[170572] in North American Network Operators' Group
Re: Just wondering
daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Mar 31 23:03:51 2014
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CA+zb_vF2QDjKpf+UH97BDEORRr6Mv-DK+5n4ZyK3DUOVSaK6gQ@mail.gmail.com>
Date: Mon, 31 Mar 2014 23:03:26 -0400
To: Joe <jbfixurpc@gmail.com>
Cc: NANOG <nanog@nanog.org>
On Mar 31, 2014, at 10:51 PM, Joe <jbfixurpc@gmail.com> wrote:
> Pardon for the ignorance regarding this. If folks can point me to something I may have missed as a participant for over 14 years, to powering this Alzheimer's.
>
> I received several reports today regarding some scans for UDP items from Shadowserver hosted out of H.E. Seems to claim to be checking for issues regarding UDP issues, amp issues, which I am all fine for, but my issue is this. It trips several IDP/IPS traps, pretty much causing issues that I have to resolve. I have one user that is a home user (outside one of my /16s) that has seen this as well. Now with that said, are these folks that do this going to pay for one of my users that pay per bit for this? Does garbage in to this really provide a garbage clean? I see they are planning on a bunch of other protocols too, so that's nice.
>
> I'm not sure where to go with this other than to advise my other folks to drop this traffic from their 184.105.139.64/26 networks and hope for the best regarding my FAP folks.
There are lots of people who think they need to monitor and respond to every packet that they didn't "expect".

Sadly we are in a state of the world where these surveys have become necessary, both as part of people getting their PhD, but also to provide operational data to network "first responders" in closing down open resolvers, NTP amplifiers and many other resources that can be abused.

Many folks have automated tools that "complain" when these packets come at them but aren't actually accurate in their complaints, like claiming the UDP packets are an attempt to "log in" to their service, or saying that UDP is TCP or something else.

There are a few people (Cymru, Shadowserver, myself via Open*Project) that are doing work to enumerate and provide data on the problem to the community.

For each person that complains there's about 100 thank-yous for the data they received.

The R&E community has a number of criteria for their collection, which is to have rDNS and a website on a name matching that rDNS so people can visit it.

There are also lists of "do not probe" that exist:
https://www.dns-oarc.net/oarc/services/dontprobe

If your security posture can't accept unsolicited packets you perhaps need to move to a whitelist model vs a blacklist one for traffic. (Or your policies about this need to be reviewed... I see every IP address I have control over, either home or work, get scanned by all sorts of malware and evil stuff; if you have to respond to each of them, that's an impractical task.)

Without S.A.V.E. (BCP-38/84) one can't tell if that origin IP is accurate in any event.

- Jared
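As an added example, not from this thread or from any of the projects named in it: a defender-side triage of IDS alert lines that separates probes from the research-scanner range Joe cites (184.105.139.64/26, attributed to Shadowserver in the thread) and sources that pass the forward-confirmed rDNS criterion Jared describes, from everything else that still needs a human look. The alert line format, the `triage_alerts` helper and the sample data are constructed; the two DNS lookups are injectable so the sample runs offline.

```python
import ipaddress
import re
from collections import Counter
from typing import Callable, Dict, List, Optional

# Prefix Joe cites in the thread for the Shadowserver probes; a site keeps this map from its own records.
KNOWN_SCANNER_PREFIXES: Dict[str, str] = {"184.105.139.64/26": "Shadowserver (per thread)"}

# Assumed alert format (constructed): a "src=<ipv4>" field somewhere on the line.
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")

PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR name or None
ALookup = Callable[[str], List[str]]         # name -> list of A records

def fcrdns(ip: str, ptr: PtrLookup, a: ALookup):
    """Forward-confirmed rDNS: the PTR name must resolve back to the same address.
    That is the 'rDNS on a name matching' criterion; a bare PTR alone proves little."""
    name = ptr(ip)
    return name, bool(name) and ip in a(name)

def classify_source(ip: str, ptr: PtrLookup, a: ALookup) -> Dict[str, Optional[str]]:
    """Known research range first, then FCrDNS, else leave it for a human to look at."""
    addr = ipaddress.ip_address(ip)
    for prefix, owner in KNOWN_SCANNER_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return {"ip": ip, "class": "known-research-scanner", "who": owner}
    name, ok = fcrdns(ip, ptr, a)
    return {"ip": ip, "class": "fcrdns-identified" if ok else "unidentified", "who": name}

def triage_alerts(lines: List[str], ptr: PtrLookup, a: ALookup) -> Counter:
    """Count alert sources per class; only the 'unidentified' bucket needs a response."""
    counts: Counter = Counter()
    for line in lines:
        m = SRC_RE.search(line)
        if m:
            counts[classify_source(m.group(1), ptr, a)["class"]] += 1
    return counts

# Constructed sample alerts plus a constructed offline resolver so this runs without DNS.
SAMPLE_ALERTS = [
    "[1:2100001] UDP probe src=184.105.139.70 dst=192.0.2.10 dport=123",
    "[1:2100001] UDP probe src=198.51.100.9 dst=192.0.2.10 dport=53",
    "[1:2100001] UDP probe src=203.0.113.77 dst=192.0.2.11 dport=1900",
    "malformed line with no source field",
]
FAKE_PTR = {"198.51.100.9": "scanner.example.net", "203.0.113.77": "dyn77.example.org"}
FAKE_A = {"scanner.example.net": ["198.51.100.9"], "dyn77.example.org": ["203.0.113.1"]}
if __name__ == "__main__":
    print(triage_alerts(SAMPLE_ALERTS, FAKE_PTR.get, lambda n: FAKE_A.get(n, [])))
```

For live use, pass wrappers around `socket.gethostbyaddr(ip)[0]` and `socket.gethostbyname_ex(name)[2]` as the two lookups; since source addresses can be spoofed where BCP-38 filtering is absent, the prefix match should lower alert priority, not authorise anything.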