"incoming connection on TCP port 631 (ipp)"?
Posted: Sat Mar 14, 2015 10:08 am
by ankh
Any advice/help identifying this one?
First thing I saw this morning was a popup from the LittleSnitch security tool.
I rejected the connection, after trying to identify it, just a brief 'oogle that found nothing helpful
________
cupsd wants to accept an incoming connection on TCP port 631 (ipp)
71.6.135.131
census7.shodan.io
Connecting to /usr/sbin/cupsd
Process ID 263
User root (UID: 0)
_________
Re: "incoming connection on TCP port 631 (ipp)"?
Posted: Sat Mar 14, 2015 10:25 pm
by ryanca
https://www.shodan.io/
Shodan runs internet-wide port scans. Do you not have your computer behind a firewall or router?
Re: "incoming connection on TCP port 631 (ipp)"?
Posted: Sun Mar 15, 2015 8:25 am
by ankh
> a firewall or router
both (Apple products).
No scan from shodan in the past got far enough in to be alerted/blocked by LittleSnitch.
I'll poke at the settings for the router and firewall.
Local printer sharing -- home network -- was allowed.
Outside requests shouldn't have been.
Hm. Speedguide found no open ports but mentions something ancient that was fixed years ago.
http://www.speedguide.net/port.php?port=631
631/tcp filtered ipp Mac OS X Printer Sharing
Unknown vulnerability in the Internet Printing Protocol (IPP) implementation in CUPS before 1.1.19 allows remote attackers to cause a denial of service (CPU consumption from a "busy loop") via certain inputs to the IPP port (TCP 631).
References: [CVE-2003-0788] [BID-8952] [SECUNIA-10123]
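An added example, not written by any poster in this thread: a small Python check that reads cupsd.conf text and reports listeners bound beyond loopback (the setting that lets an outside connection attempt reach cupsd once the router forwards it) and `<Location>` blocks that allow every address. The sample configuration is constructed for illustration; on a real machine the file is commonly /etc/cups/cupsd.conf, which is an assumption to verify locally.

```python
import re

# Constructed sample resembling a cupsd.conf with printer sharing enabled.
SAMPLE_CONF = """\
# constructed sample, not taken from the thread
Listen localhost:631
Listen /private/var/run/cupsd
Port 631
<Location />
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin>
  Order allow,deny
  Allow all
</Location>
"""

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

def audit_cupsd_conf(text):
    """Return (exposed_listeners, open_locations) found in cupsd.conf text."""
    listeners, open_locations, location = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"<Location\s+(\S+)>", line, re.I)
        if m:
            location = m.group(1)                # entering an access block
        elif line.lower() == "</location>":
            location = None
        else:
            parts = line.split()
            key, args = parts[0].lower(), parts[1:]
            if key == "port" and args:
                # "Port N" binds every interface, not just loopback
                listeners.append("*:" + args[0])
            elif key == "listen" and args and not args[0].startswith("/"):
                host = args[0].rsplit(":", 1)[0]  # unix sockets skipped above
                if host.lower() not in LOOPBACK:
                    listeners.append(args[0])
            elif key == "allow" and location and args:
                if args[-1].lower() == "all":     # "Allow all" / "Allow from all"
                    open_locations.append(location)
    return listeners, open_locations
```
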
Re: "incoming connection on TCP port 631 (ipp)"?
Posted: Thu Sep 24, 2015 12:41 pm
by Rob
I just got one of these probes on TCP port 631 from the same host. This isn’t the first time I’ve gotten weird incoming traffic from that domain/IP space. Can’t find anything about them other than their internal press-release type info. I’ve got my Airport Extreme pointing traffic to my laptop as the default host, so any outside attempts show up on there. Not sure why census.shodan.io was trying to see if it could print something on my network—but just so you know, you’re not the only person this is happening to.
Re: "incoming connection on TCP port 631 (ipp)"?
Posted: Thu Sep 24, 2015 12:51 pm
by Rob
...Though looking at their website, it seems that probing random strangers' ports like a bunch of assholes is totally in line with their business model:
http://robshort.org/files/shodan.io.jpg