could the author(s) please amplify

> We filter out “scan” traffic, and any other login or access attempts are considered “attacks”

why? what is the difference and how algorithmically do you differentiate?
I suspect there are some known white-hats, e.g. Shadowserver, that use well-identified scanners for purposes that are worthwhile and valuable, and those are easy to identify.
i have suggested a number of times that we coordinate registries of research experiments which could cause anomalies or other bumps in the graph of measurements. e.g. RIS and RV seem obvious data sources with anomalies caused by known experiments. [ an example which does not point fingers at others is the month in 2008 where AS3130 had a BGP topological out-degree of the entire AS set ] a gang of us ran, and are still running, an experiment which is creating a disturbance in the RPKI/ROA force. how do we warn other researchers (and ops) ex post facto? i think it was vern who had a nice paper on the kinds of meta-data we should keep.
Many researchers also put up pages that explain what they are doing and why, and may even include opt-out options.
yep. good. but somewhat orthogonal. note that, if one is borrowing RIR resources for an experiment, the RIR(s) ask the researcher(s) to explicitly do this. randy