What do folk do about persistent SNMP probers? I.e. j random clueless sites which keep querying one's backbone router(s). E.g. this morning I get the NOC shift change report with the folk hammering on our routers as if we were stupid enough to use 'public' as the community string.
mae-east Bad community string from 194.168.51.4
mae-east Bad community string from 193.38.113.216
mae-west Bad community string from 202.85.254.5
mae-west Bad community string from 206.79.240.190
mae-west Bad community string from 193.38.113.216
pdx Bad community string from 204.119.24.200
pen Bad community string from 164.117.144.245
pen Bad community string from 193.38.113.216
paix Bad community string from 204.79.240.190

So every day some poor NOC person has to search these folk down with the great tools we have, send email, get told they're nazi idiots, ...

So what do folk do about this?

randy
On Wed, 9 Apr 1997, Randy Bush wrote:
> What do folk do about persistent SNMP probers? I.e. j random clueless sites which keep querying one's backbone router(s). E.g. this morning I get the NOC shift change report with the folk hammering on our routers as if we were stupid enough to use 'public' as the community string. (...) So every day some poor NOC person has to search these folk down with the great tools we have, send email, get told they're nazi idiots, ...
>
> So what do folk do about this?

So long as they only probe with the "public" string, we ignore it. If they start trying to guess our strings, then we go after them. Most of our equipment can tell the difference, and we bug vendors to fix the rest.

__
Todd Graham Lewis
MindSpring Enterprises
tlewis@mindspring.com
Randy Bush wrote :
|-> What do folk do about persistent SNMP probers? I.e. j random clueless sites
|-> which keep querying one's backbone router(s). E.g. this morning I get the
|-> NOC shift change report with the folk hammering on our routers as if we were
|-> stupid enough to use 'public' as the community string.
|->
|-> > mae-east Bad community string from 194.168.51.4
|-> > mae-east Bad community string from 193.38.113.216
|-> > mae-west Bad community string from 202.85.254.5
|-> > mae-west Bad community string from 206.79.240.190
|-> > mae-west Bad community string from 193.38.113.216
|-> > pdx Bad community string from 204.119.24.200
|-> > pen Bad community string from 164.117.144.245
|-> > pen Bad community string from 193.38.113.216
|-> > paix Bad community string from 204.79.240.190
|->
|-> So every day some poor NOC person has to search these folk down with the
|-> great tools we have, send email, get told they're nazi idiots, ...
|->
|-> So what do folk do about this?
|->
If you follow these up (generally) they find a bit of over-zealous netmon kit trying public on the whole Internet, and then go and learn how to filter this. OpenView, for example, when it first does its discovery phase has a nice habit of finding some clueless ISP at, say, Mae-East, who *does* use "public" as a comstr and then promptly probes all of _their_ customers, peers etc. also. It is possible to stop OV doing this and, indeed, it stops itself when it runs out of SNMPable routers. People that consistently do this are not normally trying to hack or be "over curious", just a bit lax or clueless with the software.

AFAICS, we get ~2000 packets a week with a "bad community string" on the border routers, and only ~20 packets a week further in, so I would be interested in knowing how much of this is caused by a dodgy bit of freeware ;) The only time I'd follow these up is if we saw the trend being broken by someone trying it *lots* of times to particular routers; but then, perhaps if we spent a few minutes emailing people the trend would die?

|-> randy
|->
Cheers,
Lyndon
--
Penis Envy is a total Phallusy.
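Todd's and Lyndon's replies above describe the same triage rule: ignore sources that only try "public" a few times, and follow up when a source starts guessing other strings or hits one router many times. The Python below is an added example (not from the thread or any poster) that applies that rule to constructed log lines in the shape of Randy's shift report; the trailing "(community ...)" field and the per-router threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the shape of the shift report quoted in the thread. The trailing
# "(community ...)" field is an assumption, not part of the page's log format.
SAMPLE_LOG = """\
mae-east Bad community string from 194.168.51.4 (community public)
mae-east Bad community string from 193.38.113.216 (community public)
mae-west Bad community string from 193.38.113.216 (community public)
pen Bad community string from 193.38.113.216 (community public)
paix Bad community string from 204.79.240.190
pdx Bad community string from 204.119.24.200 (community private)
pdx Bad community string from 204.119.24.200 (community secret)
pdx Bad community string from 204.119.24.200 (community public)
"""
LINE_RE = re.compile(r"^(?P<router>\S+) Bad community string from (?P<src>\S+)"
                     r"(?: \(community (?P<comm>\S+)\))?$")

def parse_log(text):
    """Yield (router, source, community-or-None) for each recognised line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("router"), m.group("src"), m.group("comm")

def classify_probers(text, per_router_threshold=3):
    """Split sources into 'ignore' and 'follow_up' using the thread's rule:
    ignore 'public'-only noise, chase guessing or repeated hits on one router."""
    tried = defaultdict(set)   # source -> community strings seen
    hits = Counter()           # (source, router) -> attempts
    for router, src, comm in parse_log(text):
        tried[src]             # register the source even when no community field is logged
        if comm:
            tried[src].add(comm)
        hits[(src, router)] += 1
    result = {"ignore": [], "follow_up": {}}
    for src, strings in tried.items():
        reasons = []
        guessed = sorted(strings - {"public"})
        if guessed:
            reasons.append("guessing: " + ",".join(guessed))
        busy = sorted(r for (s, r), n in hits.items()
                      if s == src and n >= per_router_threshold)
        if busy:
            reasons.append("repeated on " + ",".join(busy))
        if reasons:
            result["follow_up"][src] = reasons
        else:
            result["ignore"].append(src)
    return result
```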
On Wed, 9 Apr 1997, Randy Bush wrote:
> So every day some poor NOC person has to search these folk down with the great tools we have, send email, get told they're nazi idiots, ...
>
> So what do folk do about this?

Design a Go-Away MIB, register it with IANA, convince equipment vendors to support the MIB such that there is a filter table of allowed addresses for SNMP queries and anyone not on that list gets the Go-Away MIB. The MIB just needs a String that says Go Away (or your choice of message) and a few other items that return random numbers. Or someone could do a Tony Bates impression and collect the naughty SNMP prober data from various providers and post a weekly hall of shame report to this list. If there are a significant number of non-providers then this list could also be posted on a USENET snmp group and on a web page.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-250-546-3049
http://www.memra.com - E-mail: michael@memra.com
On Wed, 9 Apr 1997, Randy Bush wrote:
> So every day some poor NOC person has to search these folk down with the great tools we have, send email, get told they're nazi idiots, ...
>
> So what do folk do about this?

> Or someone could do a Tony Bates impression and collect the naughty SNMP prober data from various providers and post a weekly hall of shame report to this list. If there are a significant number of non-providers then this list could also be posted on a USENET snmp group and on a web page.

Data from our site would include a certain bi-coastal router vendor (who is not Cisco) that likes to use one of our class B networks for "internal testing purposes", and occasionally leaks their SNMP testing out to the Internet. Our solution was to block SNMP access from non-local sites, regardless of community string. It doesn't prevent the routers from logging the access violation, but it does prevent the remote prober from getting any useful information.

Scott M. Ballew
Purdue Data Network
Purdue University