Not to hijack, but related to blocking scans, I am part of a community project to block bad actors via BGP. Currently we are advertising several thousand /32s detected doing SSH attempts. More to come in the future, but if anyone is interested, check out www.projectton.com; you can also do CC blocking via BGP and BOGONS.

-Colin / VA6CCB

 

From: Tom Hayward via 44net <44net@mailman.ampr.org>
Reply-To: Tom Hayward <esarfl@gmail.com>
Date: Wednesday, January 25, 2023 at 1:46 PM
To: "44net@mailman.ampr.org" <44net@mailman.ampr.org>
Subject: [44net] Re: Request: Blocking censys-scanner.com scans on AMPR subnets

 

On Tue, Jan 24, 2023 at 1:51 PM Rob PE1CHL via 44net <44net@mailman.ampr.org> wrote:

It is relatively easy to autoblock such scanners at a gateway due to the large address space that we have, and its relatively sparse use.
Once you notice a lot of incoming traffic on unallocated subnets, you know it is from a scanner.

 

We do this for HamWAN's (BGP-announced) address space. We have a couple intentionally-dark IP addresses, and if the edge routers detect packets destined to these addresses, the source gets blocked in the firewall.

 

Our reasoning is something I haven't seen addressed in this thread yet. Beyond the edge routers, there are parts of the network that transmit on amateur radio. As control operators of this network, we have an obligation to ensure that regulations are followed as closely as possible. These scanners are traffic not initiated by an amateur radio operator, so we try to block them from reaching the part of the network that uses radio.

 

Tom KD7LXL
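
The dark-address autoblocking described in the two messages above, sketched as an added example that is not part of the original thread and not HamWAN's configuration. The log format, addresses (RFC 5737 documentation ranges), allowlist and threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed values: RFC 5737 documentation ranges stand in for real address space.
DARK_HOSTS = {ipaddress.ip_address("192.0.2.13"), ipaddress.ip_address("192.0.2.200")}
UNALLOCATED = [ipaddress.ip_network("192.0.2.64/26")]
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/28")]  # e.g. own monitoring hosts
SPREAD_THRESHOLD = 3  # distinct unallocated destinations before a source is blocked

# Constructed log lines: "<timestamp> <src> <dst> <proto> <dport>"
SAMPLE_LOG = """\
2023-01-25T13:00:01Z 198.51.100.7 192.0.2.13 tcp 22
2023-01-25T13:00:02Z 198.51.100.9 192.0.2.70 tcp 443
2023-01-25T13:00:02Z 198.51.100.9 192.0.2.71 tcp 443
2023-01-25T13:00:03Z 198.51.100.9 192.0.2.72 tcp 443
2023-01-25T13:00:04Z 198.51.100.20 192.0.2.5 tcp 80
2023-01-25T13:00:05Z 198.51.100.21 192.0.2.70 udp 53
2023-01-25T13:00:06Z 203.0.113.5 192.0.2.200 icmp 0
garbage line
"""

def find_scanners(log_text):
    """Return {source: reason} for sources that should be blocked."""
    blocked = {}
    spread = defaultdict(set)  # source -> distinct unallocated destinations seen
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(fields[1])
            dst = ipaddress.ip_address(fields[2])
        except ValueError:
            continue
        if any(src in net for net in ALLOWLIST) or str(src) in blocked:
            continue
        if dst in DARK_HOSTS:
            # Any packet to an intentionally dark address blocks the source at once.
            blocked[str(src)] = "dark-host"
        elif any(dst in net for net in UNALLOCATED):
            # Unallocated space: block only after the source touches several addresses.
            spread[src].add(dst)
            if len(spread[src]) >= SPREAD_THRESHOLD:
                blocked[str(src)] = "unallocated-spread"
    return blocked

if __name__ == "__main__":
    for source, reason in sorted(find_scanners(SAMPLE_LOG).items()):
        print(source, reason)
```

Source addresses on UDP and ICMP can be spoofed, so the allowlist is checked before any block decision to keep forged packets from locking out hosts the network depends on.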