Hello and welcome to the Friday, February 23rd, 2004 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Rachel Downs, one of our Sands.edu interns, has contributed a real nice diary today looking at a good range of data

probing for TCP port 502.

TCP port 502 is used for modbus and modbus is an industrial control system protocol.

Now, she did detect quite a bit of activity

here, but then looked closer at where does the activity actually come from. And to her surprise,

she found that 89% of the scans originated from researchers.

There were more than a dozen different research groups,

I think about two dozen different research groups,

that did scan her honeypot for Port 502 TCP.

This is something that we have talked about before. I've sometimes seen sort of the

overall scan rate of like 30% just originating from these researchers. A couple problems

with some of these researchers. First of all, they're not always easy identifiable as researchers.

Also, not always clear who's actually behind the research,

like what company, what organization or so is behind it. And then some of them do not have

a clear way to opt out of their scans. Putting aside some of the ethical questions about

scanning the internet without really asking for permission,

it should be sort of a minimum requirement that you at least offer some form to opt out

and that you clearly identify who the scan originates from.

And you probably already heard from the regular news that, well, Thursday

morning, AT&T had a major outage, if not taking down their entire wireless network, at least

...