These connections are part of an Internet-wide research study being conducted by computer scientists at RWTH Aachen University. The research involves making benign connection attempts to every public IP address. By measuring the entire public address space, we are able to analyze global patterns and trends in protocol deployment and security as well as device configuration and security.
As part of this study, every public IP address receives a handful of packets per week. Depending on the protocol we're scanning, we select a specific port. On this port, we perform regular TCP connection attempts followed by specification-compliant handshakes with responsive hosts. If a handshake succeeds, we query for openly available information via a few requests. We never attempt to exploit security problems or change device configuration. We only receive data that is easily available to anyone who connects to a particular address and port.
We may send authentication requests using publicly known default credentials. We do not use valid credentials for anything other than confirming their validity. Currently, this only affects RabbitMQ. Please refer to the RabbitMQ manual for instructions on how to change credentials.
The data collected through these connections helps computer scientists study the deployment and configuration of network protocols and security technologies. For example, we use it to analyze usage of industrial control protocols and support their secure deployment. In some cases, we are able to detect vulnerable systems and report the problems to the system operators.
To have your host or network excluded from future scans conducted by RWTH Aachen University, please contact researchscan@comsys.rwth-aachen.de with your IP address or CIDR block. Alternatively, you can configure your firewall to drop traffic from the subnets we use for scanning: 137.226.113.0/26 and 2a00:8a60:1014:88::1/64.
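For operators who want to see how much of their inbound traffic comes from these ranges before deciding on a drop rule, the following added example (not code from RWTH Aachen University) matches log source addresses against the two published subnets. The iptables-LOG-style `SRC=` field and the sample log lines are constructed assumptions; only the two CIDR ranges come from this notice.

```python
import ipaddress
import re
from collections import Counter

# Ranges exactly as published in the notice above.
PUBLISHED_RANGES = ["137.226.113.0/26", "2a00:8a60:1014:88::1/64"]

# strict=False masks off host bits; the IPv6 entry is written with ::1 set,
# which strict CIDR parsers reject.
SCAN_NETS = [ipaddress.ip_network(r, strict=False) for r in PUBLISHED_RANGES]

SRC_FIELD = re.compile(r"\bSRC=(\S+)")  # assumed log field name


def normalized_ranges():
    """CIDR strings in canonical form, suitable for a firewall drop list."""
    return [str(net) for net in SCAN_NETS]


def is_scanner(addr):
    """True if addr falls inside one of the published scanner ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Dual-stack listeners may log IPv4 peers as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in SCAN_NETS)


def scanner_hits(log_text):
    """Count log lines per source address that match the scanner ranges."""
    sources = SRC_FIELD.findall(log_text)
    return Counter(src for src in sources if is_scanner(src))


# Constructed sample input; destinations are documentation addresses.
SAMPLE_LOG = """\
May  1 10:00:01 fw kernel: IN=eth0 SRC=137.226.113.12 DST=192.0.2.10 PROTO=TCP
May  1 10:00:02 fw kernel: IN=eth0 SRC=137.226.113.64 DST=192.0.2.10 PROTO=TCP
May  1 10:00:03 fw kernel: IN=eth0 SRC=2a00:8a60:1014:88::beef DST=2001:db8::10 PROTO=TCP
May  1 10:00:04 fw kernel: IN=eth0 SRC=::ffff:137.226.113.63 DST=2001:db8::10 PROTO=TCP
May  1 10:00:05 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP
"""

if __name__ == "__main__":
    print(normalized_ranges())
    for src, count in scanner_hits(SAMPLE_LOG).items():
        print(src, count)
```

Note that 137.226.113.64 is just outside the /26 and is correctly not attributed to the study.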