[192242] in North American Network Operators' Group


Re: Death of the Internet, Film at 11

daemon@ATHENA.MIT.EDU (Victor Kuarsingh)
Sun Oct 23 10:34:49 2016

X-Original-To: nanog@nanog.org
To: clinton mielke <clinton.mielke@gmail.com>,
 Florian Weimer <fw@deneb.enyo.de>
From: Victor Kuarsingh <victor@jvknet.com>
Date: Sun, 23 Oct 2016 10:34:50 -0400
In-Reply-To: <CANq0y_3ijoGwwmw66s7Pg8_+-cBkzVBBEcypfJ3qhUtsjiXeew@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Clinton,


On 10/23/2016 8:12 AM, clinton mielke wrote:
>
> My question for you guys, since I'm a theoretician and not a seasoned
> operator: how feasible or legal is it to find telnet scanning activity or
> any of these passwords in high-bandwidth netflows? If it's feasible, then
> this at least gets you the active scanning population of hosts, along with
> the IPs of all of their victims.

If there is enough concentration of common flows from a certain set of 
IPs, it's quite possible to detect the scanning activity using sampled 
flow data if one were collecting such data.  I say sampled as 1-for-1 
flow data collection is not common.

You would not see packet content just using flow data.

regards,

Victor K
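As an added illustration (not code or data from this thread), the kind of fan-out heuristic Victor describes, run over constructed sampled-flow records. It uses only flow header fields (addresses, ports, protocol, packet counts), since, as he notes, flow export carries no packet content and so cannot reveal any of the passwords themselves. The IP addresses, the 1:1000 sampling rate and the fan-out threshold are all assumptions made up for the example.

```python
from collections import defaultdict

# Assumed packet-sampling ratio of the exporter (1 in 1000); adjust to your collector.
SAMPLING_RATE = 1000

# Constructed sampled-flow records: (src_ip, dst_ip, dst_port, ip_proto, sampled_packets).
# 198.51.100.7 touches six distinct hosts on TCP/23 (scan-like fan-out);
# 192.0.2.10 talks to a single telnet host (ordinary admin session);
# 192.0.2.11 is HTTPS traffic and a UDP/23 record is included to show protocol filtering.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.1", 23, 6, 1),
    ("198.51.100.7", "203.0.113.2", 23, 6, 1),
    ("198.51.100.7", "203.0.113.3", 23, 6, 1),
    ("198.51.100.7", "203.0.113.4", 23, 6, 1),
    ("198.51.100.7", "203.0.113.5", 23, 6, 1),
    ("198.51.100.7", "203.0.113.6", 23, 6, 1),
    ("192.0.2.10", "203.0.113.50", 23, 6, 3),
    ("192.0.2.10", "203.0.113.50", 23, 6, 2),
    ("192.0.2.11", "203.0.113.80", 443, 6, 10),
    ("192.0.2.12", "203.0.113.9", 23, 17, 4),
]


def telnet_fanout(flows, sampling_rate=SAMPLING_RATE, dst_port=23):
    """Per source IP: (number of distinct TCP/23 destinations, estimated
    unsampled packet count).  Only header fields are consulted."""
    dsts = defaultdict(set)
    est_pkts = defaultdict(int)
    for src, dst, port, proto, packets in flows:
        if proto == 6 and port == dst_port:
            dsts[src].add(dst)
            # Scale the sampled count back up to an estimate of real volume.
            est_pkts[src] += packets * sampling_rate
    return {src: (len(d), est_pkts[src]) for src, d in dsts.items()}


def find_scanners(flows, min_distinct_dsts=5, sampling_rate=SAMPLING_RATE):
    """Sources whose distinct-destination fan-out on TCP/23 meets the threshold,
    sorted by fan-out descending.  The threshold is an assumed tuning value."""
    stats = telnet_fanout(flows, sampling_rate)
    hits = [(src, n, p) for src, (n, p) in stats.items() if n >= min_distinct_dsts]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def scanner_targets(flows, scanners, dst_port=23):
    """Destinations each flagged source was seen probing, for notification/triage."""
    flagged = {s for s, _, _ in scanners}
    targets = defaultdict(set)
    for src, dst, port, proto, _ in flows:
        if src in flagged and proto == 6 and port == dst_port:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items()}


def expected_sampled_records(num_targets, sampling_rate=SAMPLING_RATE, probes_per_target=1):
    """Rough count of records a collector expects to see from a scanner that sends
    `probes_per_target` packets to `num_targets` hosts under 1:sampling_rate sampling.
    Shows why sparse scans can fall below a fan-out threshold entirely."""
    return (num_targets * probes_per_target) / sampling_rate


if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_FLOWS)
    print("flagged:", scanners)
    print("targets:", scanner_targets(SAMPLE_FLOWS, scanners))
    print("records expected from a 1-probe/host scan of 2000 hosts:",
          expected_sampled_records(2000))
```

The last helper makes the sampling caveat concrete: a scanner that sends one SYN to each of a few thousand hosts leaves only a handful of records at 1:1000 sampling, so the fan-out threshold has to be set with the sampling ratio in mind, and the aggregation window kept long enough for records to accumulate.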


