[mat-wg] New on RIPE Labs: Dealing with the Undercurrent of Unwanted Traffic

On Wed, Jul 06, 2022 at 09:33:30AM -0700, Randy Bush wrote:
> interesting.  thanks.
> 
> could the author(s) please amplify
> 
>     We filter out “scan” traffic, and any other login or access
>     attempts are considered “attacks”
> 
> why?  what is the difference and how algorithmically do you
> differentiate?

	I suspect there's some known white-hats, eg: shadowserver that
use well identified scanners for purposes that are worthwhile and
valuable, and those are easy to identify.  Many researchers also put up
pages that explain what they are doing, why and may even include opt-out
options.

	I know I have problems with people who call scans attacks, as
it's reasonable to do some research on the internet, but many of them
come with interesting side-effects.  There's some software suites that
(for example) if you send it a valid SNMP query (with the community
public) will then start to send you all their system data
(telemetry/syslog) to that same IP in the future, or start to send you
SNMP traps.  This is a very interesting behavior IMHO and worth
studying, but also can provoke PII discussions.

	There's also things like
https://team-cymru.com/community-services/utrs/ which may be of
interest, but one can worry just as much about how those decisions to be
listed in that are made which can have broad impacts as well.

> https://xkcd.com/833/
> 
> nice work.

	yes, i'm always intersted in good work.  thanks for sharing,
the "background radiation" as i call it continues to have a baseline
going up.

	i find the data super interesting over time and as new threats
are known, you can watch the deployment of tools to detect them tick up
as they report the "stop scanning us" goes up as it triggers their
radar, which shows they were blind before they installed the tools...

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.