[170573] in North American Network Operators' Group
Re: Just wondering
daemon@ATHENA.MIT.EDU (Robert Drake)
Mon Mar 31 23:44:10 2014
Date: Mon, 31 Mar 2014 23:43:49 -0400
From: Robert Drake <rdrake@direcpath.com>
To: <nanog@nanog.org>
In-Reply-To: <CA+zb_vF2QDjKpf+UH97BDEORRr6Mv-DK+5n4ZyK3DUOVSaK6gQ@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 3/31/2014 10:51 PM, Joe wrote:
>
> I received several reports today regarding some scans for udp items from
> shadowservers hosted out of H.E. Seems to claim to be checking for issues
> regarding udp issues, amp issues, which I am all fine for, but my issue is
> this. It trips several IDP/IPS traps pretty much causing issues that I have
> to resolve. I have one user that is a home user (outside one of my /16)
> that has seen this as well. Now with that said are these folks that do this
> going to pay for one of my users that pay per bit for this? Does garbage in
> to this really provide a garbage clean? I see they are planning on a bunch
> of other protocols too, so that's nice.

If I was paying per bit I would probably want my ISP to rate limit and
firewall lots of traffic before it ever reached my pay-per-bit line.
Otherwise I would be paying for huge amounts of unsolicited traffic from
everywhere.

> I'm not sure where to go with this other than to advise my other folks to
> drop this traffic from their 184.105.139.64/26 networks and hope for the
> best regarding my FAP folks.
>
> Regards,
> -Joe
>
If you're comfortable that your internal audits are accurate and what
these people are doing won't provide you any value, I don't see what
harm it would do to block them. Since they also have to worry about
botnet authors blocking their traffic, I imagine they might change IP
ranges after a while. You might complain to them directly and see if
they can add you to a do not poll list. It looks like they have a
couple of emails for issues listed here:
https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork