SNMP probers


>What do folk do about persistent SNMP probers? I.e. j random clueless sites
>which keep querying one's backbone router(s). E.g. this morning I get the
>NOC shift change report with the folk hammering on our routers as if we were
>stupid enough to use 'public' as the community string.

The problem isn't so much stupid people as stupid default settings on some
network tools. A lot of software exists for the "enterprise" network
market. Apparently, the designers of this software don't realize that most
enterprise IP networks touch the larger, fully connected Internet. The
default settings on half a dozen products I've personally used default to
trying to discover the entire Internet on startup.

I learned this the hard way a few years back. Every night before going
home, I'd re-boot a network monitoring station, which would crash during the
night. The station was crashing somewhere in the middle of the discovery of
net 18. After the third or fourth attempt at discovering net 18, I got a
phone call from MIT, and realized why my network monitoring station was
crashing. (whoops)

Things got really interesting when I called up the manufacturer. I asked
them to please help me stop this software discovery process. Took me half
an hour of explaining to convince them that discovering the entire Internet
wasn't in the best interest of their customers. Took a new version to
really stop this "feature".

>So every day some poor NOC person has to search these folk down with the
>great tools we have, send email, get told they're nazi idiots, ...
>So what do folk do about this?

Educate, then assassinate.

Seriously, I think some education is needed for the proliferating
manufacturers of lower end IP management tools. All of a sudden, there are
a lot of IP monitoring products out there. Most all of our customers are
running some sort of tool to check the status of their LAN workstations,
etc. We've been having to educate almost every new customer lately.

Maybe denying some TCP socket at the border router level would stop a lot of



I wouldn't really blame this on the NMS vendors as much as the lack of
standardized topology information in standard MIBs. The NMS products
use the brute-force method for a reason... there's little else available
(there's nothing available in many products; MIB-II is (unfortunately)
often the only thing you can really count on across products. Its sort
of like a discussion here a few months ago about how useless traceroute
can be (though I really would not like to open up that discussion here

I do agree that you can throttle it so it doesn't run amok, and users
shouldn't need to run it often (unless their own network's topology is
changing a lot).