Re: SNMP probers

[Daniel McRobb <dwm () ans net>]

> Randy,
>
> > What do folk do about persistent SNMP probers?  I.e. j random clueless sites
> > which keep querying one's backbone router(s).  E.g. this morning I get the
> > NOC shift change report with the folk hammering on our routers as if we were
> > stupid enough to use 'public' as the community string.
>
> The problem isn't so much stupid people as stupid default settings on some
> network tools.  A lot of software exists for the "enterprise" network
> market.  Apparently, the designers of this software don't realize that most
> enterprise IP networks touch the larger, fully connected Internet.  The
> default settings on half a dozen products I've personally used default to
> trying to discover the entire Internet on startup.  
>
> I learned this the hard way a few years back.  Every night before going
> home, I'd re-boot a network monitoring station, which would crash during the
> night.  The station was crashing somewhere in the middle of the discovery of
> net 18.  After the third or fourth attempt at discovering net 18, I got a
> phone call from MIT, and realized why my network monitoring station was
> crashing.  (whoops)
>
> Things got really interesting when I called up the manufacturer.  I asked
> them to please help me stop this software discovery process.  Took me half
> an hour of explaining to convince them that discovering the entire Internet
> wasn't in the best interest of their customers.  Took a new version to
> really stop this "feature".  
>
> > So every day some poor NOC person has to search these folk down with the
> > great tools we have, send email, get told they're nazi idiots, ...
> >
> > So what do folk do about this?
>
> Educate, then assassinate.
>
>
> Seriously, I think some education is needed for the proliferating
> manufacturers of lower end IP management tools.  All of a sudden, there are
> a lot of IP monitoring products out there.  Most all of our customers are
> running some sort of tool to check the status of their LAN workstations,
> etc.  We've been having to educate almost every new customer lately.
>
> Maybe denying some TCP socket at the border router level would stop a lot of
> this?
>
> Regards,
>
> Bill

I wouldn't really blame this on the NMS vendors as much as the lack of
standardized topology information in standard MIBs.  The NMS products
use the brute-force method for a reason... there's little else available
(there's nothing available in many products; MIB-II is (unfortunately)
often the only thing you can really count on across products.  Its sort
of like a discussion here a few months ago about how useless traceroute
can be (though I really would not like to open up that discussion here
again).

I do agree that you can throttle it so it doesn't run amok, and users
shouldn't need to run it often (unless their own network's topology is
changing a lot).

Daniel
~~~~~~

- - - - - - - - - - - - - - - - -