[Dshield] Question on appropriate university research

Shaun shaun at shaunc.com
Wed Sep 19 03:48:09 GMT 2007

On Mon, 17 Sep 2007 21:38:54 -0400
Tom <dshield at oitc.com> wrote:

> Now, this "SSH scanning" project looks just like a bot net searching
> for hosts to attack later from my machine's viewpoint.

From what I gather, a grad student has launched some research project to
scan the internet at large compiling stats on who's running what version
of sshd, what sort of authlevel they allow, whether they're open to
passwords or whether they're set up for key-only, etc. Nothing requires
you to participate in this study. So block the bastard. :)

> Don't you think that this is at best ill advised without contacting
> the IP block owners? Further what they're trying to sample is not
> what they are sampling but that's another story.

As far as I'm concerned, having a machine scanned is a natural
consequence of giving it a link. If you'd have posed this question five
short years ago my response would have been radically different. Times
have changed and so have my priorities; maybe I'm just growing more

Academic validity of the research aside, I don't have any ethical
problem with the idea of probing random hosts. And yes, that includes
military hosts. You make valid critiques of the grad student's sample
population, but the act of purposefully excluding DOD netblocks would
have introduced its own skew and bias.

Bruteforce attempts against sshd are a dime a dozen now, and I don't pay
them any attention unless they're trying to crack a valid login. As Tony
said, there's a big difference between probing and trying to exploit
something that the probe has revealed. An attack is an attack, and can
be dealt with as needed during or afterwards; a probe is just someone
checking my oil.

