Woke up this am to a twitter response from @achillean, my wish was granted, we have a Canada dashboard in Shodan now. Sweet. Thanks John! (since you have some time on your hands, have you considered doing an AWS vs Azure vs Google vs Digital Ocean dashboard? 🙂
Now, lets take a look. As you might expect, since its not normalised, the provinces tend to follow the population. If we look at the normalised field (SMB Auth), we see it suggests 30% of the SMB endpoints in Canada are non-authenticated, vs 9% in the US. Also as a difference Canada v US is port 500 (typically used in ipsec). There's lots of it in Canada, #3 on the list. Lets do a query. Yes, indeed, they seem to all be doing an IPSEC IKE (Internet Key Exchange). I even see my own IP address in there. Hmm. Why would we have 570K ipsec endpoints in Canada? 414K of these are on Rogers alone.
So, 570K in Canada, lets do a quick normalise. Canada's population is 36.29M according to the 2016 Census, so 1 person in 64 is running ipsec. If we narrow that down a bit more, 414K on Rogers, and assume this is strictly on the fixed network (could be mobile I suppose, but i'm skeptical, too many NAT etc in the way), we find from Roger's most recent factsheet that they have 2.0M Internet subscribers on the fixed. That would mean that 414K/2.0M == ~20%, 1 in 5 Rogers fixed customers run ipsec. I don't want to say this is inconceivable, but, um. It beggars belief.
Hm, so there must be another explanation. it does not seem reasonable to me that so many people run ipsec. Lets keep slicing. I have enough credits to download the entire list, but i'm a bit reluctant to spend them all, and then stare at that CSV file. What can we divine from the web page report? It suggests the most common OS running this is IOS 12.3/12.4. Hm. So maybe I am incorrect on the fixed versus mobile? Or maybe, and more likely, Rogers infrastructure is causing a response on port 500?
Its not the cablemodems, its the CPE (you can tell from the hostname/IP). But, maybe something is there not transparent?
Anyone have any input? Add a comment.