[Dshield] ISPs - How much monitoring is enough?
brad.madison at mail.tds.net
Sat Jan 17 19:14:07 GMT 2004
At 12:22 PM 1/17/2004 -0500, you wrote:
>- they can only sniff traffic if it is directly related to security.
> I am not sure what the limits are, but for example an IDS with tuned
> signatures falls into the permitted category
>- Once a file is stored on their servers, they can not read it. Even
> if for some reason they find a file indicating possible illegal
> activity, they are not permitted to just hand it over to law
What I advocate is watching the IP and port numbers of packets - not the
packets themselves, not the content. Honeypots are different: there I trap
everything. It's traffic willingly sent to my computer. I don't run a
distribution service for spam, the packets, to me, aren't
"communication" - they are abuse. I don't advertise the IP as being an
open relay or open proxy, I simply have software that listens on the
appropriate ports and archives whatever is sent to them. For some incoming
email I do deliver it. Isn't that exactly what the sender wanted - or did
he want me to deliver it only if I'd also follow through and deliver
thousands more? What if the standard port assignments were changed? For
instance, port 25 could be for SMTP or for SMTP honeypots - as a
standard. Then what?
Recently there was a federal employee - with the FTC, I think, maybe the
FCC - who issued warnings about using honeypots. As I recall the warning
was for full Honeynet-type honeypots and specifically was that perhaps an
abuser could overcome the honeypot protections and use the system to commit
abuse elsewhere, with the honeypot operator being held liable for civil
damages. As best as I recall that was his only objection. Some proxypots
do simulate the SMTP traffic that the abuser is trying to feed through an
open proxy by actually contacting the remote server and doing the dialog -
except not the data portion, and at the end an RSET is done before
quitting. Maybe in theory one could say that was abuse - but if that's
abuse then the full spamming done that way is a greater abuse - and nobody
yet sues over that, as abuse.
It does get tricky. If I were an ISP and found an IP in my space sending
packets to port 1080 all over the world - to me obviously a sign of abuse -
what could I do?
If I were an ISP and saw incoming packets to port 1080, what can I do? Can
I legally contact the ISP from which the packets come and notify it?
If I'm an ISP and see port 25 packets going out all over the world from an
IP in my space can I look at the source of packets going to that IP (on the
theory that perhaps it is a compromised system)? Can I then report the IP
that is the source (if I see one) to the ISP responsible?
If I were an ISP could I examine outgoing packets to see if the source IP
in those packets corresponds to an IP in my space? Can I match source IPs
with MAC addresses? Can I verify that the MAC address I see is still on
the same port where it first appeared?
If I were an ISP could I selectively block any of the traffic of the type
What types of legal problem are anticipated - civil or criminal? For civil
law an ISP is indemnified for actions taken to prevent offensive material -
not that I anticipate many spammers and crackers filing suit. (47 USC 230.)
If I set up a honeypot and put what amounts to a non-standard service on a
port am I entitled to look at the packets that come in? Is there a law or
principle of law that says if I look like an open relay or open proxy I
must be one? If I look like a vulnerable system do I have to let someone
exploit it and install their own software?
I tacitly assume that all the answers to these questions favor doing what I
advocate - but I can't prove they do.
Even if the answers do favor what I advocate - is that a good thing, or
would it be better for the law to be so specific and so strict that the ISP
plain could not look at the traffic on its own network? (I can imagine
some feeling strict regulation - and I'd be willing to listen to their
arguments. I don't want a "big brother"/1984 government and it's not a
whole lot better to have a "big brother" ISP.) Surely the ISP could
restrict the ports that can be contacted - is that the sole remedy? Could
it restrict ports and have a procedure through which a customer could apply
for permission to send packets out on a specific port, swearing that it
will not commit any abuse with those packets?
Everything I do and advocate has a security focus - there's no subterfuge
of hiding something else as a security measure. Does that make it all OK?
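As an added illustration (not code from the original post), this is the header-only monitoring the author advocates, in Python: flow records carrying only source address, destination address and destination port are checked for a single host fanning out to port 1080 or 25 across many destinations, and for outgoing packets whose source address is not in the ISP's own block. The address block, watched ports, threshold and flow records are all constructed assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical ISP customer block (constructed for this example).
ISP_SPACE = ip_network("203.0.113.0/24")
WATCHED_PORTS = {25, 1080}   # SMTP and SOCKS, the ports discussed above
FANOUT_THRESHOLD = 3         # distinct destinations before a host is flagged

# Constructed flow records: only the header fields a border router exports
# (source IP, destination IP, destination port). No payload is inspected.
FLOWS = [
    ("203.0.113.10", "198.51.100.1", 1080),
    ("203.0.113.10", "198.51.100.2", 1080),
    ("203.0.113.10", "198.51.100.3", 1080),
    ("203.0.113.10", "198.51.100.4", 1080),
    ("203.0.113.20", "198.51.100.5", 25),
    ("203.0.113.20", "198.51.100.5", 25),
    ("203.0.113.30", "198.51.100.6", 443),
    ("192.0.2.77", "198.51.100.7", 25),   # source outside ISP space: spoofed
]


def spoofed_egress(flows, isp_space=ISP_SPACE):
    """Outgoing flows whose source address does not belong to the ISP's block."""
    return sorted({src for src, _, _ in flows if ip_address(src) not in isp_space})


def port_fanout(flows, ports=WATCHED_PORTS):
    """Number of distinct destinations per (source, port) on the watched ports."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        if port in ports:
            seen[(src, port)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def flag_scanners(flows, threshold=FANOUT_THRESHOLD):
    """(source, port) pairs fanning out to at least `threshold` destinations."""
    return sorted(key for key, n in port_fanout(flows).items() if n >= threshold)


if __name__ == "__main__":
    for src, port in flag_scanners(FLOWS):
        print(f"{src} contacted many hosts on port {port}: notify abuse desk")
    for src in spoofed_egress(FLOWS):
        print(f"{src} is not in {ISP_SPACE}: egress source address check failed")
```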