Re: PSA University of Michigan research IP space

2017-12-08 Thread Richard


> Date: Friday, December 08, 2017 10:07:58 +
> From: Allen Coates 
> 
> On 08/12/17 03:59, Viktor Dukhovni wrote:
>> 
>> 
>>> On Dec 7, 2017, at 9:14 PM, li...@lazygranch.com wrote:
>>> 
>>> http://researchscan288.eecs.umich.edu/
>>> I never could find the research IP space and my email went
>>> unanswered. I just blocked the whole university. Link has the IP
>>> space as listed below:
>>> 141.212.121.0/24 
>>> 141.212.122.0/24
>> 
>> Seems rather an overreaction. So a few bots scan your system now
>> and then, for socially beneficial research purposes[1].  Does it
>> really make sense to block an entire university to try to avoid
>> this?
>> 
> 
> The netblocks (above) are not the whole university, but only the
> range used by the research scans.
> 
> The website (also above) explains what the research is all about,
> and should you wish to opt out of the research, invites you to drop
> the aforementioned netblocks in your firewall.
> 
> To me, this seems a very reasonable and equitable arrangement.
> 
> Allen C

Correct, hardly the "whole university" (or even the "research IP
space"). It's about 500 IP numbers used by a sub-section of the
college of engineering. For a better sense of the university's
allocations, see the "related networks" link at:

  




Re: PSA University of Michigan research IP space

2017-12-08 Thread Allen Coates


On 08/12/17 03:59, Viktor Dukhovni wrote:
> 
> 
>> On Dec 7, 2017, at 9:14 PM, li...@lazygranch.com wrote:
>>
>> http://researchscan288.eecs.umich.edu/
>> I never could find the research IP space and my email went unanswered.
>> I just blocked the whole university. Link has the IP space as listed
>> below:
>> 141.212.121.0/24 
>> 141.212.122.0/24
> 
> Seems rather an overreaction. So a few bots scan your system now and then,
> for socially beneficial research purposes[1].  Does it really make sense
> to block an entire university to try to avoid this?
> 

The netblocks (above) are not the whole university, but only the range
used by the research scans.

The website (also above) explains what the research is all about, and
should you wish to opt out of the research, invites you to drop the
aforementioned netblocks in your firewall.

To me, this seems a very reasonable and equitable arrangement.

Allen C


Re: PSA University of Michigan research IP space

2017-12-08 Thread li...@lazygranch.com

On Thu, 7 Dec 2017 22:59:46 -0500
Viktor Dukhovni  wrote:

> > On Dec 7, 2017, at 9:14 PM, li...@lazygranch.com wrote:
> > 
> > http://researchscan288.eecs.umich.edu/
> > I never could find the research IP space and my email went
> > unanswered. I just blocked the whole university. Link has the IP
> > space as listed below:
> > 141.212.121.0/24 
> > 141.212.122.0/24  
> 
> Seems rather an overreaction. So a few bots scan your system now and
> then, for socially beneficial research purposes[1].  Does it really
> make sense to block an entire university to try to avoid this?
> 

I'm in agreement with you regarding blocking an entire university, but
I couldn't get a reply regarding the research IP space, nor could I
find the IP space online until today. 

Email, being the means of resetting passwords, gets extra scrutiny by
me. Now that I have the research IP space, I have removed the full
block. 

Interesting commentary:
https://www.hackerfactor.com/blog/index.php?url=archives/775-Scans-and-Attacks.html

The problem is the researchers look like hackers. For web "research",
they may provide an address to contact them in the browser metadata.
Maybe they are researchers, and maybe not. 

I allow a fair number of bots to poke the server, even if they appear
dubious. One claims to research uptime, but if you ping me once a day,
I don't think that is much of a study. I have a gut feeling many of
these research bots are really zombies. The student has graduated and
the account never canceled. I'm sure you've heard the story (perhaps
legend) of the university sysadmin mapping the network and finding some
server tucked away in a closet that they had no idea was there.


Re: PSA University of Michigan research IP space

2017-12-07 Thread Viktor Dukhovni


> On Dec 7, 2017, at 9:14 PM, li...@lazygranch.com wrote:
> 
> http://researchscan288.eecs.umich.edu/
> I never could find the research IP space and my email went unanswered.
> I just blocked the whole university. Link has the IP space as listed
> below:
> 141.212.121.0/24 
> 141.212.122.0/24

Seems rather an overreaction. So a few bots scan your system now and then,
for socially beneficial research purposes[1].  Does it really make sense
to block an entire university to try to avoid this?

-- 
Viktor.

[1] Full disclosure, I perform DANE/DNSSEC adoption scans of as many
DNSSEC-validated domains as I can find, currently ~5.1 million, making
connections to MX hosts that publish secure TLSA records (~4 thousand
MX hosts, covering ~174 thousand domains).  Domain owners whose TLSA
records don't match reality are notified of any problems. Generally,
postmasters seem pleased to be notified and given the opportunity to
fix the problem in a timely manner. So I have some empathy for the
Michigan team, who are also by the way one of the sources from which
I gather domain names.

If some of you have deployed DANE TLSA records, but feel strongly
that I should exclude your domains from automated scans, please
drop me a note and I'll add your domains to my "ignore" list.


PSA University of Michigan research IP space

2017-12-07 Thread li...@lazygranch.com

http://researchscan288.eecs.umich.edu/
I never could find the research IP space and my email went unanswered.
I just blocked the whole university. Link has the IP space as listed
below:
141.212.121.0/24 
141.212.122.0/24
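
Added example, not part of any post in this thread: a way to measure how many connections in a mail log come from the two research netblocks listed above, so that a block can be scoped to them rather than to a wider range. The log lines are constructed and assume Postfix smtpd's "connect from host[ip]" format; the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# The two netblocks quoted in the thread for the research scanners.
RESEARCH_NETS = [ipaddress.ip_network(n)
                 for n in ("141.212.121.0/24", "141.212.122.0/24")]

# Constructed sample lines (assumed Postfix smtpd log format, not real traffic).
SAMPLE_LOG = """\
Dec  8 03:12:01 mx postfix/smtpd[2101]: connect from unknown[141.212.122.17]
Dec  8 03:12:02 mx postfix/smtpd[2101]: disconnect from unknown[141.212.122.17]
Dec  8 04:40:11 mx postfix/smtpd[2140]: connect from mail.example.org[192.0.2.25]
Dec  8 05:02:45 mx postfix/smtpd[2188]: connect from unknown[141.212.121.200]
Dec  8 05:30:09 mx postfix/smtpd[2190]: connect from unknown[141.212.123.9]
Dec  8 06:15:30 mx postfix/smtpd[2201]: connect from unknown[141.212.122.17]
"""

# "\b" keeps "disconnect from" lines from being counted as new connections.
CONNECT_RE = re.compile(r"\bconnect from \S*\[([0-9a-fA-F.:]+)\]")


def research_net_for(ip_text):
    """Return the research netblock containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed address in the log line
    return next((net for net in RESEARCH_NETS if ip in net), None)


def summarize(log_text):
    """Count connections per research netblock and per other client IP."""
    hits, others = Counter(), Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        net = research_net_for(m.group(1))
        if net is not None:
            hits[str(net)] += 1
        else:
            others[m.group(1)] += 1
    return hits, others


def covered_addresses():
    """Total addresses in the listed netblocks (two /24s)."""
    return sum(net.num_addresses for net in RESEARCH_NETS)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), covered_addresses())
```

The constructed 141.212.123.9 entry sits just outside the listed ranges and is reported under the other clients, which shows how narrow the two /24s are.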