In message <[email protected]>, Jo Rhett <[email protected]> wrote:

>> If I have a web server that's configured to serve up pages for 1,000
>> different web sites, and I get a DMCA complaint about one in particular,
>> I can disable that one alone.
>
> And if you have 1,000 customers using the same source IP (A) how do you
> identify which customer is causing abuse complaints with outbound
> sessions

Well, lemme see here. (Abuse is actually something that I do know a bit
about, so I think that I may be able to address this, perhaps even to your
satisfaction.)

Before I can answer the question, I need some information: Are you allowing
all of these 1,000 client people to access a shell prompt and/or run their
own arbitrary binaries on the specific machine to which you have assigned
the single IP address in question?

If so, then yea, you will likely be hard-pressed to figure out which one of
those 1,000 suspect persons is the actual miscreant. (But in this case,
adequate logs may actually help.)

This is sort of a good argument to not sell shell accounts to people that
you have no real basis to trust, or if you do, to give each one its own
unique IP address. But the IP addresses that you dole out to such folks
could be IPv6, and most of the people you are likely to come across that
just want a shell someplace will likely be OK with that. They don't really
need an IPv4 address unless they plan to run a server of some sort, and you
can make special accommodations for those few. Most can get IPv6.

For abusive behavior that (somehow) arises from the activities of people
who DO NOT have shell accounts and who DO NOT have the ability to run
arbitrary binaries on your hardware, I can't give you a general answer. You
would have to give me at least some vague hint or clue as to how such
"abuse" might arise in such a context. Then I could answer. But as it
stands, the question is rather amorphous. It's like asking how you can
prevent anything bad from happening to you when and if you walk into a dark
alley on a moonless night. I can't provide a general answer. You might be
attacked by a crazed dentist who might try to give you an impromptu root
canal. In that case my advice would be clear: If at all possible, keep your
mouth shut. :-)

> and (B) just one could cause outages for the others by
> consuming all the ports by a badly written script/plugin or deliberate
> abuse.

It's an interesting point, and one that I'll have to research. I use
FreeBSD, when I can, and on that, at least, there are quite a lot of
options available to the sysadmin for limiting resource usage, e.g.
per-user limits on memory usage, and various kinds thereof (e.g. swap,
stack, etc.). What you've just asked about is just another rather obvious
way that one user could hog resources at the expense of all others, and I
would hope that FreeBSD, at least, would provide some way that root could
place per-user limits on maximum port usage, you know, in order to avoid
exactly such situations. But maybe not. I'll have to look into it. I do
believe that FreeBSD supports per-user limits on the number of sockets, and
that may effectively and in practice work out to the same thing.

Certainly if you have rambunctious college students that you are allowing
to have shell accounts on your servers, then you had best first be sure
that your OS is capable of limiting any damage they can do (and
specifically any and all trivial resource exhaustion ploys). But I think
that's an almost entirely orthogonal question to the question of how you
distribute or use your IPv4 addresses.

(And by the way, one of the first programs that I ever wrote simply
recursed on itself, ad infinitum. I can't clearly recall anymore, but I do
believe that RSTS/E was able to survive that however.)

> Finally, there are a number of poorly written laws that require that
> unique IPs be given to each customer.

WHOA! Really?? I'd *really* like to have a look at THOSE! Can you provide
citations?

I had no idea that any legislators anywhere on earth had gotten this deep
into trying to micro-manage the Internet. (Not that I wouldn't put it past
them to try!)

> Whether or not the technology
> could support it, the legal framework a business has to operate in may not.

Well, I agree that that is certainly a whole separate kettle of fish, if
indeed there are any such laws (e.g. requiring one IP address per user). I
earnestly would like to have a look at those, if you can point me at them.
Mostly, I'd just like to see how they define the term "user"... as in the
thing to which a unique IP address must be assigned. But it would also be
fascinating to see how they define the term "IP address". Would an IPv6
address fit the bill? If so, then problem solved, right?

>> Is this not self-evident?
>
> It is not. And again, you are being insulting to people based on your
> own ignorance and in this case a fairly basic misunderstanding of how IP
> works.

I fail to see how anything I have said could be even remotely misconstrued
as being in any way insulting. But as I have also said, if there is some
consensus on that point, I'll act accordingly, and apologize if warranted.

Regards,
rfg

_______________________________________________
ARIN-PPML mailing list ([email protected])
https://lists.arin.net/mailman/listinfo/arin-ppml
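The two technical points in the message above, attributing an outbound abuse complaint to one of many shell users behind a single IPv4 address ("adequate logs may actually help"), and spotting the one user who is eating all the ephemeral ports, come down to keeping a per-socket record that carries the owning uid. The following is an added example, not part of the mailing-list post or any ARIN material. It assumes the host periodically saves a FreeBSD-style `sockstat -4 -c` snapshot with the columns USER, COMMAND, PID, FD, PROTO, LOCAL ADDRESS, FOREIGN ADDRESS; the snapshot, the user names and the addresses (RFC 5737 documentation ranges) are all constructed for the example, and the column layout is an assumption about that tool that should be checked against the version in use.

```python
"""Attribute outbound abuse on a shared IPv4 address to a local user.

Added example, not from the mailing-list message. It assumes the host
records a FreeBSD-style ``sockstat -4 -c`` snapshot (columns USER COMMAND
PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS); the snapshot below is
constructed and the column layout is an assumption about that tool.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from typing import NamedTuple


class Conn(NamedTuple):
    user: str
    command: str
    pid: int
    proto: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int


SHARED_IP = "203.0.113.10"  # the one address all the shell users share

# Constructed sockstat-like snapshot (constructed users and addresses).
SOCKSTAT_SNAPSHOT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
alice    ssh        2041   3 tcp4   203.0.113.10:51122    198.51.100.7:22
bob      perl       2100   4 tcp4   203.0.113.10:52001    192.0.2.25:25
bob      perl       2100   5 tcp4   203.0.113.10:52002    192.0.2.25:25
bob      perl       2100   6 tcp4   203.0.113.10:52003    192.0.2.25:25
bob      perl       2100   7 tcp4   203.0.113.10:52004    192.0.2.25:25
carol    curl       2150   3 tcp4   203.0.113.10:53010    198.51.100.80:443
carol    curl       2151   3 tcp4   203.0.113.10:53011    198.51.100.80:443
root     sshd        950   4 tcp4   *:22                  *:*
"""


def _split_addr(addr: str) -> tuple[str, int]:
    """Split 'ip:port' as printed by sockstat; '*' means unspecified."""
    ip, _, port = addr.rpartition(":")
    return ip, (0 if port == "*" else int(port))


def parse_sockstat(text: str) -> list[Conn]:
    """Turn a snapshot into Conn records, skipping the header and odd lines."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "USER":
            continue
        user, cmd, pid, _fd, proto, local, foreign = fields
        lip, lport = _split_addr(local)
        fip, fport = _split_addr(foreign)
        conns.append(Conn(user, cmd, int(pid), proto, lip, lport, fip, fport))
    return conns


def outbound(conns: list[Conn], shared_ip: str = SHARED_IP) -> list[Conn]:
    """Sockets bound to the shared address with a real peer (listeners excluded)."""
    return [c for c in conns if c.local_ip == shared_ip and c.foreign_ip != "*"]


def who_talked_to(conns: list[Conn], foreign_ip: str, foreign_port: int | None = None) -> set[str]:
    """Users behind the shared IP with a session to the complained-about peer.

    An abuse complaint usually names only our shared IP, the peer and a time;
    the uid recorded with each socket is what makes the session attributable.
    """
    return {
        c.user for c in outbound(conns)
        if c.foreign_ip == foreign_ip
        and (foreign_port is None or c.foreign_port == foreign_port)
    }


def ports_per_user(conns: list[Conn]) -> Counter:
    """Distinct ephemeral ports each user holds on the shared address."""
    used = defaultdict(set)
    for c in outbound(conns):
        used[c.user].add(c.local_port)
    return Counter({u: len(p) for u, p in used.items()})


def port_hogs(conns: list[Conn], threshold: int) -> list[str]:
    """Users holding more than `threshold` ports: candidates for a per-user cap."""
    return sorted(u for u, n in ports_per_user(conns).items() if n > threshold)


if __name__ == "__main__":
    conns = parse_sockstat(SOCKSTAT_SNAPSHOT)
    print("complaint about 192.0.2.25:25 ->", who_talked_to(conns, "192.0.2.25", 25))
    print("ports per user:", dict(ports_per_user(conns)))
    print("hogs over 3 ports:", port_hogs(conns, 3))
```

The snapshot has to be taken often enough to overlap the session named in the complaint, and it only works at all because the kernel tags every socket with its owning uid; that same tag is what a per-user socket cap would hang off. On FreeBSD the cap the message hopes for is available through rctl(8), whose `openfiles` resource counts sockets along with other descriptors, so a per-user deny rule bounds how many ports one user can hold.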
