end, we hope that our research enables people to defend their computer networks better.

I do not want to be part of our research. How can I opt out?

You can just block connection attempts from our scanning system (IPv4: 138.246.253.8, IPv6: 2001:4ca0:108:42::8) or send us an e-mail and we will add you and your network to our blacklist.

Contact

If you have further questions about our research, please contact us at smb-scan@sec.in.tum.de.