I’m home. I wrote this on the train, but the Amtrak WiFi wasn’t working when I went to post. Later, I saw that someone had had pretty much the same take I had about the lack of IPv6….
The last presentation prior to the closing was a bit hard to take. They (and Squidly1) insist they’re the good guys, and network admins shouldn’t take steps to stop their active probes.
Maybe I’d feel differently if the probes were passive, but these aren’t. (Coming from Punk Spider.) To me, you’d be a fool to let them continue to scan your network with impunity.
Yes, the Koreans they’re scanning might well be idiots. It doesn’t make the intrusion okay!
It’s things like this that make me wish iptables or pf had a –reject-with-diaf-blast flag. For some, –with-tcp-reset isn’t sufficient.
1. They’re treading on thin ice with their active probes. If they were using passive sniffing, it’d be one thing, trying to scan the entre Internet is another matter, altogether.
2. But they’re not scanning the entire Internet! IPv4 is a deprecated legacy protocol. If they were doing any sort of v6 scanning, things might be slightly more intriguing. Over at Users and Icecube, we’ve been getting scanned normally a couple of times a week over v6. I’m pretty certain nothing’s come of it. Obviously Cawcks doesn’t give us a native allocation, so we’re using a tunnel broker, but it’d likely be the same with a native connection.
But even with the biggest AWS node the world’s ever imagined, they wouldn’t have the horsepoer to scan the entire Internet over v6. And more and more of the backbone traffic actually is going that way. Maybe you can stay ignorant of that fact, but it doesn’t take much research to verify.
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by users.757.org (Postfix) with ESMTPS id 7C795A9B6
Received: by mail.netbsd.org (Postfix, from userid 605)
id 0E08A14A12D; Thu, 2 Jan 2014 08:48:50 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by mail.netbsd.org (Postfix) with ESMTP id A6E4114A12A
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1])
by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025)
with ESMTP id 9RaUQzm2pzs7 for
Thu, 2 Jan 2014 08:48:45 +0000 (UTC)
Received: from korriban.imil.net (korriban.imil.net [IPv6:2001:470:cbba::3])
So, that was Shmoocon. More than willing to discuss over a beer if someone is interested.