If you want to identify which peering links are sending you spoofed DDoS
amplification request traffic and which (Shadowserver identified) IPs in your
network the traffic is going to, please take a look at my Tattle Tale project:
https://github.com/racompton/tattle-tale
Identify which peers are sending you the spoofed UDP amplification traffic and
"encourage" them to follow BCP 38/84!
The project has this file to identify legitimate scanning traffic:
https://github.com/racompton/tattle-tale/blob/main/logstash/conf.d/81-filter-scanners.conf
-Rich
On 6/28/21, 1:29 PM, "NANOG on behalf of Jean St-Laurent via NANOG"
<nanog-bounces+rich.compton=charter....@nanog.org on behalf of nanog@nanog.org>
wrote:
CAUTION: The e-mail below is from an external source. Please exercise
caution before opening attachments, clicking links, or following guidance.
Great list.
ShadowServer is there twice on page 7. They must be noisy 😉
Jean
-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest...@nanog.org> On Behalf Of Hank
Nussbacher
Sent: June 28, 2021 2:50 PM
To: nanog@nanog.org
Subject: Re: shadowserver.org
> What is the difference between shodan.io and shadowserver.org ? Jean
Just those 2? Greynoise maps them all. See an old preso from 2018:
https://www.slideshare.net/andrewwantsyou/identifying-and-correlating-internetwide-scan-traffic-to-newsworthy-security-events
See slide 7 for a 4 year old list which has only grown :-)
-Hank
E-MAIL CONFIDENTIALITY NOTICE:
The contents of this e-mail message and any attachments are intended solely for
the addressee(s) and may contain confidential and/or legally privileged
information. If you are not the intended recipient of this message or if this
message has been addressed to you in error, please immediately alert the sender
by reply e-mail and then delete this message and any attachments. If you are
not the intended recipient, you are notified that any use, dissemination,
distribution, copying, or storage of this message or any attachment is strictly
prohibited.
