RE: Research - Valid Data Gathering vs. Annoying Other

John K. Lerchey wrote:
The problem is that many of their "random targets" consider
the probes to be either malicious in nature, or outright
attacks. As a result of this, we, of course, get complaints.

[me puts the politician/opportunist suit
on. It's election year, after all].
The one thing I would suggest, if you get complaints, talk to the dude
that wrote the "testing" thing to make it look like an attack than it
currently appears. Vote for me.
[/suit off]

That being said, you might want to read again an excellent post from
Steve Atkins earlier :slight_smile:

OMG, someone from China just tried to telnet to my router. I'm calling
the FBI, the CIA and the NSA right away. The vty password is "san-fran"
not "cisco", bozo.

One suggestion that I received fro a co-worker to help to
mitigate this is to have the researchers run the experiments
off of a www host, and to have the default page explain the
experiment and also provide contact info.

Good idea, but largely useless as described, IMHO. I would suggest a
better way, have the reverse lookup (PTR) of the testing IP address
resolve to something like "see-www-dot-cmu-dot-edu-slash-testing" and
have the explaining web page there; this might help with GWF[1]

We also discussed having the researchers contact ISPs and other
large providers to see if they can get permission to use addresses
in their space as targets, and then providing the ISPs with info
from the testing.

The answer is no.

How do you view the issue of experiments that probe random
sites? Should this be accepted as "reasonable", or should
it be disallowed? Something in between?

Irrelevant. Each operator and network admin will have a different
opinion about it, and we all filter traffic the way we see fit. You will
not get anything remotely close to a consensus here.

[1] GWF

Steve Atkins wrote:
[GWF] Goober With Firewall. Originally from internal jargon
at abuse@above.net - a complaint, for example, that
"ns1.above.net is hackoring my port 53!" would be, and
should still be, closed with the sole annotation being "GWF".

Alternate acronym meaning: Goon With Firewall.

GWFes are mostly a by-product of IDS sales droids: first, they find one
of these goober execs to attend a demo, then they crank up their gizmo
that will find "high risk" alarms out of the ordinary network noise,
then the exec hires a cheaper banana^H^H^H^H^H peanut eater aka GWS that
does not know jack and has nothing to do but investigate the IDS alarms.

The only thing that worries me about the recommendation I am about to
make is that it is the same that we collectively used to think was the
appropriate answer to spam (a long time ago): the delete key is your
friend.

Michel.