WiFi routers are under a constant barrage: who scans them 6,000 times a day?


Imagine strangers knocking on your door, tapping on windows, rattling on the roof, and scraping against walls continuously. This is akin to what an internet router experiences. My router, as well as yours, is being probed from outside around 6,000 times a day.

Like many home internet users, I was unaware of thousands of unsolicited attempts to connect to my internet router every day. Basic router firewalls do not log this activity and drop any connection attempts silently. Unless they don’t and hackers get in.

Only after testing the router with the prosumer pfSense firewall installed did I notice logs accumulating very quickly. Every minute, there are at least a few port scanning attempts. Think of ports as virtual places that help computers sort the network traffic. Some port numbers are used for regular web packets, some for mail, etc.

Like all casual users, I have no ports exposed and no running services on my network. Not even a static IP address.

Yet I still receive this bombardment of requests, which is considered “network noise”: probes poking for any potential vulnerability. These probes are produced by hackers, security researchers, or network mapping tools used by both.

Should you care? Yes, especially if your router is old and vulnerable.

What’s going on?

Oren Koren, co-founder and CPO of Veriti, explains that many of the probes come from automation tools like Shodan and Censys, which constantly scan the entire internet and index any exposed ports, connected devices, or systems they find.

Other probes can be a lot more sinister.

“Attackers can probe from the outside and are trying to do it. But every few hours, those vendors scan the entire internet to map exposed assets, the active vulnerabilities they have, and other metrics,” Koren said.

He divided all scans coming from the internet into four pillars as follows:

  • Mapping tools: Shodan and Censys are the leaders in this area. They sell services to access mapped network data, which attackers leverage for reconnaissance.
  • Targeted attacks: If the IP is targeted, hackers scan it repeatedly from outside to locate a security gap and leverage it for external access to the network.
  • “Spray and pray” attacks: Both resourceful attackers and “script kiddies” will scan every network they can to find a way in and steal. They don't care what’s on the other side.
  • Organizational tools: Security researchers, incident response teams, and Security Operations Center teams use various tools to understand threats and exposures. They scan the network in parallel to commercial tools.

Should you be worried about your router being scanned?

“Everyone should be concerned about port scanning, but most modern firewalls, including home-use firewalls, have default settings that prevent low-level attacks,” said Rob Allen, Chief Product Officer at ThreatLocker.

“Threat actors probe for vulnerable ports, like Remote Desktop Protocol (RDP), across a wide range of IPs. The reason they scan for these ports is to leverage them for attacks, especially if they have access to leaked credentials or are exploiting unpatched devices.”

Attackers previously exploited device vulnerabilities to access devices without any authentication by sending specially crafted HTTP requests.

“These probes can absolutely affect unpatched or unsupported routers, as we saw with CVE-2018-13379, which affected unpatched FortiGate devices – a vulnerability from 2018 that was still being leveraged well into 2023,” Allen said.

While many modern routers and firewalls have security features to detect port scanning, once in a while, newly discovered zero-days or other vulnerabilities may lead to a compromise.

Can this affect my internet speed?

Common network noise minimally impacts an internet router's performance – it can handle many more requests than a few per minute. In theory, attackers could also launch denial of service (DoS) attacks.

“It only becomes troubling based on the volume. Think of it like a traffic jam – unless your ISP stops these attacks upstream before they reach your firewall, there’s not much you can do, as it’s saturating your bandwidth,” Allen explains.

However, home users are rarely targeted by a denial of service (DoS) attack that could have an impact.

“A home user is not a target by design due to the fact that they can change their IP and move on in their life. Also, the attacker will need to pay for the DoS service, and it is a waste of time to attack a home user,” Koren added.

Is the situation getting worse?

Yes. According to the F5 Labs report, last year saw a 94% increase in total network scanning activity. Part of this is explained by newly discovered critical vulnerabilities, such as those affecting TP-Link Archer AX21 devices, which enable attackers to inject commands and run them as root with a simple POST request.

Botnets are constantly on the hunt for new vulnerable routers, and vulnerability exploit attempts dominate router scanning.

“We think it’s fair to say that this indicates a notable change, and everyone should expect to see more web scanning in the future, as this trend does not seem to be on track to abate any time soon, with 2025 data showing a continuing high level of activity,” F5 Labs said.

Experts warn that higher-value targets experience more probes.

“Based on Veriti research, for 1K organization size, the organization will be scanned 40 million times a month,” Koren said.

And the scanning tools will come back constantly.

“Maybe today all of the ports are closed, but tomorrow, maybe someone will make a mistake – they are looking for it,” Koren added.

Even a single open port on a router can significantly increase outside interest in a publicly exposed IP address.

“There’s a good chance that, regardless of whether you have exposed ports or not, your IP range could be subject to port scanning,” Allen from ThreatLocker said.

Scans can come from any country and the scanning infrastructure is primarily located on hosting providers.

What can you do against port scanning?

Not much.

Users should always make sure that their firewalls are enabled and drop any requests from the network. All network equipment software and firmware should be kept up to date. Regular updates, proper configuration, and monitoring are the key things that keep attackers out of your network.

“Ultimately, unless your ISP is blocking probe attempts, there’s not much you can do to stop them from happening. The best defense is ensuring that unwanted traffic is being denied,” Allen explains.

“Seeing a lot of denials or dropped connections in a short period is usually a good indicator. Depending on the device, the logs might indicate the country from which the attack originated, which can also be a useful clue.”
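The indicator described above, many denials from one source in a short period, can be checked against firewall logs with a sliding window. This is an added example, not code from the article or from pfSense; the four-field log layout, the sample lines and the name `find_scanners` are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed layout: "timestamp action source-IP dest-port".
# This is NOT pfSense's native log format; adapt the parsing to your firewall.
SAMPLE_LOG = """\
2025-01-10T12:00:01 block 203.0.113.7 22
2025-01-10T12:00:02 block 203.0.113.7 23
2025-01-10T12:00:02 block 198.51.100.20 23
2025-01-10T12:00:03 block 203.0.113.7 80
2025-01-10T12:00:04 block 203.0.113.7 443
2025-01-10T12:00:05 block 203.0.113.7 3389
2025-01-10T12:00:06 block 203.0.113.7 8080
2025-01-10T12:00:30 block 198.51.100.20 23
2025-01-10T12:01:00 pass 192.0.2.55 443
2025-01-10T12:02:00 block 192.0.2.55 22
2025-01-10T12:05:00 block 192.0.2.55 23
2025-01-10T12:08:00 block 192.0.2.55 80
2025-01-10T12:11:00 block 192.0.2.55 443
2025-01-10T12:14:00 block 192.0.2.55 3389
truncated line
"""

def find_scanners(log_text, window=timedelta(seconds=60), min_ports=5):
    """Map each source IP to the most distinct blocked ports it hit inside
    any one window, keeping sources that reach min_ports.
    Assumes the log lines are in chronological order."""
    recent = defaultdict(deque)  # source IP -> (time, port) entries still in window
    peak = defaultdict(int)      # source IP -> highest distinct-port count seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "block":
            continue             # skip allowed traffic and malformed lines
        try:
            ts, port = datetime.fromisoformat(parts[0]), int(parts[3])
        except ValueError:
            continue
        src = parts[2]
        hits = recent[src]
        hits.append((ts, port))
        while ts - hits[0][0] > window:
            hits.popleft()       # expire entries older than the window
        peak[src] = max(peak[src], len({p for _, p in hits}))
    return {src: n for src, n in peak.items() if n >= min_ports}

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

With the default 60-second window only the fast sweep is reported; a source that spaces its probes minutes apart shows up only when the window is widened, which is the trade-off to tune against your own log volume.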

Koren assures that “in all cases, you need to drop all connections” unless you are running a certain service, such as a website or email server. Koren noticed that even organizations often do not block probing at all.

“The security vendors don't have the ability to map an IP as a scanner. They are looking at the traffic patterns and not IP reputation,” Koren observed.

For larger organizations, “honeypot” networks may also be useful to observe how attackers proceed.