Hello Töma, if you (Qrator Labs) behave in the same way as cyber-criminals, than what is the difference between you two? What is the purpose of database with information about vulnerable sites on the Internet? And Qrator Labs is building and maintaining that database by this scanning. Who has access to this database? Does Qrator Labs notify operators of vulnerable networks about the problems they discovered? If I catch cyber-criminals during the network scanning or brute force attack, I can start some legal actions. And what can I do when I catch Cyber Security company, like Qrator Labs, doing the same thing? Best regards, *Nenad Krajnović, PhD E.E.* Founder & CTO *.........................................*** Serbian Open eXchange***/ *AS 13004 */*www.sox.rs <http://www.sox.rs> *.........................................*** Address: Todora Dukina 78, 11000 Belgrade, Serbia Mob: +381 6 777 33 777 */***mail: krajko@sox.rs <mailto:krajko@sox.rs>**** SOX logo On 22.4.2026 0:48, Töma Gavrichenkov wrote:
Peace,
On Wed, 22 Apr 2026, 1:31 am Nenad Krajnovic, <krajko@sox.rs> wrote:
First of all, Qrator Labs didn't get any authorization from SOX for scanning our network and it is legal from our side to threat that activity as malicious.
Well, it goes without saying that everyone's always free to categorize any incoming or outgoing activity related to their own network as they like! I think if you detect and block scanners which are trying to find amplifiers in your network, it's actually really good, because then these vulnerable machines won't be used in DDoS attacks.
The scans themselves don't cause any harm whatsoever. The purpose of the crawler is to identify and mark poorly maintained networks with lots of vulnerable software, because such networks might constitute a threat to others on the Internet. Of course, requesting a prior "authorisation" kind of defeats this purpose, because if a network is poorly maintained, then its administrators will rarely be able to comprehend what kind of authorisation is being requested.
Moreover, the actual cybercriminals won't request that permission, either, so they will always have the full coverage no matter what.
Second, it was not one ping. I found more than 20 attempts to access the router on UDP/161 port. It looks like brute force attack to me.
The scan runs over all the public IPv4 address space, and runs periodically, because new amplifiers are spawned here and there constantly, and old ones sometimes get shut down (albeit less often than everyone would like them to be!). So yes, it's logical that you'll see several traces of the scans, not one.
-- Töma
<#m_139082598936627748_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
-- Avast antivirusni softver je proverio ovu e-poštu na viruse. www.avast.com
