RE: Research - Valid Data Gathering vs. Annoying Other
John K. Lerchey wrote: The problem is that many of their "random targets" consider the probes to be either malicious in nature, or outright attacks. As a result of this, we, of course, get complaints.
[me puts the politician/opportunist suit on. It's election year, after all.] The one thing I would suggest, if you get complaints, is to talk to the dude that wrote the "testing" thing and make it look less like an attack than it currently does. Vote for me. [/suit off] That being said, you might want to read again an excellent post from Steve Atkins earlier :-) "OMG, someone from China just tried to telnet to my router. I'm calling the FBI, the CIA and the NSA right away." The vty password is "san-fran", not "cisco", bozo.
One suggestion that I received from a co-worker to help mitigate this is to have the researchers run the experiments off of a www host, and to have the default page explain the experiment and also provide contact info.
Good idea, but largely useless as described, IMHO. I would suggest a better way: have the reverse lookup (PTR) of the testing IP address resolve to something like "see-www-dot-cmu-dot-edu-slash-testing" and have the explanatory web page there; this might help with GWF[1].
We also discussed having the researchers contact ISPs and other large providers to see if they can get permission to use addresses in their space as targets, and then providing the ISPs with info from the testing.
The answer is no.
How do you view the issue of experiments that probe random sites? Should this be accepted as "reasonable", or should it be disallowed? Something in between?
Irrelevant. Each operator and network admin will have a different opinion about it, and we all filter traffic the way we see fit. You will not get anything remotely close to a consensus here.

[1] GWF
Steve Atkins wrote: [GWF] Goober With Firewall. Originally from internal jargon at abuse@above.net - a complaint, for example, that "ns1.above.net is hackoring my port 53!" would be, and should still be, closed with the sole annotation being "GWF".
Alternate acronym meaning: Goon With Firewall. GWFes are mostly a by-product of IDS sales droids: first, they find one of these goober execs to attend a demo, then they crank up their gizmo that will find "high risk" alarms out of the ordinary network noise, then the exec hires a cheaper banana^H^H^H^H^H peanut eater aka GWS that does not know jack and has nothing to do but investigate the IDS alarms. The only thing that worries me about the recommendation I am about to make is that it is the same that we collectively used to think was the appropriate answer to spam (a long time ago): the delete key is your friend. Michel.
Michel Py
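The PTR idea from the reply above, worked out as an added example (this is not code from the thread or from CMU): the scanning organization publishes, for each probing address, a PTR whose first label spells out the explanation URL, plus the matching forward A/AAAA record; the abuse desk on the receiving end reverse-resolves the source, insists the name is forward-confirmed, and decodes the URL before anyone files a complaint. The zone, URL and addresses are constructed (example.edu and documentation ranges), and the DNS lookups are injectable so the code runs offline.

```python
"""Added example: PTR-based self-identification of research scanners.

Scanner side: one PTR per probing address whose first label spells out the
explanation URL ('.' -> '-dot-', '/' -> '-slash-', since neither may appear in
a label), and a forward A/AAAA record for that name so it is forward-confirmed.
Abuse-desk side: reverse-resolve, forward-confirm, decode.

ZONE, EXPLANATION_URL and SCANNERS are constructed for illustration.
"""
import ipaddress
import re
import socket

ZONE = "example.edu"                         # assumed zone of the scanning org
EXPLANATION_URL = "www.example.edu/testing"  # assumed location of the write-up
SCANNERS = ["192.0.2.10", "192.0.2.11", "2001:db8::10"]  # constructed probes


def spell_out(url: str) -> str:
    """'www.example.edu/testing' -> 'see-www-dot-example-dot-edu-slash-testing'.
    Only [a-z0-9./-] are accepted so the result is one valid DNS label,
    and a label is limited to 63 octets."""
    if not re.fullmatch(r"[a-z0-9./-]+", url):
        raise ValueError("URL has characters that cannot be spelled out in a label")
    label = "see-" + url.replace(".", "-dot-").replace("/", "-slash-")
    if len(label) > 63:
        raise ValueError("spelled-out label exceeds the 63-octet DNS label limit")
    return label


def decode(hostname: str):
    """Inverse of spell_out on the first label; None if not self-describing.
    Caveat: a URL that itself contains '-dot-' or '-slash-' is ambiguous."""
    label = hostname.rstrip(".").split(".")[0].lower()
    if not label.startswith("see-"):
        return None
    return label[len("see-"):].replace("-slash-", "/").replace("-dot-", ".")


def zone_records(addresses, url=EXPLANATION_URL, zone=ZONE):
    """Zone-file lines the scanning org publishes: a PTR in the reverse tree for
    every probing address, and a forward A/AAAA record for the spelled-out name
    so that the reverse answer can be confirmed with a forward lookup."""
    name = f"{spell_out(url)}.{zone}."
    lines = []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        lines.append(f"{ip.reverse_pointer}.\tIN\tPTR\t{name}")
        lines.append(f"{name}\tIN\t{'AAAA' if ip.version == 6 else 'A'}\t{ip}")
    return lines


def _forward_addrs(name):
    """Default forward resolver: every A/AAAA address the name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def explanation_for(ip, reverse=socket.gethostbyaddr, forward=_forward_addrs):
    """What an abuse desk should do before complaining about a probe from ip.
    Anyone who holds a reverse delegation can put arbitrary text in a PTR, so
    the name is only trusted if it resolves back to the same address.
    Returns the decoded URL, or None (no PTR, not confirmed, not self-describing)."""
    try:
        name, _, _ = reverse(ip)
        addrs = {ipaddress.ip_address(a) for a in forward(name)}
    except (OSError, ValueError):
        return None
    if ipaddress.ip_address(ip) not in addrs:
        return None
    return decode(name)


if __name__ == "__main__":
    print("\n".join(zone_records(SCANNERS)))
```

Run stand-alone it prints the PTR and A/AAAA lines to drop into the reverse and forward zones. The forward-confirmation step is the part a GWF's IDS vendor never mentions: a PTR alone is just a string chosen by whoever controls the in-addr.arpa delegation, so the decoded URL is worth reading only when the forward record agrees.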