if i typo and enter your ip in my browser, thats illegal?
theres no way to tell the intentions of a received packet.. is it research, is
it hostile, is it an infected machine, is it an error
whilst its prudent to assume that anything received unexpectedly is malicious,
that doesnt necessarily follow that you should do anything more with it than
discard it.. you should obtain more data before deciding to take action
and whilst you may not like the research community carrying out unauthorized
probes it is these guys who made and maintain the internets systems, you should
cut them some slack in the name of research!
Steve
On Fri, 6 Aug 2004, Robert Bonomi wrote:
To: [EMAIL PROTECTED]
Subject: Re: Research - Valid Data Gathering vs Annoying Others
Date: Fri, 6 Aug 2004 14:09:01 -0400 (EDT)
From: John K Lerchey [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Research - Valid Data Gathering vs Annoying Others
Hi NANOG folks,
We have a situation (which has come up in the past) that I'd like some
opinions on.
[[.. $ mount /dev/soapbox # you have been warned. ..]]
Periodically, we have researchers who develop projects which will do
things like randomly port probe off-campus addresses. The most recent
instance of this is a group studying bottlenecks on the internet. Thus,
they hit hosts (again, semi-randomly) on both the commodity internet and
on I2 (abeline) to look for places where there is traffic congestion.
The problem is that many of their random targets consider the probes to
be either malicious in nature, or outright attacks.
Why not? Their network, *THEIR* rules.
*HOW* is one supposed to tell a 'benign' probe from a 'hostile' one,
when it is addressed to a machine that doesn't exist, or to a 'service'
that doesn't exist on an existant machine?
With all the 'overtly hostile' traffic out there, why on earth would anyone
consider that, with regard to 'unexpected'/'abnormal' traffic, there should
be _any_ 'expectation of innocence'?
Surely you don't think that the 'recipient' needs to do a _complete_analysis_
of what was being attempted, and why -- including making a determination of
the 'intentions' of the perpetrator -- for -every- 'unauthorized' attempt
to use their network, before complaining about the fact of an attempt at
'unauthorized use'?
I have a very _simple_ rule -- if it isn't intended for a service I make
available, on a machine I let the world have access to, then it is, _by_
definition_, an attempt to access that machine 'without authorization, or
in excess of the authorization granted'. Because the -only- 'authorized
use is those things whiich I expressly let past my firewall. Ergo, if
the firewall blocks it, it _IS_ an 'unauthorized access' attempt.
Whereupon, 18 USC 1030 (b), becomes *very* relevant, given the language
of 18 USC (a) (2) (C). The minimum penalty is 'up to a year imprisonment'.
given any 'extenuating circumstances' and it could be up to 20 years.
On my _personal_ network, at home (a /29 -- big wow:), I currently see
well over FIFTEEN THOUSAND unauthorized probes per day. Of those, a
*maximum* of 1-in-four-thousand *might* possibly be legitimate.
I give people the 'benefit of the doubt', and assume that these probes
are coming from virus-infected (unbeknownst to the owner) machines, rather
than 'deliberate, with malice aforethought' hacking attempts by the machine's
owner.
HOWEVER, that notwithstanding, *EVERY*ONE* gets reported to the responsible
_network_operator_ -- as an 'apparent virus-infected machine on your network',
With the relevant supporting documentation, and a simple request that the
machine be disabled from external network access until it has been sterilized
and secured against further infection.
The reporting is mostly to help the other operators keep _their_ networks
clean. And to get those machines off-line -- so that they cannot infect
other 'unprotected' machines. I'm confident _my_ network is adequately
protected. grin
Note: I don't care _what_ the 'name' of the machine is -- I don't even
check for rDNS, I look up the registered netblock _owner_ of the IP address,
at the RIR. And THAT is where the complaint reports go.
As a result of this,
we, of course, get complaints.
Deservedly so.
One suggestion that I received fro a co-worker to help to mitigate this is
to have the researchers run the experiments off of a www host, and to have
the default page explain the experiment and also provide contact info.
People are supposed to 'take it on faith' that what the website _says_ about
what is going on _is_ what is *actually* happening?
I hope you don't mind if I laugh -- Computerized 'social engineering', in
an attempt to deflect complaints, _is_ a humorous concept.
Do you *really* think that anybody is going to bother to go