[Dshield] Question on appropriate university research

Tom dshield at oitc.com
Wed Sep 19 01:06:05 GMT 2007


At 9:20 AM -0400 9/18/07, Paul Melson wrote:
>> Don't you think that this is at best ill advised without contacting the IP
>> block owners? Further what they're trying to sample is not what they are
>> sampling but that's another story.
>
> Can you elaborate on this point?

What I was told is that they are scanning to determine stats on ssh, 
login types, and how often authentication is updated (to do this they 
do repeat scans).

Well, to me they are measuring a population they can't characterize 
for statistical purposes and their stats will inherently be suspect.

1st they know nothing about the distribution of machines on the /8 
they selected.

2nd with many various groups sharing attacks and subscribers 
updating their firewalls, they have no idea if their inability to 
connect is because of firewall updates or because the machine isn't 
using SSH.

3rd many admins have moved their SSH port to other ports just to keep 
SSH portscan bot traffic away so lack of connect does not say 
anything about whether SSH is being used.

4th we and many others have SSH honeypots to identify attacking IPs, 
and scanning these not only pollutes their stats but also causes them 
to be blackholed by many.

5th when I complained to CMU the "researcher" immediately stated he 
would remove our IPs (I am still waiting) from his scan and his 
database, which would seem to remove from the statistical calculations 
those host owners that actually monitor and worry about their systems' 
security, which seemingly will skew their analysis to the dumber.

I guess I could go on but it seems to me an academic effort to make 
SSH more secure for the masses doesn't need to scan the internet to 
proceed and .  Further, it's awfully dumbing down a PhD if a PhD 
candidate has to only run a scan as described above and gen some stats 
for a PhD.

Just my 2 cents.

Tom