Pardon for the ignorance regarding this. If folks can point me to something I may have missed as a participant for over 14 years, to powering this Alzheimer's.

I received several reports today regarding some scans for UDP items from Shadowserver, hosted out of H.E. It seems to claim to be checking for issues regarding UDP issues, amp issues, which I am all fine with, but my issue is this: it trips several IDP/IPS traps, pretty much causing issues that I have to resolve. I have one user that is a home user (outside one of my /16s) that has seen this as well. Now, with that said, are these folks that do this going to pay for one of my users that pays per bit for this? Does garbage in to this really provide a garbage clean? I see they are planning on a bunch of other protocols too, so that's nice.

I'm not sure where to go with this other than to advise my other folks to drop this traffic from their 184.105.139.64/26 networks and hope for the best regarding my FAP folks.

Regards,
-Joe
On Mar 31, 2014, at 10:51 PM, Joe <jbfixurpc@gmail.com> wrote:
Pardon for the ignorance regarding this. If folks can point me to something I may have missed as a participant for over 14 years, to powering this Alzheimer's.

I received several reports today regarding some scans for UDP items from Shadowserver, hosted out of H.E. It seems to claim to be checking for issues regarding UDP issues, amp issues, which I am all fine with, but my issue is this: it trips several IDP/IPS traps, pretty much causing issues that I have to resolve. I have one user that is a home user (outside one of my /16s) that has seen this as well. Now, with that said, are these folks that do this going to pay for one of my users that pays per bit for this? Does garbage in to this really provide a garbage clean? I see they are planning on a bunch of other protocols too, so that's nice.

I'm not sure where to go with this other than to advise my other folks to drop this traffic from their 184.105.139.64/26 networks and hope for the best regarding my FAP folks.
There are lots of people who think they need to monitor and respond to every packet that they didn't "expect". Sadly we are in a state of the world where these surveys have become necessary, both as part of people getting their PhD, but also to provide operational data to network "first responders" in closing down open resolvers, NTP amplifiers and many other resources that can be abused.

Many folks have automated tools that "complain" when these packets come at them but aren't actually accurate in their complaints, like claiming the UDP packets are an attempt to "log in" to their service, or saying that UDP is TCP or something else.

There are a few people (Cymru, Shadowserver, myself via Open*Project) that are doing work to enumerate and provide data on the problem to the community. For each person that complains there are about 100 thank-yous for the data they received.

The R&E community has a number of criteria for their collection, which is to have rDNS and a website on a name matching that rDNS so people can visit it. There are also lists of "do not probe" that exist: https://www.dns-oarc.net/oarc/services/dontprobe

If your security posture can't accept unsolicited packets you perhaps need to move to a whitelist model vs. a blacklist one for traffic. (Or your policies about this need to be reviewed... I see every IP address I have control over, either home or work, get scanned by all sorts of malware and evil stuff; if you have to respond to each of them, that's an impractical task.) Without S.A.V.E. (BCP-38/84) one can't tell if that origin IP is accurate in any event.

- Jared
On 3/31/2014 10:51 PM, Joe wrote:
I received several reports today regarding some scans for UDP items from Shadowserver, hosted out of H.E. It seems to claim to be checking for issues regarding UDP issues, amp issues, which I am all fine with, but my issue is this: it trips several IDP/IPS traps, pretty much causing issues that I have to resolve. I have one user that is a home user (outside one of my /16s) that has seen this as well. Now, with that said, are these folks that do this going to pay for one of my users that pays per bit for this? Does garbage in to this really provide a garbage clean? I see they are planning on a bunch of other protocols too, so that's nice.
If I were paying per bit I would probably want my ISP to rate limit and firewall lots of traffic before it ever reached my pay-per-bit line. Otherwise I would be paying for huge amounts of unsolicited traffic from everywhere.
I'm not sure where to go with this other than to advise my other folks to drop this traffic from their 184.105.139.64/26 networks and hope for the best regarding my FAP folks.
Regards, -Joe
If you're comfortable that your internal audits are accurate and what these people are doing won't provide you any value, I don't see what harm it would do to block them. Since they also have to worry about botnet authors blocking their traffic, I imagine they might change IP ranges after a while. You might complain to them directly and see if they can add you to a do not poll list. It looks like they have a couple of emails for issues listed here: https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
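Jared's point above that these probes are single unsolicited UDP datagrams rather than "log-in" attempts, and Robert's suggestion of simply blocking the 184.105.139.64/26 range, both come down to the same operational task: tuning the IDS so that announced survey probes are filed as noise while real repeat offenders still page. The following is an added example, not code from any poster in this thread or from Shadowserver. It assumes a hypothetical alert line format (timestamp, source, destination, protocol, destination port, quoted signature) and uses constructed sample alerts; the only prefix taken from the thread is the /26 Joe named, the rest of the prefix list is left for the operator to maintain.

```python
"""Triage IDS alerts so that announced Internet-survey probes are filed as
noise instead of paged as intrusions.

Added example for this thread, not code from any poster or from Shadowserver.
The prefix 184.105.139.64/26 is the one named in the thread; the alert
format (ts src dst proto dport "signature") and the alert lines themselves
are constructed for illustration and do not match any particular IDS.
"""
import ipaddress
import shlex
from collections import Counter

# Prefixes of announced survey scanners. Only the /26 from the thread is
# sourced; in practice this list is maintained locally from operator notices
# and the DNS-OARC "don't probe" registry (assumption, not a published feed).
SURVEY_PREFIXES = [ipaddress.ip_network("184.105.139.64/26")]

# Constructed sample alerts: one-shot UDP probes from the survey prefix, an
# SSH brute-force run from elsewhere, and a lone SSDP probe.
SAMPLE_ALERTS = """\
2014-03-31T22:51:01 184.105.139.70 192.0.2.10 udp 53 "DNS open resolver probe"
2014-03-31T22:51:01 184.105.139.70 192.0.2.11 udp 123 "NTP monlist request"
2014-03-31T22:51:02 184.105.139.71 192.0.2.12 udp 161 "SNMP public community"
2014-03-31T22:51:02 184.105.139.71 192.0.2.12 udp 161 "SNMP login attempt"
2014-03-31T22:52:10 198.51.100.7 192.0.2.10 tcp 22 "SSH brute force"
2014-03-31T22:52:11 198.51.100.7 192.0.2.10 tcp 22 "SSH brute force"
2014-03-31T22:52:12 198.51.100.7 192.0.2.10 tcp 22 "SSH brute force"
2014-03-31T22:53:00 203.0.113.9 192.0.2.11 udp 1900 "SSDP M-SEARCH"
"""


def parse_alert(line):
    """Split one alert line into its fields; the signature may contain spaces."""
    ts, src, dst, proto, dport, sig = shlex.split(line)
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "dport": int(dport),
        "sig": sig,
    }


def is_survey_source(src):
    """True if src falls inside a known survey-scanner prefix.

    Caveat from the thread: without BCP-38/84 ingress filtering a source
    address can be forged, so this match only lowers alert priority; it is
    never a reason to let the traffic through or to trust its origin.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in SURVEY_PREFIXES)


def triage(alert_text, repeat_threshold=3):
    """Label each alert: survey-noise, escalate, single-udp-probe or review.

    A flow is (src, dst, proto, dport). Survey sources are filed as noise
    regardless of what the signature claims (a single UDP datagram is not a
    "log-in"). Other flows that repeat at least repeat_threshold times are
    escalated; an isolated UDP datagram from anywhere else is a low-priority
    probe; everything else is left for a human to review.
    """
    alerts = [parse_alert(l) for l in alert_text.splitlines() if l.strip()]
    flows = Counter((a["src"], a["dst"], a["proto"], a["dport"]) for a in alerts)
    result = []
    for a in alerts:
        key = (a["src"], a["dst"], a["proto"], a["dport"])
        if is_survey_source(a["src"]):
            label = "survey-noise"
        elif flows[key] >= repeat_threshold:
            label = "escalate"
        elif a["proto"] == "udp" and flows[key] == 1:
            label = "single-udp-probe"
        else:
            label = "review"
        result.append((a["ts"], str(a["src"]), a["sig"], label))
    return result


def summarize(triaged):
    """Count alerts per label, which is what belongs in the daily report."""
    return Counter(label for _, _, _, label in triaged)


if __name__ == "__main__":
    rows = triage(SAMPLE_ALERTS)
    for ts, src, sig, label in rows:
        print(f"{ts} {src:<16} {label:<17} {sig}")
    print(dict(summarize(rows)))
```

Two things to keep in mind when using this. First, the prefix match de-prioritises alerts; it does not allowlist anything, because, as Jared notes, without source address validation the origin IP on a UDP packet is not trustworthy. Second, suppressing the alert does nothing for the bits already delivered to a pay-per-bit customer; that part of Joe's complaint is only addressed upstream, by the ISP dropping or rate-limiting the prefix before it reaches the customer's line, as Robert points out.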
At the bottom of one of their pages it says this:

If you would like us to not scan your network, please let us know and we will remove your networks from the scan. Likewise, if you have any more questions please feel free to send us an email at: dnsscan [at] shadowserver [dot] org.

They are quite responsive to questions.

Frank

-----Original Message-----
From: Joe [mailto:jbfixurpc@gmail.com]
Sent: Monday, March 31, 2014 9:51 PM
To: NANOG
Subject: Just wondering
participants (4)
- Frank Bulk
- Jared Mauch
- Joe
- Robert Drake