The second one runs a wall display in the department; it shouldn't be probing anything. It's a reassigned machine, so perhaps a previous user of that machine was doing some research scanning too. Sorry about that.
At the time I put it on the list it had the reverse DNS ipsecscanner.sysnet.ucsd.edu and that is what it was doing. I removed it now. A problem of my method of blocking is that I cannot keep stats of activity of the address, so addresses may remain on the list far too long. But again, there are enough other entries for "research" from several other US and German universities. It appears to be a popular way of annoying people.
Of course the interesting thing about the UCSD ones was that the traffic came through the tunnel even though our network is BGP routed. Not sure if it is still like that, I believe you changed something there.
Several scanners offer opt-out, but I think the research is mainly to see what people do when removal is promised but not done or only very temporarily. For example, I contacted the shodan.io guy twice for removal from his scanner; both times he removed our network only to re-add it within days. He probably expects that you will check after he answered the mail, see it is gone, and then not pay attention to it so he can continue his abuse.
Rob
On Thu, May 11, 2017 at 01:09:45AM +0200, Rob Janssen wrote:
> Of course the interesting thing about the UCSD ones was that the traffic came through the tunnel even though our network is BGP routed. Not sure if it is still like that, I believe you changed something there.
Yes, we lowered the priority of the default 44/8 route so that the routes learned via BGP would take precedence. That was some time ago. It shouldn't be using the tunnel route anymore.
- Brian