Hello and welcome to the Thursday, December 7, 2020, edition of the Sansonet Stormontas Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Jan today wrote a big diary about an interesting new RFC that was just released last week, RFC-911, and it deals with a problem that I've mentioned a few times

and we have data for on the United Storm Center website and that's researchers scanning the internet.

I think we have now something like 30 groups that we are tracking based on our data because

they often show up as some of the top attackers.

And the problem, of course, is that these researchers themselves create quite a bit of sort

of background noise.

And it's often important to figure out if a particular scan that you're seeing in your network is just some researchers,

so you may just want to block them, or something more malicious, or maybe even some false positives or such.

Well, RFC 9511 suggests that a web server on the IP address doing the probing is providing essentially

a little file in the well-known directory called probing.text that provides additional information

about the origin of these scans. It would be interesting to see if this takes off. There is, of course,

a risk that bad guys will claim that they're researchers, but they already do that to some

extent. There's nothing to prevent an attacker from just setting up a webpage on a scanning IP.

I'm claiming that this is part of a research organization.

I think where this will really help is it will give you a little bit more background as to who is actually behind the scan.

And then you can check that particular organization's webpage, for example, to cooperate the information that is provided via that probing.

Text file.

Interesting approach.

We'll see if it takes off, but I would suggest if you're planning to scan the Internet for something,

well, check if someone is already doing that and just share data with them.

...