If you want to identify which peering links are sending you spoofed DDoS amplification request traffic and which (Shadowserver identified) IPs in your network the traffic is going to, please take a look at my Tattle Tale project: https://github.com/racompton/tattle-tale Identify which peers are sending you the spoofed UDP amplification traffic and "encourage" them to follow BCP 38/84! The project has this file to identify legitimate scanning traffic: https://github.com/racompton/tattle-tale/blob/main/logstash/conf.d/81-filter... -Rich On 6/28/21, 1:29 PM, "NANOG on behalf of Jean St-Laurent via NANOG" <nanog-bounces+rich.compton=charter.com@nanog.org on behalf of nanog@nanog.org> wrote: CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance. Great list. ShadowServer is there twice on page 7. They must be noisy 😉 Jean -----Original Message----- From: NANOG <nanog-bounces+jean=ddostest.me@nanog.org> On Behalf Of Hank Nussbacher Sent: June 28, 2021 2:50 PM To: nanog@nanog.org Subject: Re: shadowserver.org > What is the difference between shodan.io and shadowserver.org ? Jean Just those 2? Greynoise maps them all. See an old preso from 2018: https://www.slideshare.net/andrewwantsyou/identifying-and-correlating-intern... See slide 7 for a 4 year old list which has only grown :-) -Hank E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.