Peace,

In today's presentation "How to try to catch the hackers?", slide 13, a question was asked: what are the security companies doing by sending UDP probes?

I worked at Qrator Labs before, and I know the team behind this probing. If you want to know more, there's an article on the website: https://radar.qrator.net/learn/2?article=23

I don't know what Palo Alto is doing, but maybe similar things?

Hope that helps.

-- Töma
Hello Töma,

thank you for your e-mail. I read the article carefully and I have 2 comments. First of all, Qrator Labs didn't get any authorization from SOX for scanning our network and it is legal from our side to treat that activity as malicious. Second, it was not one ping. I found more than 20 attempts to access the router on UDP/161 port. It looks like a brute force attack to me. Under these circumstances, I do not see any excuse for them.

Best regards,
Nenad Krajnović, PhD E.E.
Founder & CTO
Serbian Open eXchange / AS 13004 / www.sox.rs
Address: Todora Dukina 78, 11000 Belgrade, Serbia
Mob: +381 6 777 33 777
mail: krajko@sox.rs
Peace,

On Wed, 22 Apr 2026, 1:31 am Nenad Krajnovic, <krajko@sox.rs> wrote:

First of all, Qrator Labs didn't get any authorization from SOX for scanning our network and it is legal from our side to treat that activity as malicious.
Well, it goes without saying that everyone's always free to categorize any incoming or outgoing activity related to their own network as they like! I think if you detect and block scanners which are trying to find amplifiers in your network, it's actually really good, because then these vulnerable machines won't be used in DDoS attacks. The scans themselves don't cause any harm whatsoever. The purpose of the crawler is to identify and mark poorly maintained networks with lots of vulnerable software, because such networks might constitute a threat to others on the Internet. Of course, requesting a prior "authorisation" kind of defeats this purpose, because if a network is poorly maintained, then its administrators will rarely be able to comprehend what kind of authorisation is being requested. Moreover, the actual cybercriminals won't request that permission, either, so they will always have the full coverage no matter what.
Second, it was not one ping. I found more than 20 attempts to access the router on UDP/161 port. It looks like a brute force attack to me.
The scan runs over all the public IPv4 address space, and runs periodically, because new amplifiers are spawned here and there constantly, and old ones sometimes get shut down (albeit less often than everyone would like them to be!). So yes, it's logical that you'll see several traces of the scans, not one. -- Töma
Hello Töma,

if you (Qrator Labs) behave in the same way as cyber-criminals, then what is the difference between you two? What is the purpose of a database with information about vulnerable sites on the Internet? And Qrator Labs is building and maintaining that database by this scanning. Who has access to this database? Does Qrator Labs notify operators of vulnerable networks about the problems they discovered? If I catch cyber-criminals during the network scanning or brute force attack, I can start some legal actions. And what can I do when I catch a Cyber Security company, like Qrator Labs, doing the same thing?

Best regards,
Nenad Krajnović, PhD E.E.
Founder & CTO
Serbian Open eXchange / AS 13004 / www.sox.rs
Address: Todora Dukina 78, 11000 Belgrade, Serbia
Mob: +381 6 777 33 777
mail: krajko@sox.rs
Peace,

On Wed, 22 Apr 2026, 2:23 am Nenad Krajnovic, <krajko@sox.rs> wrote:

if you (Qrator Labs) behave in the same way as cyber-criminals, then what is the difference between you two?
It's not the same way. What makes cybercriminals cybercriminals is that they conduct cyberattacks. A harmless network scan is not a cyberattack. It is frequently *associated* with cyberattacks because cybercriminals, too, often use network scans as the preparatory phase. However, not all scans have a malicious purpose.

What is the purpose of a database with information about vulnerable sites on the Internet? And Qrator Labs is building and maintaining that database by this scanning. Who has access to this database? Does Qrator Labs notify operators of vulnerable networks about the problems they discovered?

Yes, of course! You can sign up for an account on the website https://radar.qrator.net and, after proper authorisation of you as the maintainer of the autonomous system, you can view all the information about your AS and your networks, including this particular one, for free. This *is* among the main purposes of the said database.

If I catch cyber-criminals during the network scanning or brute force attack, I can start some legal actions.

Well, first, taking legal actions against the cybercriminals scanning networks is, to put it lightly, impractical. It's not like these criminals register their scanning IPs to their passports or IDs. The actual malicious scanners will typically operate from some breached servers, or counter-abuse-resistant hosting companies, or from equipment rented with fake IDs, or all the three combined. Trying to take some legal action against that will require a lot of time and effort, and in the end the scanner will just migrate to another server in a few hours.

Moreover, with the scanning *per se*, I don't really think there's a legal basis for that. On the Internet, the communication is "regulated" by the IETF RFCs, and per the RFCs, once you advertise your networks in the DFZ, you allow other DFZ users to reach your network. There's no RFC about requesting any kind of prior authorisation from an AS before establishing a TCP session or something. And network scans themselves do not cause any damage.

Brute force might be a different story, but it's sort of off topic because the scanner in question doesn't do brute force. If you record a tcpdump of that activity, you could see for yourself that all the packets sent to these ports are identical; there's no attempt to brute force passwords or whatever else.

-- Töma
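The tcpdump check described in the message above, worked through as an added example (this is not code from the thread, from SOX or from Qrator Labs): a small Python triage of UDP/161 records taken from a capture. It parses the SNMPv1/v2c message header to pull out the community string and reports, per source address, how many packets arrived, how many distinct payloads there were, and which community strings were tried. Twenty copies of the same packet with one community string look like a periodic probe; a run of different community strings looks like community guessing. The capture records, addresses and payloads are constructed sample data, not traffic from the thread.

```python
"""Triage UDP/161 records from a packet capture.

Added example: distinguish a repeated, identical SNMP probe from a run of
different community strings by parsing the SNMPv1/v2c header of each packet.
All records below are constructed sample data, not traffic from the thread.
"""
from collections import defaultdict

# Constructed SNMPv1 GetRequest payloads for sysDescr.0 (1.3.6.1.2.1.1.1.0).
# Only the community string (and the outer length) differs between them.
_PDU = ("a01c" "0204" "00000001" "020100020100"
        "300e300c0608" "2b06010201010100" "0500")
PUBLIC_GET = "3029" "020100" "0406" "7075626c6963" + _PDU    # community "public"
PRIVATE_GET = "302a" "020100" "0407" "70726976617465" + _PDU  # community "private"
ADMIN_GET = "3028" "020100" "0405" "61646d696e" + _PDU        # community "admin"

# Constructed capture records: (timestamp, source IP, UDP dst port, payload hex).
# 198.51.100.7 sends the same packet once a day; 203.0.113.9 cycles communities.
SAMPLE_RECORDS = [
    (f"2026-04-{d:02d}T03:00:00Z", "198.51.100.7", 161, PUBLIC_GET) for d in range(1, 21)
] + [
    ("2026-04-21T10:00:00Z", "203.0.113.9", 161, PUBLIC_GET),
    ("2026-04-21T10:00:01Z", "203.0.113.9", 161, PRIVATE_GET),
    ("2026-04-21T10:00:02Z", "203.0.113.9", 161, ADMIN_GET),
    ("2026-04-21T10:00:03Z", "203.0.113.9", 161, "deadbeef"),  # junk, not SNMP
    ("2026-04-21T10:00:04Z", "192.0.2.1", 53, "abcd0100"),      # not port 161, ignored
]


def _tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of payload")
    return tag, buf[pos:pos + length], pos + length


def snmp_community(payload: bytes):
    """Return (version, community) for an SNMPv1/v2c message, else None.

    v1 is version 0, v2c is version 1. SNMPv3 puts a SEQUENCE (not an OCTET
    STRING) after the version, so it deliberately comes back as None here.
    """
    try:
        tag, body, end = _tlv(payload, 0)
        if tag != 0x30 or end != len(payload):
            return None
        tag, ver, pos = _tlv(body, 0)
        if tag != 0x02:
            return None
        tag, comm, _ = _tlv(body, pos)
        if tag != 0x04:
            return None
        return int.from_bytes(ver, "big"), comm.decode("latin-1")
    except ValueError:
        return None


def triage(records):
    """Group UDP/161 packets by source and summarise what each source tried."""
    by_src = defaultdict(list)
    for _ts, src, dport, payload_hex in records:
        if dport == 161:
            by_src[src].append(bytes.fromhex(payload_hex))
    report = {}
    for src, payloads in by_src.items():
        communities = []
        for p in payloads:
            parsed = snmp_community(p)
            communities.append(parsed[1] if parsed else "<non-snmp>")
        distinct = sorted(set(communities))
        verdict = ("single community string: consistent with a repeated probe"
                   if len(distinct) == 1 else
                   "multiple community strings: consistent with community guessing")
        report[src] = {
            "attempts": len(payloads),
            "distinct_payloads": len(set(payloads)),
            "communities": distinct,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, summary in triage(SAMPLE_RECORDS).items():
        print(src, summary)
```

The community string is the only credential an SNMPv1/v2c packet carries, so counting distinct community strings per source is the direct test for the "brute force" reading of the traffic: twenty copies of one community string are a repeated probe, however many of them there are.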
how can i easily find the results of scans of my networks? randy
Peace,

On Wed, 22 Apr 2026, 3:31 am Randy Bush, <randy@psg.com> wrote:
how can i easily find the results of scans of my networks?
1. Register on the website: https://radar.qrator.net
2. Confirm ownership of the AS. This is a mandatory step. The information available (route leaks, hijacks, amplifiers) shall only be available to the owner or a maintainer of the AS. Of course, that information is openly collected from the public sources, so it's not, like, classified, and malicious actors can potentially also collect such data by themselves (and it's all but confirmed that many of them do) but I believe you'd understand that no one would be willing to make their job any easier.
3. This is it, the data is now available to you on the website.

-- Töma
participants (3)
- Nenad Krajnovic
- Randy Bush
- Töma Gavrichenkov