I wonder how often the reverse happens, i.e. admins sending angry emails to their own users who appear to be scanning other people's networks.
Anecdote: when I was a grad student at AS88, I once got an email asking me to stop port scanning. I was confused because I wasn't port scanning anyone. I asked for details and an admin sent me a report generated by some seemingly off-the-shelf network admin software (forgot the brand), with a bar chart of all IP addresses I was frequenting -- rather creepy, honestly. Turns out I was renting ~20 servers around the world as PoPs for a personal project at that time, and regularly deploying code to all of them at once over SSH (all configured at port 22). Apparently regularly accessing ~20 servers at once over a single port was enough to be flagged as "port scanning". I wonder if people doing actual security research over at the CS department were exempt from nonsense like this.
Anecdote: when I was a grad student at AS88, I once got an email asking me to stop port scanning. I was confused because I wasn't port scanning anyone. I asked for details and an admin sent me a report generated by some seemingly off-the-shelf network admin software (forgot the brand), with a bar chart of all IP addresses I was frequenting -- rather creepy, honestly. Turns out I was renting ~20 servers around the world as PoPs for a personal project at that time, and regularly deploying code to all of them at once over SSH (all configured at port 22). Apparently regularly accessing ~20 servers at once over a single port was enough to be flagged as "port scanning". I wonder if people doing actual security research over at the CS department were exempt from nonsense like this.