Hat: open.*project person.

With the complaints we get, often the people aren't properly secured, they are just seeing the noise in their logs or they just started logging. We often get more complaints after the first six months as someone says "oh hey, we updated our IPS and now see the NTP traffic that we didn't see in 2000-2015, let's complain about it". It's good they have visibility now but most people don't get the true issue or impact, and don't even appreciate it when they are on the receiving end of a 100-250Gb/s attack from these services.

Take a moment to read the Christian Rossow paper called "Amplification Hell". While amplifiers are only a part of the equation, the trend of fixes is important to track so people understand the state of the fixes.

Jared Mauch
On Jan 12, 2015, at 1:38 PM, Frank Bulk <frnkblk@iname.com> wrote:
In regards to ShadowServer, I don’t think they’re randomly scanning networks, and neither are folks like OpenResolver – I think it’s pretty systematic, albeit from perhaps only a certain point of view on the Internet. If their scans are being dropped and logged, that’s great – that means someone has measures in place to mitigate attacks that leverage those UDP protocols. But for those who use their output to better secure their own and clients’ endpoint devices, it’s much appreciated. If it’s really just a drop in the ocean, what does it matter to you?