North American Network Operators Group

Re: SNMP probers
> Randy,
>
> >What do folk do about persistent SNMP probers? I.e. j random clueless sites
> >which keep querying one's backbone router(s). E.g. this morning I get the
> >NOC shift change report with the folk hammering on our routers as if we were
> >stupid enough to use 'public' as the community string.
>
> The problem isn't so much stupid people as stupid default settings on some
> network tools. A lot of software exists for the "enterprise" network
> market. Apparently, the designers of this software don't realize that most
> enterprise IP networks touch the larger, fully connected Internet. The
> default settings on half a dozen products I've personally used default to
> trying to discover the entire Internet on startup.
>
> I learned this the hard way a few years back. Every night before going
> home, I'd re-boot a network monitoring station, which would crash during the
> night. The station was crashing somewhere in the middle of the discovery of
> net 18. After the third or fourth attempt at discovering net 18, I got a
> phone call from MIT, and realized why my network monitoring station was
> crashing. (whoops)
>
> Things got really interesting when I called up the manufacturer. I asked
> them to please help me stop this software discovery process. Took me half
> an hour of explaining to convince them that discovering the entire Internet
> wasn't in the best interest of their customers. Took a new version to
> really stop this "feature".
>
> >So every day some poor NOC person has to search these folk down with the
> >great tools we have, send email, get told they're nazi idiots, ...
> >
> >So what do folk do about this?
>
> Educate, then assassinate.
>
>
> Seriously, I think some education is needed for the proliferating
> manufacturers of lower end IP management tools. All of a sudden, there are
> a lot of IP monitoring products out there. Most all of our customers are
> running some sort of tool to check the status of their LAN workstations,
> etc. We've been having to educate almost every new customer lately.
>
> Maybe denying some TCP socket at the border router level would stop a lot of
> this?
>
> Regards,
>
> Bill

I wouldn't really blame this on the NMS vendors as much as the lack of standardized topology information in standard MIBs. The NMS products use the brute-force method for a reason... there's little else available (there's nothing available in many products; MIB-II is (unfortunately) often the only thing you can really count on across products). It's sort of like a discussion here a few months ago about how useless traceroute can be (though I really would not like to open up that discussion here again).

I do agree that you can throttle it so it doesn't run amok, and users shouldn't need to run it often (unless their own network's topology is changing a lot).

Daniel
~~~~~~