Educause Security Discussion mailing list archives
Re: Researcher Activities
From: John Kristoff <jtk () DEPAUL EDU>
Date: Wed, 11 Jun 2008 10:41:35 -0500
On Wed, 11 Jun 2008 10:25:33 -0500 Willis Marti <wmarti () TAMU EDU> wrote:
> A lot of those and similar activities may set off (false) warnings about attacks or infected machines and can be considered "unfriendly". Certainly we don't let students play around that way.
If it is legitimate research I would support it. I've done this sort of thing so I'll share more based on my experience.
> Do you support that kind of research? Ban it? Ignore it? How about complaint handling?
The source of the probes should come from a host that can be easily identified with a PTR query as being part of a research project (e.g. research-icmp-prober.cs.tamu.edu). There should be a default web page at the source that identifies the project, the researchers and contact information. You should pre-notify a select group of ops people that this will be happening (e.g. this list, NANOG, UNISOG, nsp-security and so on).

Have a standard template response related to probes ready to go. Something along the lines of "We are sorry for any concern this may have caused. You may filter these packets or that host if you desire, but we prefer you did not. They are intended to be benign and not cause any operational problems. This is related to an Internet mapping/discovery/research project by <insert name/group>. etc..."

You will surely get some emails. When you reply, and you absolutely must do so, most if not all will simply accept the reason and move on. You might have someone that is too annoyed and wants you to blacklist their address space. I don't think you're under any obligation to do that, but it is something to consider if this will be a recurring practice.

Note, some types of probes are likely to generate more complaints than others. A TCP port 80 SYN may not attract much attention. A TCP 22 may attract more. If the probes hit a netblock in sequential order and quickly, that will attract more attention than if the destination addresses are highly randomized and spread out over a significant length of time.

John
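Added example, not part of the message above: a pre-flight check a security office could run before approving a research prober, covering the PTR name and the contact page the message asks for. The keyword list, the forward-confirmation step and the function names are assumptions of this example; the resolver functions can be swapped out so the check also runs offline.

```python
import re
import socket

# Assumed keywords; the message's own example name is
# research-icmp-prober.cs.tamu.edu.
HINTS = ("research", "prober", "probe", "measurement", "survey")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def system_ptr(ip):
    """PTR lookup via the system resolver; None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """Forward lookup via the system resolver; returns a set of addresses."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def preflight(source_ip, page_text, ptr=system_ptr, forward=system_forward):
    """Return the problems to fix before probing starts (empty list = ready)."""
    problems = []
    name = ptr(source_ip)
    if name is None:
        problems.append("no PTR record for the probe source")
    else:
        host_label = name.split(".")[0].lower()
        if not any(hint in host_label for hint in HINTS):
            problems.append(f"PTR name {name!r} does not identify a research project")
        # Assumption of this example: the name should also resolve back to the
        # source, so a recipient who looks it up lands on the project's page.
        if source_ip not in forward(name):
            problems.append(f"{name!r} does not resolve back to {source_ip}")
    if not EMAIL.search(page_text):
        problems.append("default web page lists no contact address")
    return problems


if __name__ == "__main__":
    # Constructed sample data (documentation address range, made-up names).
    ptr = {"192.0.2.10": "research-icmp-prober.cs.example.edu"}.get
    fwd = lambda name: {"192.0.2.10"}
    print(preflight("192.0.2.10", "Contact: probes@example.edu", ptr, fwd))
```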