I don't quite understand what this means: "out of the nearly 5 million banners in Shodan for Vietnam 1.5 million of them resolve to localhost." "there are a total of 1,528,188 banners in Shodan that resolve to localhost".
I can gather that this is the company Shodan, and that they make reports regarding internet connected devices, but what is a 'banner' in this instance?
or, more accurately, `SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1`, which is the first thing a particular SSH daemon will send on receiving a connection from a client
Ah I've heard these referred to as 'login banners' or '<service name> banners' before. Thanks!
One wouldn't normally 'resolve a banner' though, since it might contain the version of a service used, and other information other than what a Unix `hostname` command would return. You'd resolve the hostname mentioned in the banner.
Shodan is a search engine for internet-connected devices. "Banners" in this context are "service banners", the metadata servers send about themselves to clients.
A banner is the result of Shodan crawling a service/port on an IP. For example, an HTTP banner would be the HTTP header that gets returned from a website, à la:
HTTP/1.1 200 OK
Server: Apache
...
The banner includes metadata about the service/software that is running on the device.
DNS works both ways. It has pointer (PTR) records which allow you to associate an IP address you control with a domain name. Those are the opposite of an address record (A) with which you associate a domain name you control with an IP address.
For Google.com, I can get an A record (IP address)
Google uses a service domain 1e100.net for their machines.
Although maybe OP only means the hostname in the banner message. I grepped my mail logs for hostnames from Vietnam and couldn't find any IPs that would resolve back to localhost.
When an ISP gets an IP allocation, they specify the nameservers to use, and are responsible for that "subdomain" of the in-addr.arpa domain. If you trace the full resolve, it first goes to the root .in-addr.arpa servers, then arin.net nameserver, then finally you end up at:
;; AUTHORITY SECTION:
208.58.216.in-addr.arpa. 86400 IN NS ns3.google.com.
The OP article probably means rDNS lookup, where IP is resolved to DNS name. For consumer IPs it would look something like 12-23-45-234.gw123.vietnamtelecom.net.
Edit: which usually gives a better idea of the host's origin than raw IP.
Can someone explain how this link has made it to number one on the front page, when it seems from the comments that no one understands what the page is saying?
Based on some very rough sampling, a significant majority of the addresses allocated to VDC in the 123.16/16 network reverse resolve to localhost. This appears to be intended behavior, and accounts for ~70% of the numbers in the Shodan report.
In fact, if you go through the list of networks advertised by AS45899 [1], I imagine that you'd find this is the case for quite a few of them. A quick look indicates this to be true.
I don't know what they are referring to. I noticed that Vietnam Posts and Telecommunications Group owns 123.30.128.0/18 and 203.162.0.0/23 and a lot of IPs from those subnets have a PTR record of static.vdc.vn.
However, static.vdc.vn resolves to 203.162.0.78, not 127.0.0.1
There is another large network, 113.160.0.0/113.191.255.255 that seems to have PTR records of static.vnpt-hanoi.com.vn for all IPs, however that hostname has no A/AAAA record.
Pretty sloppy.
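The two checks the commenters above did by hand, the in-addr.arpa delegation trace and the "does the PTR name resolve back to this IP" comparison, as an added example (not code from the thread or from Shodan). It builds the PTR owner name and the delegated zone for a prefix with the standard library's `ipaddress` module, and runs a forward-confirmed reverse DNS (FCrDNS) classification that separates the cases named in the thread: PTR is `localhost`, PTR name has no A/AAAA (the static.vnpt-hanoi.com.vn case), PTR name resolves but to a different address (the static.vdc.vn case), or the forward record points back at the IP. The `FAKE_PTR`/`FAKE_A` tables are a constructed offline stand-in modelled on what the commenters reported; they are not live lookup results, and the function and field names (`classify`, `ptr_zone`, `summarize`, verdict strings) are this example's own. Swap in `system_reverse`/`system_forward` to run it against the real resolver.

```python
"""Reverse DNS and forward-confirmed reverse DNS (FCrDNS) checks.

Added example, not code from the thread. The lookup table below is constructed
to mirror what the commenters reported, not the result of live queries.
"""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def reverse_name(ip: str) -> str:
    """PTR owner name for an address: reversed octets under in-addr.arpa
    (reversed nibbles under ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_zone(cidr: str) -> str:
    """The in-addr.arpa zone an octet-aligned IPv4 prefix is delegated as, e.g.
    216.58.208.0/24 -> 208.58.216.in-addr.arpa (the NS record quoted above).
    Non-octet-aligned prefixes use RFC 2317 classless delegation and are rejected."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8 != 0 or net.prefixlen == 0:
        raise ValueError("only octet-aligned IPv4 prefixes (/8, /16, /24) map to one zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> List[str]:
    """A/AAAA lookup through the system resolver; empty when the name does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def classify(ip: str, reverse: ReverseFn = system_reverse,
             forward: ForwardFn = system_forward) -> Dict[str, object]:
    """FCrDNS verdict for one address (verdict strings are this example's own)."""
    ptr = reverse(ip)
    forward_ips: List[str] = []
    if ptr is None:
        verdict = "no-ptr"
    elif ptr.rstrip(".").lower() in LOOPBACK_NAMES:
        verdict = "ptr-is-localhost"       # the 123.16/16 case: PTR says localhost
    else:
        forward_ips = forward(ptr)
        if not forward_ips:
            verdict = "ptr-dangling"       # PTR name with no A/AAAA at all
        elif ip in forward_ips:
            verdict = "fcrdns-ok"          # forward record points back at the IP
        else:
            verdict = "fcrdns-mismatch"    # shared PTR name resolving elsewhere
    return {"ip": ip, "ptr": ptr, "forward": forward_ips, "verdict": verdict}


def summarize(ips: Iterable[str], reverse: ReverseFn = system_reverse,
              forward: ForwardFn = system_forward) -> Dict[str, int]:
    """Count verdicts over a sample, the rough tally the commenters did by hand."""
    return dict(Counter(classify(ip, reverse, forward)["verdict"] for ip in ips))


# Constructed offline resolver modelled on the observations in the thread (not live data).
FAKE_PTR: Dict[str, Optional[str]] = {
    "123.16.5.7": "localhost",                   # VDC 123.16/16: PTR is localhost
    "123.30.128.10": "static.vdc.vn",            # shared PTR, forward goes elsewhere
    "203.162.0.78": "static.vdc.vn",             # the one address static.vdc.vn points at
    "113.160.1.1": "static.vnpt-hanoi.com.vn",   # PTR name with no A/AAAA
    "198.51.100.9": None,                        # documentation range, no PTR
}
FAKE_A: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1"],
    "static.vdc.vn": ["203.162.0.78"],
    "static.vnpt-hanoi.com.vn": [],
}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(reverse_name(ip), classify(ip, fake_reverse, fake_forward))
    print(ptr_zone("216.58.208.0/24"), summarize(FAKE_PTR, fake_reverse, fake_forward))
```

The resolver is passed in as two callables so the classification logic can be exercised offline and then pointed at the real resolver; when sampling a whole prefix, expect `ptr-is-localhost` and `fcrdns-mismatch` to dominate on networks like the ones described, and treat a `localhost` PTR as an operator configuration choice rather than evidence about the host itself.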
Looks like this has nothing to do with DNS, instead it's the hostname the machine displays in its banners for services like FTP or SSH.
Banner here seems to refer to the 'banner' output of ssh, or telnet, or some other service (those are the most likely however imho).
When you connect over services, the banner (the first information presented to the client, before authentication) can be configured to include the 'hostname' setting of the server you have connected to.
If I am right about that, this means that the hostname setting of the server is still set to localhost, as it is default out of the box until configured.
I don't know who the target audience is but I think the author should include a small parenthesis explaining "banner". I thought it was referring to their software crawling ad banners online or something.
Banner is whatever information a remote connection gives you when you connect.
For ssh that will be some information about the server, version of ssh, hostname, and (hopefully) a prompt to login, or a request for a key.
For http, it will be a handful of headers about the server.
Tools like Shodan scan the internet looking for active connections, and try to banner-grab on common ports, looking for details like server versions, operating system versions, etc for a long list of protocols like telnet, http, ssh, smtp, vnc, remote desktop (often with screenshots of the remote system, disturbingly often unauthenticated straight to the desktop or running program), etc.
If you're of a malicious mindset, when a new vulnerability is discovered, or an old one, you can look up a list of vulnerable systems from the database, searching by service and version, rather than scanning the internet yourself.
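What "banner-grabbing" amounts to in code, as an added example that is not from the thread or from Shodan: a TCP connect, an optional probe (HTTP says nothing until asked; SSH, FTP and SMTP greet first), and a bounded read, followed by parsers for the two banner shapes quoted earlier in the thread, the RFC 4253 SSH identification string and an HTTP response head. It also pulls the hostname out of a `220 <hostname> ...` FTP/SMTP greeting, which is where a machine whose `hostname` was left at `localhost` would show up in Shodan's data. The sample banners are constructed, not captured from any real host; `serve_banner_once` is a throwaway loopback listener so the grabber can be exercised without touching the internet, and all function names are this example's own.

```python
"""Banner grabbing and banner parsing.

Added example, not code from the thread or from Shodan. The sample banners
below are constructed to match the formats quoted in the discussion.
"""
import re
import socket
import threading
from typing import Dict, List, Optional

# Constructed samples (not captured from any real host).
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"
SAMPLE_HTTP_BANNER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)
SAMPLE_FTP_BANNER = b"220 localhost FTP server ready.\r\n"

HTTP_HEAD_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def grab_banner(host: str, port: int, probe: bytes = b"",
                timeout: float = 3.0, max_bytes: int = 1024) -> bytes:
    """Connect, optionally send a probe (needed for HTTP; SSH/FTP/SMTP talk first),
    and read whatever the service volunteers until EOF, timeout or max_bytes."""
    chunks: List[bytes] = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            while sum(len(c) for c in chunks) < max_bytes:
                data = sock.recv(max_bytes)
                if not data:          # peer closed
                    break
                chunks.append(data)
        except socket.timeout:        # peer is now waiting for us (SSH wants our ident line)
            pass
    return b"".join(chunks)[:max_bytes]


# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments] CR LF
SSH_IDENT_RE = re.compile(rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_ssh_banner(banner: bytes) -> Optional[Dict[str, str]]:
    """Return proto/software/comment from an SSH banner, or None if it is not one.
    Servers may send other lines before the identification line, so every line is tried."""
    for line in banner.splitlines():
        m = SSH_IDENT_RE.match(line.strip())
        if m:
            return {k: (v or b"").decode("ascii", "replace") for k, v in m.groupdict().items()}
    return None


def parse_http_banner(banner: bytes) -> Optional[Dict[str, object]]:
    """Split an HTTP response head into its status line and a lower-cased header dict."""
    head = banner.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for raw in lines[1:]:
        name, sep, value = raw.partition(b":")
        if sep:
            headers[name.strip().decode("ascii", "replace").lower()] = \
                value.strip().decode("ascii", "replace")
    return {"status_line": lines[0].decode("ascii", "replace"), "headers": headers}


def banner_hostname(banner: bytes) -> Optional[str]:
    """Hostname a text-protocol greeting advertises: FTP and SMTP both open with
    '220 <hostname> ...', which is where an unconfigured 'localhost' shows up."""
    first = banner.splitlines()[0].strip() if banner else b""
    parts = first.split()
    if len(parts) >= 2 and parts[0] == b"220":
        return parts[1].decode("ascii", "replace")
    return None


def claims_localhost(banner: bytes) -> bool:
    """True when the greeting's hostname is the out-of-the-box default."""
    host = banner_hostname(banner)
    return host is not None and host.lower() in {"localhost", "localhost.localdomain"}


def serve_banner_once(banner: bytes) -> int:
    """Throwaway loopback listener that sends `banner` to one client and closes; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = serve_banner_once(SAMPLE_SSH_BANNER)
    grabbed = grab_banner("127.0.0.1", port)
    print(grabbed, parse_ssh_banner(grabbed))
    print(parse_http_banner(SAMPLE_HTTP_BANNER))
    print(banner_hostname(SAMPLE_FTP_BANNER), claims_localhost(SAMPLE_FTP_BANNER))
```

The read is bounded by both a timeout and a byte cap on purpose: a service that never closes the connection (SSH waits for the client's own identification line) or one that streams indefinitely should not hang or exhaust a scanner, and the parsers are written to return `None` rather than raise on whatever arbitrary bytes an unknown port sends back.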
How do “banners in Shodan [...] resolve to localhost”??? WTF??? This is quite cryptic. Luckily, I live not on Shodan, but on planet Earth where `localhost` resolves to 127.0.0.1.