Educause Security Discussion mailing list archives

Re: Researcher Activities


From: John Kristoff <jtk () DEPAUL EDU>
Date: Wed, 11 Jun 2008 10:41:35 -0500

On Wed, 11 Jun 2008 10:25:33 -0500
Willis Marti <wmarti () TAMU EDU> wrote:

> A lot of those and similar activities may set off (false) warnings
> about attacks or infected machines and can be considered
> "unfriendly". Certainly we don't let students play around that way.

If it is legitimate research I would support it.  I've done this sort
of thing so I'll share more based on my experience.

> Do you support that kind of research? Ban it? Ignore it?
> How about complaint handling?

The source of the probes should come from a host that can be easily
identified with a PTR query as being part of a research project (e.g.
research-icmp-prober.cs.tamu.edu).  There should be a default web page
at the source that identifies the project, the researchers and contact
information.  You should pre-notify a select group of ops people that
this will be happening (e.g. this list, NANOG, UNISOG, nsp-security and
so on).  Have a standard template response related to probes ready to
go.  Something along the lines of "We are sorry for any concern this
may have caused.  You may filter these packets or that host if you
desire, but we prefer you did not.  They are intended to be benign and
not cause any operational problems. This is related to an Internet
mapping/discovery/research project by <insert name/group>. etc..."

You will surely get some emails.  When you reply, and you absolutely
must do so, most if not all will simply accept the reason and move on.
You might have someone that is too annoyed and wants you to blacklist
their address space.  I don't think you're under any obligation to do
that, but it is something to consider if this will be a recurring
practice.

Note, some types of probes are likely to generate more complaints than
others.  A TCP port 80 SYN may not attract much attention.  A TCP 22
may attract more.  If the probes hit a netblock in sequential order and
quickly, that will attract more attention than if the destination
addresses are highly randomized and spread out over a significant
length of time.

John
