This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/mat-wg@ripe.net/
[mat-wg] New on RIPE Labs: Dealing with the Undercurrent of Unwanted Traffic
Jared Mauch
jared at puck.nether.net
Wed Jul 6 19:27:55 CEST 2022
On Wed, Jul 06, 2022 at 09:33:30AM -0700, Randy Bush wrote:
> interesting. thanks.
>
> could the author(s) please amplify
>
>     We filter out “scan” traffic, and any other login or access
>     attempts are considered “attacks”
>
> why? what is the difference and how algorithmically do you
> differentiate?

I suspect there's some known white-hats, eg: shadowserver that use well identified scanners for purposes that are worthwhile and valuable, and those are easy to identify. Many researchers also put up pages that explain what they are doing, why and may even include opt-out options.

I know I have problems with people who call scans attacks, as it's reasonable to do some research on the internet, but many of them come with interesting side-effects. There's some software suites that (for example) if you send it a valid SNMP query (with the community public) will then start to send you all their system data (telemetry/syslog) to that same IP in the future, or start to send you SNMP traps. This is a very interesting behavior IMHO and worth studying, but also can provoke PII discussions.

There's also things like https://team-cymru.com/community-services/utrs/ which may be of interest, but one can worry just as much about how those decisions to be listed in that are made which can have broad impacts as well.

> https://xkcd.com/833/
>
> nice work.

yes, i'm always interested in good work. thanks for sharing, the "background radiation" as i call it continues to have a baseline going up. i find the data super interesting over time and as new threats are known, you can watch the deployment of tools to detect them tick up as they report the "stop scanning us" goes up as it triggers their radar, which shows they were blind before they installed the tools...

- Jared

--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.