On 6 Jul 2021, at 16:53, Tore Anderson <tore@fud.no> wrote:
I was just curious to hear if anyone else is seeing the same thing, and also whether or not people feel that this is an okay thing for this «Internet Measurement Research (SIXMA)» to do (assuming they are white-hats)?
Scanning is part of the ‘background radiation’ of the Internet, and it’s performed by various parties with varying motivations. Of necessity, IPv6 scanning is likely to be more targeted (were your able to discern any rhyme or reason behind the observed scanning patterns?). iACLs, tACLs, CoPP, selective QoS for various ICMPv6 types/codes, et. al. should be configured in such a manner that 600pps of anything can’t cause an adverse impact to any network functions. Because actual bad actors are unlikely to voluntarily stop, even when requested to do so. -------------------------------------------- Roland Dobbins <roland.dobbins@netscout.com>