Skip to main content
root@rebel:~$ cd /news/threats/analyzing-internet-background-radiation-and-automated-scanning-trends_
[TIMESTAMP: 2026-06-25 09:22 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: MEDIUM]

Analyzing Internet Background Radiation and Automated Scanning Trends

MEDIUM Threat Intel #automated-scanning#botnets#Mirai
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Automated scanners constantly probe internet-facing IP addresses to identify and exploit vulnerabilities in unpatched devices and services.
  • [02] Impacted systems include home routers, IoT devices, and enterprise services exposed via ports like 23, 80, 443, and 5060.
  • [03] Organizations must implement strict firewall rules and disable unnecessary services to mitigate the risk from persistent automated cybercrime.

Internet background radiation refers to the persistent volume of unsolicited packets that target almost every publicly reachable IP address. These packets are not usually the result of a human operator manually targeting a network; instead, according to SANS ISC, they are the output of automated scanning infrastructures and botnets. This automated cybercrime ecosystem continuously probes the global IP space to identify misconfigurations and unpatched CVE entries that can be leveraged for further exploitation.

CVE-2017-17215 Vulnerability Analysis in Automated Traffic

A primary driver of this background noise is the proliferation of the Mirai botnet and its various descendants. These botnets scan for specific vulnerabilities to expand their footprint. One such vulnerability frequently seen in automated traffic is CVE-2017-17215, an RCE flaw in Huawei HG532 routers. By sending malicious packets to the Universal Plug and Play (UPnP) service on port 37215, attackers can execute arbitrary code. This specific exploit allows botnets to gain control of consumer-grade routers, which are then integrated into a C2 infrastructure to launch DDoS attacks.

Beyond Mirai, the Mozi botnet has also been observed utilizing similar TTP patterns, targeting both outdated vulnerabilities and weak credentials. Another frequently identified flaw in scanning data is CVE-2014-2321, which affects ZTE F460 and F660 modems. This vulnerability allows for unauthorized access to sensitive information, highlighting that even decade-old flaws remain active targets for automated scanners.

Port Analysis and Common Targets

Data from honeypots and darknets reveals that certain ports attract significantly higher volumes of traffic. Port 23 (Telnet) remains a top target despite being largely deprecated in professional environments, as botnets seek out IoT devices with default credentials. Ports 80 and 443 are also heavily scanned as attackers look for vulnerable web applications, XSS opportunities, or misconfigured servers.

In addition to these, port 5060 (SIP) is frequently probed by scanners looking for VOIP systems to exploit for toll fraud or unauthorized access. Port 3389 (RDP) is another high-value target; attackers frequently use automated tools to perform brute-force attacks in hopes of gaining an initial foothold for Ransomware deployment.

Detection and Defense Strategies

For security professionals, understanding how to detect automated port scanning is essential for separating global noise from targeted activity. Security teams should monitor SIEM logs for high-frequency connection attempts from a single source IP across a wide range of destination ports or IPs. This behavior is a classic IoC of an automated scanner.

To effectively manage the risk, organizations should adopt a Zero Trust architecture, ensuring that no internal service is exposed to the public internet without strong authentication. Effective Mirai botnet exploit mitigation involves disabling unused services such as UPnP and Telnet on all gateway devices. Furthermore, a modern SOC should prioritize the patching of internet-facing assets based on exploitation trends seen in the wild, rather than relying solely on base scores. Implementing geo-blocking for regions where the organization does not conduct business can also significantly reduce the volume of incoming automated noise.

Advertisement