North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SNMP probers

  • From: Daniel McRobb
  • Date: Wed Apr 09 17:12:14 1997
  • Company: ANS
  • Location: ANS Network Services, Ann Arbor, MI
  • Position: Staff Engineer

> Randy,
> >What do folk do about persistent SNMP probers?  I.e. j random clueless sites
> >which keep querying one's backbone router(s).  E.g. this morning I get the
> >NOC shift change report with the folk hammering on our routers as if we were
> >stupid enough to use 'public' as the community string.
> The problem isn't so much stupid people as stupid default settings on some
> network tools.  A lot of software exists for the "enterprise" network
> market.  Apparently, the designers of this software don't realize that most
> enterprise IP networks touch the larger, fully connected Internet.  The
> default settings on half a dozen products I've personally used default to
> trying to discover the entire Internet on startup.  
> I learned this the hard way a few years back.  Every night before going
> home, I'd re-boot a network monitoring station, which would crash during the
> night.  The station was crashing somewhere in the middle of the discovery of
> net 18.  After the third or fourth attempt at discovering net 18, I got a
> phone call from MIT, and realized why my network monitoring station was
> crashing.  (whoops)
> Things got really interesting when I called up the manufacturer.  I asked
> them to please help me stop this software discovery process.  Took me half
> an hour of explaining to convince them that discovering the entire Internet
> wasn't in the best interest of their customers.  Took a new version to
> really stop this "feature".  
> >So every day some poor NOC person has to search these folk down with the
> >great tools we have, send email, get told they're nazi idiots, ...
> >
> >So what do folk do about this?
> Educate, then assassinate.
> Seriously, I think some education is needed for the proliferating
> manufacturers of lower end IP management tools.  All of a sudden, there are
> a lot of IP monitoring products out there.  Most all of our customers are
> running some sort of tool to check the status of their LAN workstations,
> etc.  We've been having to educate almost every new customer lately.
> Maybe denying some TCP socket at the border router level would stop a lot of
> this?
> Regards,
> Bill

I wouldn't really blame this on the NMS vendors as much as the lack of
standardized topology information in standard MIBs.  The NMS products
use the brute-force method for a reason... there's little else available
(there's nothing available in many products; MIB-II is (unfortunately)
often the only thing you can really count on across products.  Its sort
of like a discussion here a few months ago about how useless traceroute
can be (though I really would not like to open up that discussion here

I do agree that you can throttle it so it doesn't run amok, and users
shouldn't need to run it often (unless their own network's topology is
changing a lot).


- - - - - - - - - - - - - - - - -