Randy,
What do folk do about persistent SNMP probers? I.e. j random clueless sites which keep querying one's backbone router(s). E.g. this morning I get the NOC shift change report with the folk hammering on our routers as if we were stupid enough to use 'public' as the community string.
The problem isn't so much stupid people as stupid default settings on some network tools. A lot of software exists for the "enterprise" network market. Apparently, the designers of this software don't realize that most enterprise IP networks touch the larger, fully connected Internet. The default settings on half a dozen products I've personally used default to trying to discover the entire Internet on startup.
I learned this the hard way a few years back. Every night before going home, I'd re-boot a network monitoring station, which would crash during the night. The station was crashing somewhere in the middle of the discovery of net 18. After the third or fourth attempt at discovering net 18, I got a phone call from MIT, and realized why my network monitoring station was crashing. (whoops)
Things got really interesting when I called up the manufacturer. I asked them to please help me stop this software discovery process. Took me half an hour of explaining to convince them that discovering the entire Internet wasn't in the best interest of their customers. Took a new version to really stop this "feature".
So every day some poor NOC person has to search these folk down with the great tools we have, send email, get told they're nazi idiots, ...
So what do folk do about this?
Educate, then assassinate.
Seriously, I think some education is needed for the proliferating manufacturers of lower end IP management tools. All of a sudden, there are a lot of IP monitoring products out there. Most all of our customers are running some sort of tool to check the status of their LAN workstations, etc. We've been having to educate almost every new customer lately.
Maybe denying some TCP socket at the border router level would stop a lot of this?
Regards,
Bill
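One way to turn a night's router logs into the "who is hammering us" list that the NOC shift report carries, as an added example that is not part of this thread: it picks out sources that keep coming back across days rather than one-off stray queries. The syslog-like line format, the router names and the addresses are constructed assumptions, not taken from any real product.

```python
import re

# Constructed sample lines in a made-up syslog-like format (not from any
# real router); each records an SNMP request a backbone router refused.
SAMPLE_LOG = """\
Mar 12 02:14:07 bb-rtr1 snmp: auth failure from 192.0.2.10 community public
Mar 12 02:14:08 bb-rtr1 snmp: auth failure from 192.0.2.10 community public
Mar 12 02:14:09 bb-rtr2 snmp: auth failure from 192.0.2.10 community public
Mar 12 09:30:00 bb-rtr1 snmp: auth failure from 198.51.100.7 community private
Mar 13 02:14:10 bb-rtr1 snmp: auth failure from 192.0.2.10 community public
Mar 13 02:14:11 bb-rtr2 snmp: auth failure from 192.0.2.10 community public
Mar 13 11:02:45 bb-rtr2 snmp: auth failure from 203.0.113.5 community public
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) \S+ (?P<router>\S+) snmp: auth failure "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) community (?P<community>\S+)$"
)


def summarize(log_text):
    """Aggregate refused SNMP requests per source address."""
    per_src = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not SNMP auth failures
        s = per_src.setdefault(
            m["src"], {"count": 0, "days": set(), "routers": set(), "communities": set()}
        )
        s["count"] += 1
        s["days"].add(f"{m['mon']} {m['day']}")
        s["routers"].add(m["router"])
        s["communities"].add(m["community"])
    return per_src


def persistent_probers(log_text, min_days=2, min_hits=5):
    """Sources seen on >= min_days distinct days or with >= min_hits total,
    most active first; these are the ones worth an email to the remote site."""
    out = []
    for src, s in summarize(log_text).items():
        if len(s["days"]) >= min_days or s["count"] >= min_hits:
            out.append((src, s["count"], sorted(s["days"]),
                        sorted(s["routers"]), sorted(s["communities"])))
    out.sort(key=lambda r: -r[1])
    return out


if __name__ == "__main__":
    for src, n, days, routers, comms in persistent_probers(SAMPLE_LOG):
        print(f"{src}: {n} hits over {len(days)} day(s), routers={routers}, communities={comms}")
```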
I wouldn't really blame this on the NMS vendors as much as the lack of standardized topology information in standard MIBs. The NMS products use the brute-force method for a reason... there's little else available (there's nothing available in many products; MIB-II is (unfortunately) often the only thing you can really count on across products). It's sort of like a discussion here a few months ago about how useless traceroute can be (though I really would not like to open up that discussion here again). I do agree that you can throttle it so it doesn't run amok, and users shouldn't need to run it often (unless their own network's topology is changing a lot).
Daniel