I want to make this forum aware of Google's "Safe Browsing Alerts for
Network Administrators" (https://www.google.com/safebrowsing/alerts/). I've
had a link to their diagnostic page for several years
(https://www.google.com/safebrowsing/diagnostic?site=AS:####&hl=it-it, where
#### is your ASN), but I didn't know that Google actually had a way to alert
ASN owners of new incidents. I checked NANOG's archive and haven't ever
seen it mentioned, so I thought there might be more like me that weren't
aware.
My problem with Google's "Safe Browsing" alerts is that from the admin
side they rarely are useful/useable. They make a big loud noisy
complaint without ANYTHING to substantiate what the issue is to
correct it. You're left searching your own site trying to figure out
what in the heck it's complaining about.
I've not found it very usefull. As for Shadowserver.org I really wish folks
trying to save the internet from mis-configurations would stop randomly
scanning networks to fix. These folks are one of many "do-gooders" that are
adding to the traffic being dropped and logged. Its only contibuting to the
daily clutter of problem folk already poking and prodding.
Thanks for that feedback on Google’s Safe Browsing Alerts. We’ll have to see how that works out for us over time.
In regards to ShadowServer, I don’t think they’re randomly scanning networks, and neither are folks like OpenResolver – I think it’s pretty systematic, albeit from perhaps only a certain point of view on the Internet. If their scans are being dropped and logged, that’s great – that means someone has measures in place to mitigate attacks that leverage those UDP protocols. But for those who use their output to better secure their own and clients’ endpoint devices, it’s much appreciated. If it’s really just a drop in the ocean, what does it matter to you?
With the complaints we get often the people aren't properly secured, they are just seeing the noise in their logs or they just started logging.
We often get more complaints after the first six months as someone says "oh hey, we updated our IPS and now see the NTP traffic that we didn't see in 2000-2015, lets complain about it". It's good they have visibility now but most people don't get the true issue or impact, and don't even appreciate it when they are on the receiving end of a 100-250Gb/s attack from these services.
Take a moment to read the Christian Rossow paper called "amplification Hell".
While amplifiers are only a part of the equation, the trend of fixes is important to track so people understand the state of the fixes.