[mat-wg] New on RIPE Labs: Dealing with the Undercurrent of Unwanted Traffic

>> could the author(s) please amplify
>>     We filter out “scan” traffic, and any other login or access
>>     attempts are considered “attacks”
>> why?  what is the difference and how algorithmically do you
>> differentiate?
> 
> I suspect there's some known white-hats, eg: shadowserver that use
> well identified scanners for purposes that are worthwhile and
> valuable, and those are easy to identify.

i have suggested a number of times that we coordinate registries of
research experiments which could cause anomalies or other bumps in the
graph of measurements.  e.g. RIS and RV seem obvious data sources with
anomalies caused by known experiments.  [ an example which does not
point fingers at others is the month in 2008 where AS3130 had a BGP
topological out-degree of the entire AS set ]

a gang of us ran, and are still running, an experiment which is creating
a disturbance in the RPKI/ROA force.  how do we warn other researchers
(and ops) ex post facto?

i think it was vern who had a nice paper on the kinds of meta-data we
should keep.

> Many researchers also put up pages that explain what they are doing,
> why and may even include opt-out options.

yep.  good.  but somewhat orthogonal.  note that, if one is borrowing
RIR resources for an experiment, the RIR(s) ask the researcher(s) to
explicitly do this.

randy