You should probably check on your smart appliances

3 min read Original article ↗

Published on , 1008 words, 4 minutes to read

TL;DR: is your refrigerator running malware? If so, you better catch it!

The scraping problem is worse than anyone can imagine and thanks to my friends at Sourceware we have some real data to prove it.

I've been working more on Anubis' reputation database and I've run into a really weird discovery: 80-90% of the hits created by the honeypot feature are from IP addresses that do not belong to any existing threat monitoring lists.

Here's a breakdown of the honeypot hits Sourceware has gotten in the last few months:

Assessment of ./data/manually-submitted/sourceware/202607141625.txt against ./var/reputationdb.mmdb

In case this interests you, I have put the full tables in Appendix A: Full tables for the reputation database input.

FieldValue
lines read2678193
skipped (non-IP):0
skipped (dupe):0
unique IPs:2678193
flagged (in db):286161 (10.7%)
clean (not in):2392032 (89.3%)

Flags (of flagged addresses)

FlagUnique IPsShare
is_vpn12640.4%
is_datacenter79182.8%
is_crawler460.0%
is_proxy25620.9%

Categories (6 distinct, of flagged addresses)

CategoryUnique IPsShare
abuse28218298.6%
datacenter79182.8%
proxy25620.9%
vpn12640.4%
crawler460.0%
tor170.0%

Providers (126 distinct, of flagged addresses)

Mara is hacker

ProviderUnique IPsShare
netshield23794583.2%
bitwire9653933.7%
magicteamc264759.3%
ipinsights173786.1%
threathive84222.9%
netmountains66732.3%
multacom26760.9%
fyvri24330.9%
cbuijs19160.7%
x4bnet12630.4%
solispirit12590.4%
dailyproxy11820.4%
blackwall10730.4%
hproxy10670.4%
scaleway9220.3%
fdo7550.3%
datacamp7020.2%
ebrasha6860.2%
hideip6280.2%
datacentres4800.2%
komutan4630.2%
aws4310.2%
m2473600.1%
firehol-level13540.1%
vpslab3310.1%
alibaba-cloud3190.1%
proxyscrape2720.1%
ovhcloud2680.1%

(remainder snipped for brevity)

Countries (229 distinct, of all addresses)

CountryUnique IPsFlaggedRate
Brazil (BR)270937182826.7%
India (IN)185091124786.7%
Saudi Arabia (SA)12037235743.0%
Mexico (MX)9544970537.4%
Türkiye (TR)8725855596.4%
Argentina (AR)86463952211.0%
Pakistan (PK)852411708320.0%
Vietnam (VN)78967884811.2%
Morocco (MA)6920118052.6%
Philippines (PH)66128789911.9%
Venezuela (VE)646701378021.3%
Iraq (IQ)620471361321.9%
Chile (CL)6087845227.4%
Colombia (CO)59579704811.8%
Bangladesh (BD)592451773529.9%
France (FR)4978213392.7%
Tunisia (TN)48535579911.9%
Uruguay (UY)458884300.9%
South Africa (ZA)43919743116.9%
United States (US)4082833478.2%
Indonesia (ID)38119612216.1%
Canada (CA)3734223346.3%
Spain (ES)3600829448.2%
Algeria (DZ)351125371.5%
Ukraine (UA)32261892027.6%

This doesn't list data from 204 additional countries. Given that the ISO 3166-1 standard comprises 249 countries (193 of which are UN members), it's safe to say this is a global problem.

ASNs (21116 distinct, of all addresses)

ASNUnique IPsFlaggedRate
AS55836 Reliance Jio Infocomm Limited5702917493.1%
AS45899 VNPT Corp56910683112.0%
AS6057 Administracion Nacional de Telecomunicaciones436943390.8%
AS25019 Saudi Telecom Company JSC408006791.7%
AS24560 Bharti Airtel Ltd., Telemedia Services3595716204.5%
AS36903 Office National des Postes et Telecommunications ONPT (Maroc Telecom) / IAM355626681.9%
AS36947 Telecom Algeria331723861.2%
AS9121 Turk Telekom3274214654.5%
AS8151 UNINET320128562.7%
AS14593 Space Exploration Technologies Corporation31569459714.6%
AS9299 Philippine Long Distance Telephone Company2757316265.9%
AS39891 Saudi Telecom Company JSC259047943.1%
AS35819 Etihad Etisalat, a joint stock company244939784.0%
AS28573 Claro NXT Telecomunicacoes Ltda239038413.5%
AS8193 Uzbektelekom Joint Stock Company22611319114.1%
AS8452 IDDQD-AS223693641.6%
AS43766 Mobile Telecommunication Company Saudi Arabia Joint-Stock company220389684.4%
AS9541 Cyber Internet Services (Pvt) Ltd.21386369617.3%
AS37705 TOPNET200242221.1%
AS11664 Techtel LMDS Comunicaciones Interactivas S.A.180218834.9%
AS17072 TOTAL PLAY TELECOMUNICACIONES, S.A.P.I. DE C.V.1802111816.6%
AS22927 Telefonica de Argentina176722911.6%
AS13999 Mega Cable, S.A. de C.V.174106924.0%
AS36925 MEDITELECOM172593832.2%
AS47331 Turk Telekom17211260.2%

There are 18069 more ASNs not listed.

How Anubis' honeypot works

In order to collect data on how widespread the scraper problem is, I added a honeypot feature to Anubis. On every challenge page it adds semantically invalid HTML akin to the following:

<script type="ignore">
  <a href="/.within.website/x/cmd/anubis/api/honeypot/<uuidv4>/init">Don't click me</a>
</script>

Visiting that page gets you cheap to generate vacuous anti-content that has two links to other pages. This is intended to get badly written scrapers caught in the honeypot so they scrape that instead of the protected website. I made it on a whim but thought it would be great for collecting data on how widespread this problem actually is.

This is a global problem

Based on the data I've seen, this is a global problem. If I had to guess where most of this traffic is coming from, it's from compromised smart appliances contributing traffic to proxy networks. I don't think there's any way to make a real impact on this problem without concerted simultaneous global action.

TL;DR: the scraping problem is actually widespread enough that web application firewalls like Anubis make sense.


Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.

Tags:

Copyright 2012-2026 Xe Iaso. Any and all opinions listed here are my own and not representative of any of my employers, past, future, and/or present.

Served by xesite v4 (/app/bin/xesite) with site version 4a28bfc6 , source code available here.