North American Network Operators Group

RE: Research - Valid Data Gathering vs. Annoying Other
> John K. Lerchey wrote:
> The problem is that many of their "random targets" consider
> the probes to be either malicious in nature, or outright
> attacks. As a result of this, we, of course, get complaints.

[me puts the politician/opportunist suit on. It's election year, after all].
The one thing I would suggest, if you get complaints, talk to the dude that wrote the "testing" thing to make it look like an attack than it currently appears. Vote for me.
[/suit off]

That being said, you might want to read again an excellent post from Steve Atkins earlier :-)

OMG, someone from China just tried to telnet to my router. I'm calling the FBI, the CIA and the NSA right away. The vty password is "san-fran" not "cisco", bozo.

> One suggestion that I received from a co-worker to help to
> mitigate this is to have the researchers run the experiments
> off of a www host, and to have the default page explain the
> experiment and also provide contact info.

Good idea, but largely useless as described, IMHO. I would suggest a better way, have the reverse lookup (PTR) of the testing IP address resolve to something like "see-www-dot-cmu-dot-edu-slash-testing" and have the explaining web page there; this might help with GWF[1]

> We also discussed having the researchers contact ISPs and other
> large providers to see if they can get permission to use addresses
> in their space as targets, and then providing the ISPs with info
> from the testing.

The answer is no.

> How do you view the issue of experiments that probe random
> sites? Should this be accepted as "reasonable", or should
> it be disallowed? Something in between?

Irrelevant. Each operator and network admin will have a different opinion about it, and we all filter traffic the way we see fit. You will not get anything remotely close to a consensus here.

[1] GWF

> Steve Atkins wrote:
> [GWF] Goober With Firewall. Originally from internal jargon
> at [email protected] - a complaint, for example, that
> "ns1.above.net is hackoring my port 53!" would be, and
> should still be, closed with the sole annotation being "GWF".

Alternate acronym meaning: Goon With Firewall.

GWFes are mostly a by-product of IDS sales droids: first, they find one of these goober execs to attend a demo, then they crank up their gizmo that will find "high risk" alarms out of the ordinary network noise, then the exec hires a cheaper banana^H^H^H^H^H peanut eater aka GWS that does not know jack and has nothing to do but investigate the IDS alarms.

The only thing that worries me about the recommendation I am about to make is that it is the same that we collectively used to think was the appropriate answer to spam (a long time ago): the delete key is your friend.

Michel.