What do folk do about persistent SNMP probers? I.e. j random clueless sites
which keep querying one's backbone router(s). E.g. this morning I get the
NOC shift change report with the folk hammering on our routers as if we were
stupid enough to use 'public' as the community string.
mae-east Bad community string from 194.168.51.4
mae-east Bad community string from 193.38.113.216
mae-west Bad community string from 202.85.254.5
mae-west Bad community string from 206.79.240.190
mae-west Bad community string from 193.38.113.216
pdx Bad community string from 204.119.24.200
pen Bad community string from 164.117.144.245
pen Bad community string from 193.38.113.216
paix Bad community string from 204.79.240.190
So every day some poor NOC person has to search these folk down with the
great tools we have, send email, get told they're nazi idiots, ...
So what do folk do about this?
randy

> What do folk do about persistent SNMP probers? I.e. j random clueless sites
> which keep querying one's backbone router(s). E.g. this morning I get the
> NOC shift change report with the folk hammering on our routers as if we were
> stupid enough to use 'public' as the community string.
> (...)
> So every day some poor NOC person has to search these folk down with the
> great tools we have, send email, get told they're nazi idiots, ...
> So what do folk do about this?

So long as they only probe with the "public" string, we ignore it. If
they start trying to guess our strings, then we go after them. Most of
our equipment can tell the difference, and we bug vendors to fix the rest.

> What do folk do about persistent SNMP probers?
> ...
> So long as they only probe with the "public" string, we ignore it.

We did that at first. Soon we had a bunch of them polling hundreds of times
a day. Clueless and sucky.
randy

Design a Go-Away MIB, register it with IANA, convince equipment vendors to
support the MIB such that there is a filter table of allowed addresses for
SNMP queries and anyone not on that list gets the Go-Away MIB. The MIB
just needs a String that says Go Away (or your choice of message) and
a few other items that return random numbers.
Or someone could do a Tony Bates impression and collect the naughty SNMP
prober data from various providers and post a weekly hall of shame report
to this list. If there are a significant number of non-providers then this
list could also be posted on a USENET snmp group and on a web page.
Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-250-546-3049
http://www.memra.com - E-mail: michael@memra.com
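
The per-source tally the thread keeps coming back to (the daily NOC chase, the weekly report idea), as an added example that is not part of any poster's message. It parses the report format quoted in the first message, drops sources on an allowed list, and ranks the rest by how many routers they touched; `ALLOWED_NETS` and the function names are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Line format as it appears in the NOC report in the first message.
LINE_RE = re.compile(r"^(\S+)\s+Bad community string from\s+(\S+)$")

# Report lines copied from the first message of the thread.
SAMPLE_REPORT = """\
mae-east Bad community string from 194.168.51.4
mae-east Bad community string from 193.38.113.216
mae-west Bad community string from 202.85.254.5
mae-west Bad community string from 206.79.240.190
mae-west Bad community string from 193.38.113.216
pdx Bad community string from 204.119.24.200
pen Bad community string from 164.117.144.245
pen Bad community string from 193.38.113.216
paix Bad community string from 204.79.240.190
"""

# Assumption: networks of our own management stations (placeholder, RFC 5737).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def parse(report):
    """Yield (router, source address) per well-formed line; skip anything else."""
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            yield m.group(1), ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # address field is not a valid IP

def summarize(report, allowed=ALLOWED_NETS):
    """Return [(source, hits, routers)], sources seen on the most routers first."""
    hits, routers = defaultdict(int), defaultdict(set)
    for router, src in parse(report):
        if any(src in net for net in allowed):
            continue  # one of our own pollers, not an outside prober
        hits[src] += 1
        routers[src].add(router)
    order = sorted(hits, key=lambda s: (-len(routers[s]), -hits[s], s.version, int(s)))
    return [(str(s), hits[s], sorted(routers[s])) for s in order]

if __name__ == "__main__":
    for src, n, seen in summarize(SAMPLE_REPORT):
        print(f"{src:<16} {n:>2} hits on {len(seen)} routers: {', '.join(seen)}")
```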