You’ve probably reached this page through one of the breadcrumbs we leave when scanning your organization. The internet cleanup foundation monitors the basic state of security on the internet for the greater good.
Our scans target organizations that are vital and/or have a public function in the Netherlands. This includes the government, education, healthcare, political parties and critical infrastructure.
The Internet Cleanup Foundation is a non-profit located in the Netherlands. Registration numbers can be found on the ‘about us‘ page.
Our ethical framework
The following documents (in Dutch) lay out our ethical framework. They contain the considerations and boundaries of our scans.
- Code of Conduct
- Measuring Policy (and exceptions)
- Publication Policy
- Domain Policy
- Disclaimer
- Statutes of the foundation
Part of Dutch national government policy
The project “basisbeveiliging.nl” from the internet cleanup foundation is part of Dutch national government policy. You can find references here:
- NCTV: Actieplan Nederlandse Cybersecuritystrategie 2022-2028, Links: NCSC, Rijksoverheid, NCTV.
- MinBZK: Werkagenda Waardengedregen Digitaliseren. Links: Rijksoverheid.
The cookie metrics are performed in colaboration with the Ministry of the Interior and Kingdom Relations (MinBZK).
Dutch government domains that block our scans will be contacted to unblock us, this information is also shared with the ministry.
Where do our scans come from?
We can from the following hosts and ip-addresses:
| Hostname / Purpose | IPv4 | IPv6 | Provider | Country | AS |
|---|---|---|---|---|---|
| basisbeveiliging.nl Web application, scanhost for Dutch domains | 185.71.61.127 | 2a03:38a0:61:127::1 | CoBytes | NL | 60781 |
| raspberrypi01.basisbeveiliging.nl Scanhost for Dutch domains | 145.220.76.240 | 2001:67c:6ec:2076:145:220:76:240 | SURF | NL | 1101 |
| basisbeveiliging.be Web application, scanhost for Belgian domains | 185.71.61.126 | 2a03:38a0:61:126::1 | CoBytes | NL | 60781 |
| demo.internetcleanup.foundation Scanhost for test purposes | 185.71.61.129 | 2a03:38a0:61:129::1 | CoBytes | NL | 60781 |
| plus.basisbeveiliging.nl Full scope tests are performed exclusively with a signed contract. The performer of the test is responsible for announcing this test to the owners of system under test. Please contact us in case of abuse. | 37.97.145.112 | 2a01:7c8:aabd:148::1 | TransIP | NL | 20857 |
How to recognize our scans?
Most of our scans can be recognized with a special user agent in HTTP requests. It will contain the following. Not all scans allow for sending a user agent or origin. A reverse ip
(compatible; ICF-Basisbeveiliging/1.0; +https://internetcleanup.foundation/scaninfo)Do these scan trigger firewalls and security processes?
All scans perform only gather information that is safe to publish publicly. Yet it might be possibly that, depending on your monitoring or web-application-firewall, a scan is registered as an intrusion attempt.
There are two scans in particular that are sometimes reported via the abuse procedure.
The first reported scan type is the version-detection script from nmap. This script sends some data to figure out the version of the running software on your server. It does so with very high accuracy in a few requests. Your firewall might log this as “nmap bannergrab” or something similar. In the ideal situation an nmap bannergrab would just not determine or trigger anything as there is nothing to find.
The second reported scan type is the login portal detection. This performs a series of ±500 requests to well known paths of login portals in a timespan of about 20 minutes. These requests check that certain paths exist and return a specific piece of text. Very strict logging of 404/not found requests or alerting on these requests will require some action. For example allowing our user agent, ip-addresses or reconfiguring the triggers that occur on 404 requests.
Can i opt out of scanning?
If your organization is an important organization to society, which falls in one of the target audiences, the answer is most likely no. In other cases the scans should not occur. So for example: if your organization has received ownership of a domain name from an important organization, it might be that we still scan that old domain name. In that case please request a removal via the contact details below.
Contact
You can reach us via discord or via e-mail on info at internetcleanup dot foundation.