nanog mailing list archives

Re: Russian Anal Probing + Malware


From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 23 Jun 2019 13:14:05 -0400

On Fri, Jun 21, 2019 at 05:13:35PM -0700, Ronald F. Guilmette wrote:
> Is there anybody on this list who keeps firewall logs and who
> DOESN'T have numerous hits recorded therein from one or more
> of the following IP addresses?

Well, I *did*, but having noticed their activities and grown tired of
them, I now just drop their traffic on the floor (and log it).

They are one of several operations that I've noticed who have taken it
upon themselves to poke at open (and closed) ports without bothering
to ask.  Assuming for a moment the most charitable interpretation of
their collective actions -- that they are earnestly researching problems
with the intention of helping to solve them -- this is still highly
problematic for two reasons:

1. They didn't ask permission.

2. Whether they realize it or not, they're building a target.  When,
not if, their results database(s) are compromised, they will have
furnished the attackers with a comprehensive target list, painstakingly
gathered at no cost to them and thoughtfully annotated with whatever
metadata has been collected.

---rsk

