SNMP probers

Lyndon Levesley lol at xara.net
Wed Apr 9 15:54:50 UTC 1997


Randy Bush wrote :
|-> What do folk do about persistent SNMP probers?  I.e. j random clueless sites
|-> which keep querying one's backbone router(s).  E.g. this morning I get the
|-> NOC shift change report with the folk hammering on our routers as if we were
|-> stupid enough to use 'public' as the community string.
|-> 
|-> > mae-east	Bad community string from 194.168.51.4
|-> > mae-east	Bad community string from 193.38.113.216
|-> > mae-west	Bad community string from 202.85.254.5
|-> > mae-west	Bad community string from 206.79.240.190
|-> > mae-west	Bad community string from 193.38.113.216
|-> > pdx		Bad community string from 204.119.24.200
|-> > pen		Bad community string from 164.117.144.245
|-> > pen		Bad community string from 193.38.113.216
|-> > paix		Bad community string from 204.79.240.190
|-> 
|-> So every day some poor NOC person has to search these folk down with the
|-> great tools we have, send email, get told they're nazi idiots, ...
|-> 
|-> So what do folk do about this?
|-> 

 If you follow these up (generally) they find a bit of over-zealous 
netmon kit trying public on the whole Internet, and then go and learn 
how to filter this. OpenView, for example, when it first does its 
discovery phase, has a nice habit of finding some clueless ISP at, 
say, Mae-East, who *does* use "public" as a comstr and then promptly 
probes all of _their_ customers, peers etc. also. It is possible to 
stop OV doing this and, indeed, it stops itself when it runs out of 
SNMPable routers. People that consistently do this are not normally 
trying to hack or be "over curious", just a bit lax or clueless with 
the software.

 AFAICS, we get ~2000 packets a week with a "bad community string" on 
the border routers, and only ~20 packets a week further in, so I 
would be interested in knowing how much of this is caused by a dodgy 
bit of freeware ;)

 The only time I'd follow these up is if we saw the trend being 
broken by someone trying it *lots* of times to particular routers; 
but then, perhaps if we spent a few minutes emailing people the trend 
would die ?

|-> randy
|-> 

Cheers,

Lyndon


--
Penis Envy is a total Phallusy.
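
An added example, not part of the original message: a small triage script for a "Bad community string" report in the format quoted above, separating a source that keeps trying one particular router from one that touches many routers once, as a discovery sweep would. The thresholds, the verdict labels and the sample lines (RFC 5737 documentation addresses) are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Line format follows the NOC report quoted in the message:
#   <router> <whitespace> Bad community string from <IPv4 address>
LINE_RE = re.compile(
    r"^(\S+)\s+Bad community string from (\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed sample report (documentation addresses, not real probers).
SAMPLE_REPORT = """\
mae-east\tBad community string from 192.0.2.10
mae-west\tBad community string from 192.0.2.10
pen\tBad community string from 192.0.2.10
pdx\tBad community string from 198.51.100.7
paix\tBad community string from 203.0.113.99
paix\tBad community string from 203.0.113.99
paix\tBad community string from 203.0.113.99
paix\tBad community string from 203.0.113.99
paix\tBad community string from 203.0.113.99
garbled line that should be skipped
"""

def tally(report):
    """Return {source_ip: Counter({router: hits})} for well-formed lines."""
    hits = defaultdict(Counter)
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            router, src = m.groups()
            hits[src][router] += 1
    return hits

def triage(report, per_router_limit=5, sweep_routers=3):
    """Classify each source; both thresholds are assumptions to tune locally."""
    verdicts = {}
    for src, routers in tally(report).items():
        if max(routers.values()) >= per_router_limit:
            verdicts[src] = "follow-up"        # many tries at one router
        elif len(routers) >= sweep_routers:
            verdicts[src] = "discovery-sweep"  # one try each, many routers
        else:
            verdicts[src] = "background"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{src:15} {verdict}")
```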






