New on RIPE Labs: Dealing with the Undercurrent of Unwanted Traffic
Dear colleagues,

Leslie Daigle and her colleagues over at the Global Cyber Alliance have been collecting data from hundreds of sensors to get a clearer picture of how much unwanted traffic there is out there. How much counts as too much?

Read more on RIPE Labs: https://labs.ripe.net/author/leslie-daigle/dealing-with-the-undercurrent-of-...

Best regards,
Alun Davies
RIPE Labs Editor
RIPE NCC
interesting. thanks.

could the author(s) please amplify

> We filter out “scan” traffic, and any other login or access attempts are considered “attacks”

why? what is the difference and how algorithmically do you differentiate?

https://xkcd.com/833/

nice work.

randy
On Wed, Jul 06, 2022 at 09:33:30AM -0700, Randy Bush wrote:
> interesting. thanks.
>
> could the author(s) please amplify
>
> We filter out “scan” traffic, and any other login or access attempts are considered “attacks”
>
> why? what is the difference and how algorithmically do you differentiate?
I suspect there's some known white-hats, e.g. shadowserver, that use well identified scanners for purposes that are worthwhile and valuable, and those are easy to identify. Many researchers also put up pages that explain what they are doing, why, and may even include opt-out options.

I know I have problems with people who call scans attacks, as it's reasonable to do some research on the internet, but many of them come with interesting side-effects. There are some software suites that (for example) if you send them a valid SNMP query (with the community public) will then start to send you all their system data (telemetry/syslog) to that same IP in the future, or start to send you SNMP traps. This is a very interesting behavior IMHO and worth studying, but also can provoke PII discussions.

There's also things like https://team-cymru.com/community-services/utrs/ which may be of interest, but one can worry just as much about how those decisions to be listed in that are made, which can have broad impacts as well.
> nice work.
yes, i'm always interested in good work. thanks for sharing. the "background radiation" as i call it continues to have a baseline going up.

i find the data super interesting over time, and as new threats are known, you can watch the deployment of tools to detect them tick up as they report the "stop scanning us" goes up as it triggers their radar, which shows they were blind before they installed the tools...

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
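For readers following Randy's question about how "scan" traffic gets separated from "attacks", the script below is an added illustration written for this page; it is not the Global Cyber Alliance's or RIPE Labs' method, nor code from anyone in this thread. It applies the two heuristics the thread mentions: sources on a known research-scanner allowlist are scans, and a source that only opens connections or grabs banners is a scan, while anything that attempts a login or resource access is counted as an attack. The log format, the event vocabulary, the allowlist network, and the sensor lines are all constructed for the example (the addresses are RFC 5737 documentation ranges).

```python
"""Separate "scan" background traffic from "attack" login/access attempts
over constructed honeypot sensor log lines.

Heuristic (an assumption for this example, not a published method):
  * a source in a known-research-scanner allowlist is "scan";
  * a source that only connects / grabs banners is "scan";
  * any other source that attempts a login or resource access is "attack".
"""
import ipaddress
import re
from collections import defaultdict

# Constructed allowlist of research-scanner source networks (RFC 5737
# documentation space; not any real organisation's address range).
KNOWN_RESEARCH_SCANNERS = [ipaddress.ip_network("203.0.113.0/24")]

# Event kinds (constructed vocabulary) that mean the peer tried to
# authenticate or access a resource rather than just probe the port.
ACCESS_EVENTS = {"login", "http_get", "smb_tree_connect"}

# Constructed sensor log lines in a key=value format invented for this example.
SAMPLE_LOG = """\
2022-07-06T09:33:30Z src=198.51.100.7 dport=22 event=connect
2022-07-06T09:33:31Z src=198.51.100.7 dport=22 event=login user=root result=fail
2022-07-06T09:33:32Z src=198.51.100.7 dport=22 event=login user=admin result=fail
2022-07-06T09:34:02Z src=203.0.113.9 dport=22 event=connect
2022-07-06T09:34:02Z src=203.0.113.9 dport=22 event=banner
2022-07-06T09:34:03Z src=203.0.113.9 dport=80 event=http_get path=/
2022-07-06T09:35:10Z src=192.0.2.44 dport=445 event=connect
2022-07-06T09:35:10Z src=192.0.2.44 dport=445 event=banner
2022-07-06T09:36:00Z src=192.0.2.45 dport=80 event=http_get path=/.env
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict of fields; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_known_scanner(src):
    """True when the source address falls inside an allowlisted research network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in KNOWN_RESEARCH_SCANNERS)


def classify_sources(log_text):
    """Return {src: "scan" | "attack"} after aggregating every event per source.

    Aggregation matters: a single 'connect' line says nothing on its own; the
    verdict depends on whether the same source later tried to log in.
    """
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "src" in rec and "event" in rec:
            events_by_src[rec["src"]].append(rec)

    verdicts = {}
    for src, events in events_by_src.items():
        if is_known_scanner(src):
            # Identified research scanner: stays "scan" even if it fetched a page.
            verdicts[src] = "scan"
        elif any(e["event"] in ACCESS_EVENTS for e in events):
            verdicts[src] = "attack"
        else:
            verdicts[src] = "scan"
    return verdicts


def summarize(log_text):
    """Count sources per class: the background radiation vs. real access attempts."""
    counts = {"scan": 0, "attack": 0}
    for verdict in classify_sources(log_text).values():
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:<15} {verdict}")
    print(summarize(SAMPLE_LOG))
```

Note what the allowlist changes: 203.0.113.9 fetches `/` over HTTP, which would otherwise be counted as an access attempt, but because it sits in an identified research network it is reported as a scan. Without such a list, the "attack" count inflates with exactly the well-known scanners Jared describes, which is why a sensor operator should keep and review that list rather than rely on the event type alone.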
>> could the author(s) please amplify
>>
>> We filter out “scan” traffic, and any other login or access attempts are considered “attacks”
>>
>> why? what is the difference and how algorithmically do you differentiate?
>
> I suspect there's some known white-hats, eg: shadowserver that use well identified scanners for purposes that are worthwhile and valuable, and those are easy to identify.

i have suggested a number of times that we coordinate registries of research experiments which could cause anomalies or other bumps in the graph of measurements. e.g. RIS and RV seem obvious data sources with anomalies caused by known experiments.

[ an example which does not point fingers at others is the month in 2008 where AS3130 had a BGP topological out-degree of the entire AS set ]

a gang of us ran, and are still running, an experiment which is creating a disturbance in the RPKI/ROA force. how do we warn other researchers (and ops) ex post facto?

i think it was vern who had a nice paper on the kinds of meta-data we should keep.

> Many researchers also put up pages that explain what they are doing, why and may even include opt-out options.

yep. good. but somewhat orthogonal.

note that, if one is borrowing RIR resources for an experiment, the RIR(s) ask the researcher(s) to explicitly do this.

randy