The second one runs a wall display in the department, it shouldn't be probing anything.
It's a reassigned machine, so perhaps a previous user of that machine
was doing some research scanning too. Sorry about that.
At the time I put it on the list it had the reverse DNS ipsecscanner.sysnet.ucsd.edu
and that is what it was doing. I removed it now. A problem of my method of blocking
is that I cannot keep stats of activity of the address, so addresses may remain on the
list far too long.
But again, there are enough other entries for "research" from several other US and
German universities. It appears to be a popular way of annoying people.
Of course the interesting thing about the UCSD ones was that the traffic came through
the tunnel even though our network is BGP routed. Not sure if it is still like that, I
believe you changed something there.
Several scanners offer opt-out but I think the research is mainly to see what people do
when removal is promised but not done or only very temporarily. For example, I
contacted the shodan.io guy twice for removal from his scanner, both times he removed
our network only to re-add it within days. He probably expects that you will check after
he answered the mail, see it is gone, and then not pay attention to it so he can continue
his abuse.
Rob