nanog mailing list archives

Re: [EXTERNAL] RE: shadowserver.org


From: "Compton, Rich A" <Rich.Compton () charter com>
Date: Mon, 28 Jun 2021 20:33:46 +0000

If you want to identify which peering links are sending you spoofed DDoS amplification request traffic and which 
(Shadowserver identified) IPs in your network the traffic is going to, please take a look at my Tattle Tale project: 
https://github.com/racompton/tattle-tale
Identify which peers are sending you the spoofed UDP amplification traffic and "encourage" them to follow BCP 38/84! 
The project has this file to identify legitimate scanning traffic: 
https://github.com/racompton/tattle-tale/blob/main/logstash/conf.d/81-filter-scanners.conf

-Rich

On 6/28/21, 1:29 PM, "NANOG on behalf of Jean St-Laurent via NANOG" <nanog-bounces+rich.compton=charter.com () nanog 
org on behalf of nanog () nanog org> wrote:

    Great list. 

    ShadowServer is there twice on page 7. They must be noisy 😉

    Jean

    -----Original Message-----
    From: NANOG <nanog-bounces+jean=ddostest.me () nanog org> On Behalf Of Hank Nussbacher
    Sent: June 28, 2021 2:50 PM
    To: nanog () nanog org
    Subject: Re: shadowserver.org

    > What is the difference between shodan.io and shadowserver.org ? Jean
    Just those 2?  Greynoise maps them all.  See an old preso from 2018:
    
    https://www.slideshare.net/andrewwantsyou/identifying-and-correlating-internetwide-scan-traffic-to-newsworthy-security-events
    See slide 7 for a 4 year old list which has only grown :-)

    -Hank




