nanog mailing list archives

Re: Google's Safe Browsing Alerts for Network Administrators


From: Jared Mauch <jared () puck nether net>
Date: Tue, 13 Jan 2015 06:32:24 -0500

Hat: open.*project person..

With the complaints we get, often the people aren't properly secured; they are just seeing the noise in their logs or they just started logging.

We often get more complaints after the first six months as someone says "oh hey, we updated our IPS and now see the NTP traffic that we didn't see in 2000-2015, let's complain about it". It's good they have visibility now but most people don't get the true issue or impact, and don't even appreciate it when they are on the receiving end of a 100-250Gb/s attack from these services.

Take a moment to read the Christian Rossow paper called "Amplification Hell".

While amplifiers are only a part of the equation, the trend of fixes is important to track so people understand the state of the fixes.

Jared Mauch

On Jan 12, 2015, at 1:38 PM, Frank Bulk <frnkblk () iname com> wrote:

In regards to ShadowServer, I don’t think they’re randomly scanning networks, and neither are folks like OpenResolver – I think it’s pretty systematic, albeit from perhaps only a certain point of view on the Internet. If their scans are being dropped and logged, that’s great – that means someone has measures in place to mitigate attacks that leverage those UDP protocols. But for those who use their output to better secure their own and clients’ endpoint devices, it’s much appreciated. If it’s really just a drop in the ocean, what does it matter to you?

