
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">


<head>


<meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<meta name="Generator" content="Microsoft Word 15 (filtered medium)">


<style><!--


/* Font Definitions */


@font-face


        {font-family:"Cambria Math";


        panose-1:2 4 5 3 5 4 6 3 2 4;}


@font-face


        {font-family:Aptos;}


/* Style Definitions */


p.MsoNormal, li.MsoNormal, div.MsoNormal


        {margin:0cm;


        font-size:12.0pt;


        font-family:"Aptos",sans-serif;}


a:link, span.MsoHyperlink


        {mso-style-priority:99;


        color:blue;


        text-decoration:underline;}


.MsoChpDefault


        {mso-style-type:export-only;


        font-size:10.0pt;


        mso-ligatures:none;}


@page WordSection1


        {size:612.0pt 792.0pt;


        margin:72.0pt 72.0pt 72.0pt 72.0pt;}


div.WordSection1


        {page:WordSection1;}


--></style><!--[if gte mso 9]><xml>


<o:shapedefaults v:ext="edit" spidmax="1026" />


</xml><![endif]--><!--[if gte mso 9]><xml>


<o:shapelayout v:ext="edit">


<o:idmap v:ext="edit" data="1" />


</o:shapelayout></xml><![endif]-->


</head>


<body lang="en-IL" link="blue" vlink="purple" style="word-wrap:break-word">


<div class="WordSection1">


<div>


<p class="MsoNormal" style="margin-bottom:12.0pt">-------- Forwarded Message --------<br>


Subject: [TLP:GREEN] Scanverkeer Recyber leidt tot DoS<br>


Date: Mon, 16 Jun 2025 12:46:00 +0000<br>


Reply-To: Info (NCSC-NL) <a href="mailto:info@ncsc.nl"><info@ncsc.nl></a><br>


To: Info (NCSC-NL) <a href="mailto:info@ncsc.nl"><info@ncsc.nl></a><br>


<br>


Hash: SHA512<br>


<br>


[TLP:GREEN]<br>


<br>


(<a href="https://first.org/tlp/">https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffirst.org%2Ftlp%2F&data=05%7C02%7Cddosca-subscribers%40lists.geant.org%7C12b911e7162b4ac5407408ddace8145e%7Cd8cc37ca6546448c83690f1026a3306b%7C0%7C0%7C638856834950903008%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=nlqF7kEPDnjSyEn22RrSaWfozbhlGYIgfDlZgUzg3mQ%3D&reserved=0</a>


<a href="https://first.org/tlp/"><https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffirst.org%2Ftlp%2F&data=05%7C02%7Cddosca-subscribers%40lists.geant.org%7C12b911e7162b4ac5407408ddace8145e%7Cd8cc37ca6546448c83690f1026a3306b%7C0%7C0%7C638856834950924909%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=gVbOVCMMHRu7EWcdrDxGZcYAq9%2BMDeeZtCsQZnW5My4%3D&reserved=0></a>)<br>


<br>


** ENGLISH VERSION BELOW **<br>


..<br>


/snipped Dutch part<br>


..<br>


<br>


** ENGLISH VERSION **<br>


<br>


Dear NCSC partner,<br>


<br>


The NCSC would like to inform you about disruptive network scanning<br>


<br>


activity performed by Recyber. These scanning activities caused a Denial of<br>


<br>


Service (DoS) impact at multiple organisations. Read the section "Course of<br>


<br>


action" below for more information about how you can mitigate disruptions<br>


<br>


on your network.<br>


<br>


=== Facts ===<br>


<br>


* In the past few weeks, the NCSC received multiple reports from<br>


<br>


(inter)national partners about disruptive network scanning behaviour<br>


<br>


originating from infrastructure of Recyber. The amount of network traffic<br>


<br>


caused a DoS impact at multiple organisations. This caused some systems or<br>


<br>


networks to be unresponsive for a short amount of time.<br>


<br>


* In all cases, the Transmission Control Protocol (TCP) was used to carry<br>


<br>


out port scans. These scans were performed in parallel by multiple IP<br>


<br>


addresses owned by Recyber. The scans targeted, among other things, common<br>


<br>


web application ports. Organisations reported a traffic volume that, at<br>


<br>


their peak, exceeded 3 million flows per second.<br>


<br>


* Recyber offers an opt-out to organisations that don't want their networks<br>


<br>


scanned. [1] However, multiple organisations indicated that Recyber does<br>


<br>


not honour these opt-outs.<br>


<br>


* The NCSC is not aware of Dutch organisations that use Recyber's services.<br>


<br>


* The NCSC requested Recyber to reduce the amount of network scanning<br>


<br>


traffic that they send to networks. As of yet, Recyber has not replied to<br>


<br>


this request.<br>


<br>


* The NCSC also asked Recyber's hosting provider to intervene. The hosting<br>


<br>


provider has not yet took appropriate action based on this request.<br>


<br>


* Given the persistent scanning behaviour of Recyber, the NCSC published<br>


<br>


this e-mail to inform its partners.<br>


<br>


=== Interpretation ===<br>


<br>


* Various service providers perform network scans for legitimate purposes.<br>


<br>


The results can then be used by organisation to, for example, map their<br>


<br>


attack surface or as part of vulnerability management. Similarly, security<br>


<br>


researchers and CERTs can use scan results to identify vulnerable systems<br>


<br>


and to notify their respective owners.<br>


<br>


* Although network scanning on itself is not illegal or disruptive,<br>


<br>


excessive scanning might be. When performing excessive scans, systems might<br>


<br>


get overloaded, as is sometimes the cases for scans carried out by Recyber.<br>


<br>


=== Course of action ===<br>


<br>


* On network edges, block all traffic originating from Recyber's IP<br>


<br>


addresses. A list of Recyber related IP addresses is provided in the<br>


<br>


attachment of this e-mail.<br>


<br>


* Configure rate limiting for incoming network traffic. This limits the<br>


<br>


impact of excessive network scanning on underlying systems.<br>


<br>


* More information about protecting your systems against DoS attacks is<br>


<br>


available on our website (in Dutch). [2]<br>


<br>


<br>


[1] https[://]www[.]recyber[.]net<br>


<br>


[2] <a href="https://www.ncsc.nl/wat-kun-je-zelf-doen/dreiging/ddos">https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ncsc.nl%2Fwat-kun-je-zelf-doen%2Fdreiging%2Fddos&data=05%7C02%7Cddosca-subscribers%40lists.geant.org%7C12b911e7162b4ac5407408ddace8145e%7Cd8cc37ca6546448c83690f1026a3306b%7C0%7C0%7C638856834950938334%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=FePisSCx9EEYwNKkaRr0c2UJp%2BMwusYiT7IK6OfZRmA%3D&reserved=0</a>


<a href="https://www.ncsc.nl/wat-kun-je-zelf-doen/dreiging/ddos"><https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ncsc.nl%2Fwat-kun-je-zelf-doen%2Fdreiging%2Fddos&data=05%7C02%7Cddosca-subscribers%40lists.geant.org%7C12b911e7162b4ac5407408ddace8145e%7Cd8cc37ca6546448c83690f1026a3306b%7C0%7C0%7C638856834950950859%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=TDd8IzOlF6bn%2BB2stxXFnwcnD8RshKSx%2BgnwLV5R4OU%3D&reserved=0></a><br>


<br>


[/TLP:GREEN]<br>


<br>


<br>


<o:p></o:p></p>


</div>


</div>


</body>


</html>