nanog mailing list archives

RE: Research - Valid Data Gathering vs. Annoying Other


From: "Michel Py" <michel () arneill-py sacramento ca us>
Date: Fri, 6 Aug 2004 22:30:30 -0700


John K. Lerchey wrote:
> The problem is that many of their "random targets" consider
> the probes to be either malicious in nature, or outright
> attacks. As a result of this, we, of course, get complaints.

[me puts the politician/opportunist suit
on. It's election year, after all].
The one thing I would suggest, if you get complaints, is to talk to the dude
that wrote the "testing" thing to make it look less like an attack than it
currently appears. Vote for me.
[/suit off]

That being said, you might want to read again an excellent post from
Steve Atkins earlier :-)

> OMG, someone from China just tried to telnet to my router. I'm calling
> the FBI, the CIA and the NSA right away. The vty password is "san-fran"
> not "cisco", bozo.


> One suggestion that I received from a co-worker to help to
> mitigate this is to have the researchers run the experiments
> off of a www host, and to have the default page explain the
> experiment and also provide contact info.

Good idea, but largely useless as described, IMHO. I would suggest a
better way, have the reverse lookup (PTR) of the testing IP address
resolve to something like "see-www-dot-cmu-dot-edu-slash-testing" and
have the explaining web page there; this might help with GWF[1]


> We also discussed having the researchers contact ISPs and other
> large providers to see if they can get permission to use addresses
> in their space as targets, and then providing the ISPs with info
> from the testing.

The answer is no.


> How do you view the issue of experiments that probe random
> sites? Should this be accepted as "reasonable", or should
> it be disallowed? Something in between?

Irrelevant. Each operator and network admin will have a different
opinion about it, and we all filter traffic the way we see fit. You will
not get anything remotely close to a consensus here.


[1] GWF
Steve Atkins wrote:
> [GWF] Goober With Firewall. Originally from internal jargon
> at abuse () above net - a complaint, for example, that
> "ns1.above.net is hackoring my port 53!" would be, and
> should still be, closed with the sole annotation being "GWF".

Alternate acronym meaning: Goon With Firewall.

GWFs are mostly a by-product of IDS sales droids: first, they find one
of these goober execs to attend a demo, then they crank up their gizmo
that will find "high risk" alarms out of the ordinary network noise,
then the exec hires a cheaper banana^H^H^H^H^H peanut eater aka GWF that
does not know jack and has nothing to do but investigate the IDS alarms.

The only thing that worries me about the recommendation I am about to
make is that it is the same that we collectively used to think was the
appropriate answer to spam (a long time ago): the delete key is your
friend.

Michel.

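The PTR suggestion above, worked through as an added example that is not part of Michel's post or anything CMU ran: the probing address, the explanation URL, the forward zone example.net and the firewall log line are all constructed for illustration. It spells the URL into a DNS label the way the post proposes, emits the reverse-zone PTR plus the matching forward record (abuse tooling commonly distrusts a PTR whose target does not resolve back to the same address), and shows the abuse-desk side that reads the URL back out of a denied-connection log line.

```python
"""Added example (not from the post): putting a scanner's explanation URL in its
PTR record, and reading it back from a firewall log line on the receiving side.

Constructed values: PROBE_IP, EXPLAIN_URL, ZONE and SAMPLE_LOG are made up for
this example; 192.0.2.0/24, 203.0.113.0/24 and example.net are documentation ranges.
"""
import ipaddress
import re
from typing import Dict, Optional, Tuple

PROBE_IP = "192.0.2.10"               # constructed: the research host doing the probing
EXPLAIN_URL = "www.cmu.edu/testing"   # constructed: page describing the experiment
ZONE = "example.net"                  # constructed: forward zone the researchers control
TTL = 3600

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, at most 63 octets.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def encode_url_as_hostname(url: str, zone: str = ZONE, prefix: str = "see-") -> str:
    """Turn a URL into a hostname the way the post suggests:
    '.' becomes '-dot-' and '/' becomes '-slash-', so it survives as a DNS name."""
    bare = re.sub(r"^https?://", "", url).rstrip("/").lower()
    label = prefix + bare.replace(".", "-dot-").replace("/", "-slash-")
    if not LABEL_RE.fullmatch(label):
        # Also rejects labels longer than 63 octets, a hard DNS limit.
        raise ValueError(f"not a valid DNS label: {label!r}")
    fqdn = f"{label}.{zone}"
    if len(fqdn) > 253:
        raise ValueError("hostname exceeds 253 octets")
    return fqdn


def decode_hostname(fqdn: str, zone: str = ZONE, prefix: str = "see-") -> str:
    """Inverse of encode_url_as_hostname: what an abuse desk would read off the PTR."""
    label = fqdn.rstrip(".")
    suffix = "." + zone
    if label.endswith(suffix):
        label = label[: -len(suffix)]
    if label.startswith(prefix):
        label = label[len(prefix):]
    return "http://" + label.replace("-slash-", "/").replace("-dot-", ".")


def zone_records(ip: str, fqdn: str, ttl: int = TTL) -> Tuple[str, str]:
    """Zone-file lines: the PTR in the reverse zone and the matching forward record.
    The forward record is not optional in practice: many abuse tools only trust a
    PTR whose target resolves back to the same address (forward-confirmed rDNS)."""
    addr = ipaddress.ip_address(ip)
    rrtype = "A" if addr.version == 4 else "AAAA"
    ptr = f"{addr.reverse_pointer}. {ttl} IN PTR {fqdn}."
    fwd = f"{fqdn}. {ttl} IN {rrtype} {ip}"
    return ptr, fwd


# Constructed firewall log line (not a real capture): a denied telnet probe.
SAMPLE_LOG = ("%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/4455 "
              "to 203.0.113.7/23 flags SYN on interface outside")

# Stand-in for a live reverse lookup (socket.gethostbyaddr) so this runs offline.
PTR_TABLE: Dict[str, str] = {PROBE_IP: encode_url_as_hostname(EXPLAIN_URL)}


def explain_probe(log_line: str, ptr_table: Dict[str, str]) -> Optional[str]:
    """Pull the source IP out of a firewall log line and, if its PTR follows the
    convention, return the explanation URL. Whoever controls the source netblock
    sets its PTR, so this is a pointer worth reading, not proof the probe is benign."""
    m = re.search(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})/", log_line)
    if not m:
        return None
    fqdn = ptr_table.get(m.group(1))
    if not fqdn or "-dot-" not in fqdn:
        return None
    return decode_hostname(fqdn)


if __name__ == "__main__":
    name = encode_url_as_hostname(EXPLAIN_URL)
    for line in zone_records(PROBE_IP, name):
        print(line)
    print(explain_probe(SAMPLE_LOG, PTR_TABLE))
```

Running it prints the two zone-file lines for 192.0.2.10 and then the decoded URL. The label check matters because the trick silently breaks when the URL is long: a single label cannot exceed 63 octets, so a deep path has to be shortened (or redirected from a short one) before it will fit.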
