[Dshield] ISPs - How much monitoring is enough?

Brad Spencer brad.madison at mail.tds.net
Sat Jan 17 19:14:07 GMT 2004

At 12:22 PM 1/17/2004 -0500, you wrote:

>- they can only sniff traffic if it is directly related to security.
>   I am not sure what the limits are, but for example an IDS with tuned
>   signatures falls into the permitted category
>- Once a file is stored on their servers, they can not read it. Even
>   if for some reason they find a file indicating possible illegal
>   activity, they are not permitted to just hand it over to law
>   enforcement.

What I advocate is watching the IP and port numbers of packets - not the 
packets themselves, not the content.  Honeypots are different: there I trap 
everything.  It's traffic willingly sent to my computer.  I don't run a 
distribution service for spam; the packets, to me, aren't 
"communication" - they are abuse.  I don't advertise the IP as being an 
open relay or open proxy, I simply have software that listens on the 
appropriate ports and archives whatever is sent to them.  For some incoming 
email I do deliver it.  Isn't that exactly what the sender wanted - or did 
he want me to deliver it only if I'd also follow through and deliver 
thousands more?  What if the standard port assignments were changed?  For 
instance, port 25 could be for SMTP or for SMTP honeypots - as a 
standard.  Then what?

Recently there was a federal employee - with the FTC, I think, maybe the 
FCC - who issued warnings about using honeypots.  As I recall the warning 
was for full Honeynet-type honeypots and specifically was that perhaps an 
abuser could overcome the honeypot protections and use the system to commit 
abuse elsewhere, with the honeypot operator being held liable for civil 
damages.  As best as I recall that was his only objection.  Some proxypots 
do simulate the SMTP traffic that the abuser is trying to feed through an 
open proxy by actually contacting the remote server and doing the dialog - 
except not the data portion, and at the end an RSET is done before 
quitting.  Maybe in theory one could say that was abuse - but if that's 
abuse then the full spamming done that way is a greater abuse - and nobody 
yet sues over that, as abuse.

It does get tricky.  If I were an ISP and found an IP in my space sending 
packets to port 1080 all over the world - to me obviously a sign of abuse - 
what could I do?

If I were an ISP and saw incoming packets to port 1080, what can I do?  Can 
I legally contact the ISP from which the packets come and notify it?

If I'm an ISP and see port 25 packets going out all over the world from an 
IP in my space can I look at the source of packets going to that IP (on the 
theory that perhaps it is a compromised system)? Can I then report the IP 
that is the source (if I see one) to the ISP responsible?

If I were an ISP could I examine outgoing packets to see if the source IP 
in those packets corresponds to an IP in my space?  Can I match source IPs 
with MAC addresses?  Can I verify that the MAC address I see is still on 
the same port where it first appeared?

If I were an ISP could I selectively block any of the traffic of the type 
I've mentioned?

What type of legal problem is anticipated - civil or criminal?  For civil 
law an ISP is indemnified for actions taken to prevent offensive material - 
not that I anticipate many spammers and crackers filing suit.  (47 USC 230.)

If I set up a honeypot and put what amounts to a non-standard service on a 
port am I entitled to look at the packets that come in?  Is there a law or 
principle of law that says if I look like an open relay or open proxy I 
must be one?  If I look like a vulnerable system do I have to let someone 
exploit it and install their own software?

I tacitly assume that all the answers to these questions favor doing what I 
advocate - but I can't prove they do.

Even if the answers do favor what I advocate - is that a good thing, or 
would it be better for the law to be so specific and so strict that the ISP 
plain could not look at the traffic on its own network?  (I can imagine 
some feeling strict regulation - and I'd be willing to listen to their 
arguments.  I don't want a "big brother"/1984 government and it's not a 
whole lot better to have a "big brother" ISP.)  Surely the ISP could 
restrict the ports that can be contacted - is that the sole remedy?  Could 
it restrict ports and have a procedure through which a customer could apply 
for permission to send packets out on a specific port, swearing that it 
will not commit any abuse with those packets?

Everything I do and advocate has a security focus - there's no subterfuge 
of hiding something else as a security measure.  Does that make it all OK?
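What header-only monitoring of the kind described in the post could look like, as an added example that is not part of the original message or of the DShield list: constructed flow records carrying only source address, destination address, destination port and direction (no payload), with checks for outbound packets whose source is not in the ISP's own space, for hosts in that space fanning out on port 1080 or port 25 to many distinct destinations, for external sources probing port 1080 across the space (the addresses one would report to the originating ISP), and for who talked to a host suspected of being compromised. The address blocks, thresholds and sample records are assumptions chosen for the example.

```python
"""Header-only abuse checks over flow records (added example, not from the post)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical address space of "our" ISP (assumption; documentation prefixes).
OUR_SPACE = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Constructed sample flow records: (src_ip, dst_ip, dst_port, direction).
# Only the header fields the post advocates watching are kept; no content.
SAMPLE_FLOWS = [
    # a host in our space hitting port 1080 on 40 different destinations
    *[("192.0.2.17", f"203.0.113.{i}", 1080, "out") for i in range(1, 41)],
    # a host in our space sending SMTP to 25 different remote servers
    *[("192.0.2.99", f"203.0.113.{i}", 25, "out") for i in range(50, 75)],
    # ordinary outbound mail from our space to a single relay
    ("192.0.2.5", "203.0.113.200", 25, "out"),
    ("192.0.2.5", "203.0.113.200", 25, "out"),
    # outbound packets whose source address is not ours at all
    ("10.9.8.7", "203.0.113.30", 80, "out"),
    ("203.0.113.77", "203.0.113.30", 53, "out"),
    # one external source probing port 1080 on ten of our hosts
    *[("203.0.113.9", f"192.0.2.{i}", 1080, "in") for i in range(1, 11)],
    # inbound traffic to the suspected SMTP abuser (a possible controller)
    ("203.0.113.66", "192.0.2.99", 6667, "in"),
    ("203.0.113.66", "192.0.2.99", 6667, "in"),
]


def in_our_space(ip, prefixes=OUR_SPACE):
    """True if the address falls inside one of the ISP's own prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in prefixes)


def spoofed_egress(flows, prefixes=OUR_SPACE):
    """Source addresses of outbound packets that are not ours.

    Either a host is forging its source address or something is misrouted;
    this is the egress counterpart of BCP 38 ingress filtering.
    """
    return sorted({src for src, _, _, d in flows
                   if d == "out" and not in_our_space(src, prefixes)})


def fan_out_hosts(flows, port, threshold, prefixes=OUR_SPACE):
    """Hosts in our space that contacted more than `threshold` distinct
    destinations on `port`.  Distinct destinations, not packet count, is the
    signal: a legitimate mail client talks to one or two relays, while an
    open-proxy scanner or a spam engine talks to hundreds."""
    targets = defaultdict(set)
    for src, dst, dport, d in flows:
        if d == "out" and dport == port and in_our_space(src, prefixes):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) > threshold}


def inbound_probe_sources(flows, port, threshold, prefixes=OUR_SPACE):
    """External sources that hit `port` on more than `threshold` of our hosts.

    These are the addresses one would report to the ISP responsible for them.
    """
    targets = defaultdict(set)
    for src, dst, dport, d in flows:
        if d == "in" and dport == port and in_our_space(dst, prefixes):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) > threshold}


def inbound_to_host(flows, host):
    """Who sent packets to a suspected compromised host, and on which port,
    still looking only at headers.  Returns {(src_ip, dst_port): packets}."""
    counts = defaultdict(int)
    for src, dst, dport, d in flows:
        if d == "in" and dst == host:
            counts[(src, dport)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("spoofed egress sources:", spoofed_egress(SAMPLE_FLOWS))
    print("port 1080 fan-out:", fan_out_hosts(SAMPLE_FLOWS, 1080, 10))
    print("port 25 fan-out:", fan_out_hosts(SAMPLE_FLOWS, 25, 10))
    print("inbound 1080 probers:", inbound_probe_sources(SAMPLE_FLOWS, 1080, 5))
    for host in fan_out_hosts(SAMPLE_FLOWS, 25, 10):
        print("talked to", host, "->", inbound_to_host(SAMPLE_FLOWS, host))
```

The thresholds are deliberately on distinct destinations per source rather than raw packet counts, so a busy but legitimate mail server still passes while a scanner or spam engine does not; tune them per network. Nothing here reads past the headers, which is the line the post draws between monitoring and content inspection.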
