On Wed, Jul 06, 2022 at 09:33:30AM -0700, Randy Bush wrote:
interesting. thanks.
could the author(s) please amplify
We filter out “scan” traffic, and any other login or access attempts are considered “attacks”
why? what is the difference and how algorithmically do you differentiate?
I suspect there are some known white-hats, e.g. Shadowserver, that use well-identified scanners for purposes that are worthwhile and valuable, and those are easy to identify. Many researchers also put up pages that explain what they are doing and why, and may even include opt-out options. I know I have problems with people who call scans attacks, as it's reasonable to do some research on the internet, but many of them come with interesting side-effects. There are some software suites that (for example), if you send them a valid SNMP query (with the community public), will then start to send you all their system data (telemetry/syslog) to that same IP in the future, or start to send you SNMP traps. This is a very interesting behavior IMHO and worth studying, but it can also provoke PII discussions. There are also things like https://team-cymru.com/community-services/utrs/ which may be of interest, but one can worry just as much about how the decisions to be listed in that are made, which can have broad impacts as well.
nice work.
yes, i'm always interested in good work. thanks for sharing. the "background radiation" as i call it continues to have a baseline going up. i find the data super interesting over time, and as new threats are known, you can watch the deployment of tools to detect them tick up as the "stop scanning us" reports go up when it triggers their radar, which shows they were blind before they installed the tools...

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
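One way to make the scan-versus-attack split Randy asks about concrete, as an added example that is not from the thread or the paper: classify constructed honeypot log lines by three rules (self-identifying research scanners are scans, anything presenting credentials is an attack, bare connection probes and default-community SNMP reads are scans). The log lines, the reverse-DNS table and the research-scanner suffix list are all made up for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines in a syslog-like shape; the hosts are
# documentation-range addresses and do not belong to anyone.
SAMPLE_LOGS = [
    "sshd[101]: Connection closed by 198.51.100.7 port 40112 [preauth]",
    "sshd[102]: Failed password for root from 203.0.113.9 port 51000 ssh2",
    "sshd[103]: Invalid user admin from 203.0.113.9 port 51002",
    "snmpd[200]: GET community=public from 198.51.100.7",
    "sshd[104]: Connection closed by 192.0.2.33 port 33000 [preauth]",
]

# Assumed reverse-DNS suffixes of research scanners that publish what they
# do; a real deployment would curate this list itself.
RESEARCH_RDNS_SUFFIXES = ("scan.example-research.net",)
# Constructed PTR table standing in for a live reverse-DNS lookup.
RDNS = {"198.51.100.7": "probe-3.scan.example-research.net"}

IP_RE = re.compile(r"(?:from|by) (\d+\.\d+\.\d+\.\d+)")


def source_ip(line):
    """Pull the peer address out of an sshd/snmpd style log line."""
    m = IP_RE.search(line)
    return m.group(1) if m else None


def classify(line):
    """Return 'scan', 'attack' or 'unknown' for one log line."""
    ip = source_ip(line)
    if ip is None:
        return "unknown"
    # Rule 1: a self-identifying research scanner is a scan whatever it sent.
    if RDNS.get(ip, "").endswith(RESEARCH_RDNS_SUFFIXES):
        return "scan"
    # Rule 2: presenting credentials (a password or username) is an attack.
    if "Failed password" in line or "Invalid user" in line:
        return "attack"
    # Rule 3: a pre-auth connection or a default-community SNMP read is a scan.
    if "[preauth]" in line or "community=public" in line:
        return "scan"
    return "unknown"


def summarize(lines):
    """Count how many lines fall into each class."""
    return Counter(classify(line) for line in lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))  # Counter({'scan': 3, 'attack': 2})
```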