[signalblur]

Greynoise and others have shell companies and spin up exposed infra specifically to pick up scanning activity.

They have them all over the world to get attackers scanning only certain regions etc.

I should also note - I’m extremely skeptical of the OPs claims or inference that the attackers have potentially fingerprinted greynoises sensors. To suggest this while some traffic increased from specific ASN’s seems unlikely that this was the case.

If it’s not clear - this was written by a competitor of theirs.

[RupertSalt]

If you want a disinterested perspective from the Research & Education community, look to CAIDA, the Center for Applied Internet Data Analysis: https://www.caida.org/

Also I just found "Hawkeye" the author of TinyFugue, Ken Keys, employed here! Cool beans!

[ericpauley]

CAIDA is doubtless a gold standard. One thing to note, however, is that the same vantage point avoidance issue applies even more to publicly-documented vantage points. In fact, it was concerns specifically about adversarial avoidance of academic telescopes that led to our research at UW-Madison and eventually to Terrace.

When looking at telescope data like CAIDA’s UCSD-NT, it’s also important to remember that source IPs can be spoofed absent a valid handshake, something that both our and GreyNoise’s analysis accounts for.

[ericpauley]

We cannot know for certain what the root cause is. However, honeypot fingerprinting is a well-known risk for any vantage point, particularly a high-profile one.