Port scan from another DO address

March 22, 2016 621 views
Firewall DigitalOcean Arch Linux Debian Ubuntu

I am running a Debian droplet and I have shorewall installed. I block all ports except the ones I need. I use logwatch to keep an eye on my logs for any suspicious activity. I noticed a TCP SYN scan to what appears to be every port from 1 to 65535. When I did a whois on the offending IPv4 address, the net block is assigned to DigitalOcean. Is this worth creating a trouble ticket for? I use non-standard ports for services like ssh and of course this scan has revealed these ports to someone. Does DO care that one of their addresses is involved in a port scan like this? This appears to be the only time this address has appeared in my logs for the past month or so.

Thanks for any comments.


2 Answers

The port scan you saw in your logs was a part of a project right here at DO. I'll do my best to explain a bit more.
These scans should have little to no impact on your droplets -- They are simple port scans, as we do not wish to set off any alarms or be an inconvenience. If anything, we are trying our best to help provide a better experience for our customers going forward.

Our team set up a few port scans and we've been working with this data to see how we can be more proactive about helping our customers avoid having their droplets compromised. I apologize if this scan appeared to be malicious in any way. That certainly was not our intent. We'll be talking internally about how we can be more transparent about this as we move forward. Do you have any suggestions on steps we could take to make this more clear to you? Additionally, please let us know if you would like us to opt you out of this scan, and/or if you would like more information on this project.

  • Nick

    I applaud you and the staff at DO on taking this proactive effort in protecting your clients and your network infrastructure. I brought this up because it was an unusual scan and I thought that some client had been compromised or worse. It didn't seem like an event that deserved a trouble ticket. I didn't want to burden your staff with this question... that's why I thought I would use this forum first.

    I take network security very seriously. If you looked at the data returned by your scan of my DO IP you should only see a few ports open. The rest are blocked by shorewall's policy to drop all connections except those allowed by rules. I moved ssh to another port just to keep from being banged with false login attempts. This port and others I have also semi-protected with fail2ban ... which as you may know is a real-time log scanner with the ability to block IPs that are attempting malicious acts. In my view this would be the minimum a client should do to protect their droplets. This is a Linux/Unix point of view. I consider Windows a virus and stay away from it as much as possible.

    I don't need to be opted out of your project scans. I do think that a warning that you were doing this would be nice to get. Just like you warn of possible downtime due to network equipment updates. I can also see that you might be warning possible malicious clients of your investigations and have them suspend their malicious deeds until they think you are not looking. I would like to be kept up on your project's findings just to keep my amateur network security interests piqued. I am an avid listener to Steve Gibson's Security Now podcast and would recommend it to you and your network staff just to keep up with the latest security news.
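Added example, not code from this thread or from DigitalOcean: a small Python detector that groups the dropped SYN probes Shorewall writes to the kernel log by source address and flags any source that has hit many distinct destination ports, which is the full-range sweep the question describes and the kind of pattern a real-time log scanner such as fail2ban acts on. The `Shorewall:net2fw:DROP:` prefix, the sample addresses and the log lines are constructed for the example; the `SRC=`/`DST=`/`PROTO=`/`DPT=` fields are the standard netfilter log fields.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Standard netfilter log fields; the surrounding Shorewall prefix is assumed.
FIELD_RE = re.compile(r"(?P<key>SRC|DST|PROTO|DPT)=(?P<val>\S*)")


def parse_drop_line(line: str) -> Optional[Tuple[str, str, str, int, bool]]:
    """Return (src, dst, proto, dport, syn_only) for a DROP log line, else None."""
    if "DROP" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    # A SYN-scan probe shows the SYN flag without ACK in the kernel log entry.
    syn_only = " SYN " in line and " ACK " not in line
    return fields["SRC"], fields.get("DST", "?"), fields.get("PROTO", "?"), int(fields["DPT"]), syn_only


def detect_port_scans(lines: List[str], min_ports: int = 20) -> Dict[str, dict]:
    """Collect dropped TCP SYN probes per source; flag sources hitting >= min_ports distinct ports."""
    ports_by_src: Dict[str, set] = defaultdict(set)
    for line in lines:
        parsed = parse_drop_line(line)
        if parsed and parsed[2] == "TCP" and parsed[4]:
            ports_by_src[parsed[0]].add(parsed[3])
    scans = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= min_ports:
            scans[src] = {"distinct_ports": len(ports), "low": min(ports), "high": max(ports)}
    return scans


def sample_log() -> List[str]:
    """Constructed lines in the shape of Shorewall/netfilter kernel log entries."""
    tmpl = ("Mar 22 10:15:{sec:02d} droplet kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= "
            "SRC={src} DST=198.51.100.7 PROTO=TCP SPT=54321 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")
    # One source sweeping ports 1..40 with bare SYNs (scan), plus two non-scan entries.
    lines = [tmpl.format(sec=i % 60, src="203.0.113.5", dpt=p, flags="SYN") for i, p in enumerate(range(1, 41))]
    lines.append(tmpl.format(sec=41, src="198.51.100.23", dpt=23, flags="SYN"))  # single probe, not a scan
    lines.append(tmpl.format(sec=42, src="192.0.2.9", dpt=443, flags="ACK"))     # stray ACK, not a SYN probe
    return lines


if __name__ == "__main__":
    for src, info in detect_port_scans(sample_log()).items():
        print(f"{src}: {info['distinct_ports']} distinct ports ({info['low']}-{info['high']})")
```

Run it against `/var/log/kern.log` (or wherever Shorewall logs) by reading the file into a list of lines; raising `min_ports` reduces false positives from ordinary noise such as a few stray probes.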



There's nothing dangerous about a scan. You have been scanned already many times.

If you want to report abuse, you should use as indicated in the WHOIS information for the IP address blocks.

By the way, this is why changing the default port of services like SSH is absolutely useless.
