cobertos 4 hours ago

> However, in the context of data from Terrace and others we believe a more likely factor is the vantage point itself. Internet scanning often consists of large campaigns coordinated by specific actors,

How does one do a measurement of traffic like this? You would have to own the nodes in the packet route to be able to see traffic, but TerraceNetworks or GreyNoise don't seem to be companies that do that. How do they get the data to analyze?

signalblur 4 hours ago | parent | next [-]

GreyNoise and others have shell companies and spin up exposed infra specifically to pick up scanning activity.

They have them all over the world to get attackers scanning only certain regions etc.

I should also note - I’m extremely skeptical of the OP's claims or inference that the attackers have potentially fingerprinted GreyNoise's sensors. To suggest this while some traffic increased from specific ASNs seems unlikely to be the case.

If it’s not clear - this was written by a competitor of theirs.

RupertSalt 3 hours ago | parent | next [-]

If you want a disinterested perspective from the Research & Education community, look to CAIDA, the Center for Applied Internet Data Analysis: https://www.caida.org/

Also I just found "Hawkeye" the author of TinyFugue, Ken Keys, employed here! Cool beans!

ericpauley 3 hours ago | parent [-]

CAIDA is doubtless a gold standard. One thing to note, however, is that the same vantage point avoidance issue applies even more to publicly-documented vantage points. In fact, it was concerns specifically about adversarial avoidance of academic telescopes that led to our research at UW-Madison and eventually to Terrace.

When looking at telescope data like CAIDA’s UCSD-NT, it’s also important to remember that source IPs can be spoofed absent a valid handshake, something that both our and GreyNoise’s analysis accounts for.
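The handshake check mentioned above, shown as an added example (it is not Terrace's, GreyNoise's, or CAIDA's code): a sensor that actually answers SYNs can tell a real scanner apart from a spoofed source, because a spoofed source never sees the SYN-ACK and so never sends the final ACK. The packet records and sensor addresses below are constructed; the flag-string representation (`S`, `SA`, `A`, `PA`, `R`) is an assumption about how a capture has been pre-parsed. On a purely passive telescope no flow can ever reach `established`, which is exactly why source IPs there cannot be trusted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet as it might be pre-parsed from a pcap (constructed format)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "PA", "R", "RA"


# Hypothetical responder sensors (TEST-NET-3 addresses); a real deployment would
# load these from its own inventory.
SENSOR_IPS = {"203.0.113.10", "203.0.113.11"}


def handshake_state(packets):
    """Track each inbound flow's progress through the three-way handshake.

    Returns {(client_ip, client_port, sensor_ip, sensor_port): state} where
    state is one of "syn" (only a SYN seen), "synack" (sensor replied) or
    "established" (client sent the final ACK, proving it received the SYN-ACK).
    """
    state = {}
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.flags == "S" and p.dst in SENSOR_IPS:
            # New inbound SYN: may be a real probe or a spoofed source.
            state.setdefault((p.src, p.sport, p.dst, p.dport), "syn")
        elif p.flags == "SA" and p.src in SENSOR_IPS:
            # Sensor answered; flip the key back to client-first orientation.
            key = (p.dst, p.dport, p.src, p.sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif "A" in p.flags and "S" not in p.flags and "R" not in p.flags \
                and p.dst in SENSOR_IPS:
            # Plain ACK (or PSH/ACK) from the client after the SYN-ACK: only a
            # host that really owns the source address can produce this.
            key = (p.src, p.sport, p.dst, p.dport)
            if state.get(key) == "synack":
                state[key] = "established"
    return state


def classify_sources(packets):
    """Split source IPs into handshake-verified and unverified (spoofable) sets."""
    verified, unverified = set(), set()
    for (src, _, _, _), st in handshake_state(packets).items():
        (verified if st == "established" else unverified).add(src)
    # A source with at least one completed handshake counts as verified overall.
    return verified, unverified - verified


# Constructed sample capture: one genuine scanner, one SYN-only source, and one
# source that never ACKs the SYN-ACK (consistent with a spoofed address).
SAMPLE = [
    Packet(1.0, "198.51.100.7", 40001, "203.0.113.10", 22, "S"),
    Packet(1.1, "203.0.113.10", 22, "198.51.100.7", 40001, "SA"),
    Packet(1.2, "198.51.100.7", 40001, "203.0.113.10", 22, "A"),
    Packet(2.0, "192.0.2.99", 51000, "203.0.113.11", 445, "S"),
    Packet(3.0, "192.0.2.55", 52000, "203.0.113.10", 23, "S"),
    Packet(3.1, "203.0.113.10", 23, "192.0.2.55", 52000, "SA"),
    Packet(3.5, "192.0.2.55", 52000, "203.0.113.10", 23, "RA"),  # RST, not an ACK
]


if __name__ == "__main__":
    good, suspect = classify_sources(SAMPLE)
    print("handshake-verified sources:", sorted(good))
    print("unverified (possibly spoofed) sources:", sorted(suspect))
```

Counting only `established` flows when attributing scans to a source network is the cheap defensive filter; everything still in `syn` or `synack` belongs in a separate, lower-confidence bucket rather than being dropped outright, since SYN-only volume is still useful for spotting campaigns.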

ericpauley 4 hours ago | parent | prev [-]

We cannot know for certain what the root cause is. However, honeypot fingerprinting is a well-known risk for any vantage point, particularly a high-profile one.

ericpauley 4 hours ago | parent | prev [-]

This is a very challenging problem, especially if you don’t want to be over-concentrated on specific threat actors (as we suspect has happened here).