LS
Every IP scan or domain scan or AS scan for that matter should be examined separately to know what is going on from there.
Sometimes this means benign security scans, sometimes probing with malicious intent, sometimes simple outright malware
to send out spam raids with, scam & malware (Mirai).
Let us just take a random example IP which is doing port scanning for port 5555, a scanning that comes from
IP address 112.119.218.130 in Hong Kong, apparently performed by netvigator (game shield) dot com domain.
VirusTotal shows 1 engine to detect, detecting spam, here we have it:
https://www.virustotal.com/gui/ip-address/112.119.218.130/detection
GreyNoise cannot help us much in these respects, just alerts the scans being performed:
https://viz.greynoise.io/query/?gnql=metadata.rdns%3An112119218130.netvigator.com
Shodan is not quite clear on what it is:
https://www.shodan.io/host/112.119.218.130/raw
Again here we stumble on quite some interesting underlying data:
https://intelx.io/?s=netvigator.com
Data, coming from this awful Intelligence scanner made by the firm of the renowned Peter Kleissner,
hacker/researcher/sinkhole expert from Vienna (now Prague).
I was so happy to get some online outbuilding on automated sinkholing from him during 2017.
Summa summarum every IP address and/or domain/AS should be considered separately to what this scanning means.
I do this just through 3rd party cold recon security scanning.
In this case the buzzword apparently is "gamer SPAM".
But it could also be something quite innocent like benign bot-scans or security scantool action.
Moreover at netvigator dot com JSONP script I found flaws in the settings of their CSP implementation,
just to mention this on the by and by. (Info credits go to: luntrus)
polonus