It's interesting to see the variety in responses to my email on both the AMPR list and unicasted to me.  From my perspective, I think it's totally required for people running servers exposed to the Internet to scan them and make sure they are only exposing what they expect.  That said, IMHO, those scans should *only* be run by me, at a rate I'm expecting it, and when I expect it.  This level of security detail is arguably no one else's business.  I like some of the "extreme" analogies that vk2dgy came up with where someone is essentially turning every doorknob, trying every window, etc. just to see if I missed something.  By companies exposing all this information publicly, they are enabling bad actors to attack found misconfigured / possibly vulnerable systems for malice, profit, etc.  This is total crap and only makes the Internet a more dangerous place.

Why did I personally notice this scanning traffic the other day?  I have my AMPR systems on a physically separate network switch so I can "see the traffic" and just glancing at it, I could tell its packet-per-second (PPS) rate was VERY high.  I didn't measure it but it was easily in the >100 PPS rate which was highly unusual.  Yes, some people will say "Welcome to the Internet... get used to it".  That sucks but I can't say I shouldn't expect that.  What I can say is I DON'T expect this on my AMPR tunnel.  I don't think I should expect these kinds of scans or any other form of common Internet spam on my AMPR tunnel.   Yes, I do have my IP listed in AMPR DNS which also tells the UCSD AMPR GW to forward any Internet sourced Internet traffic to my IP.


I realize I can remove my AMPR IP from DNS to "fix" this but I find DNS to be very useful.  I also find having Internet access to my AMPR host is occasionally useful as well but maybe I should just block the UCSD AMPR IP address for everything except RIP updates.

--David
KI6ZHD




On 01/24/2023 03:47 PM, Tim Požar via 44net wrote:
I actually find the censys data useful.  We have a /20 from ARIN and I periodically look at what censys shows to see how the space is being used or if we have some services that are showing up that shouldn't be.

Tim

On 1/24/23 1:26 PM, David Ranch via 44net wrote:

I was recently seeing a *lot* of scanning traffic from some of these censys-scanner.com IPs on my AMPR subnet. Personally, I consider crap like this as an attack yet people and companies think what they are doing is completely OK.  Grrrr..  I imagine a lot of other AMPR subnets are also getting scanned which I don't think is OK.  Maybe we can get their subnets BLOCKED at the UCSD Internet gateway?

https://support.censys.io/hc/en-us/articles/360043177092-from-faq

--David
KI6ZHD