[Dshield] Re: list Digest, Vol 13, Issue 25

Kenneth Coney superc at visuallink.com
Sun Jan 18 17:16:30 GMT 2004


Using the landlord analogy makes it easy to answer your questions.  Think 
of the IP as being the owner of a large apartment house with people coming 
and going all the time.

"If I were an ISP and saw incoming packets to port 1080, what can I do? 
Can I legally contact the ISP from which the packets come and notify it?"

Regardless of your decision there, you can certainly contact your tenant, 
client, and alert them, maybe ask them if they know of a reason for the 
traffic.  Who knows, they might give permission for you to look further 
into it.

"If I'm an ISP and see port 25 packets going out all over the world from an 
IP in my space can I look at the source of packets going to that IP (on the 
theory that perhaps it is a compromised system)? Can I then report the IP 
that is the source (if I see one) to the ISP responsible?"

Wrong direction.  The originating IP is in your space.  Do you have 
incoming abuse reports related to the packets?  Fix it on your end.  Call 
the client owner and ask him why.

Are you running open relays?  Why?  Where is the profit in that?

This is a lot like owning an apartment building in a major city and 
becoming aware some of your tenants are doing illegal things and some of 
their visitors are there to harm other tenants.  The situation does 
sometimes get confrontational.  You knew that when you became a landlord. 
That's why landlords get gun permits.  The first thing you should be doing 
is contacting your clients/tenants and obtaining permissions.  An "all 
visitors must sign in" approach might be warranted.  Some clients will 
leave rather than give permissions.  That's okay.  Others will replace 
them.  Put what you need in the papers they sign.  When you run an 
apartment house, some tenants will move out rather than have their visitors 
sign in and present identification.  You are probably better off without 
them and you are certainly better off without their unknown visitors.  Seek 
an approval for a mail watch before logging incoming traffic to specific 
IPs in your domain.

You own the space.  You own the machines.  Make and publish your rules and 
only take on clients (tenants) who agree.  What's the problem with that?


Subject: Re: [Dshield] ISPs - How much monitoring is enough?
From: Brad Spencer <brad.madison at mail.tds.net>
Date: Sat, 17 Jan 2004 13:14:07 -0600
To: General DShield Discussion List <list at dshield.org>

At 12:22 PM 1/17/2004 -0500, you wrote:

 > - they can only sniff traffic if it is directly related to security.
 >   I am not sure what the limits are, but for example an IDS with tuned
 >   signatures falls into the permitted category
 > - Once a file is stored on their servers, they can not read it. Even
 >   if for some reason they find a file indicating possible illegal
 >   activity, they are not permitted to just hand it over to law
 >   enforcement.


What I advocate is watching the IP and port numbers of packets - not the 
packets themselves, not the content.  Honeypots are different: there I trap 
everything.  It's traffic willingly sent to my computer.  I don't run a 
distribution service for spam, the packets, to me, aren't "communication" 
- they are abuse.  I don't advertise the IP as being an open relay or open 
proxy, I simply have software that listens on the appropriate ports and 
archives whatever is sent to them.  For some incoming email I do deliver 
it.  Isn't that exactly what the sender wanted - or did he want me to 
deliver it only if I'd also follow through and deliver thousands more? 
What if the standard port assignments were changed?  For instance, port 25 
could be for SMTP or for SMTP honeypots - as a standard.  Then what?

Recently there was a federal employee - with the FTC, I think, maybe the 
FCC - who issued warnings about using honeypots.  As I recall the warning 
was for full Honeynet-type honeypots and specifically was that perhaps an 
abuser could overcome the honeypot protections and use the system to commit 
abuse elsewhere, with the honeypot operator being held liable for civil 
damages.  As best as I recall that was his only objection.  Some proxypots 
do simulate the SMTP traffic that the abuser is trying to feed through an 
open proxy by actually contacting the remote server and doing the dialog - 
except not the data portion, and at the end an RSET is done before 
quitting.  Maybe in theory one could say that was abuse - but if that's 
abuse then the full spamming done that way is a greater abuse - and nobody 
yet sues over that, as abuse.

It does get tricky.  If I were an ISP and found an IP in my space sending 
packets to port 1080 all over the world - to me obviously a sign of abuse - 
what could I do?

If I were an ISP and saw incoming packets to port 1080, what can I do?  Can 
I legally contact the ISP from which the packets come and notify it?

If I'm an ISP and see port 25 packets going out all over the world from an 
IP in my space can I look at the source of packets going to that IP (on the 
theory that perhaps it is a compromised system)? Can I then report the IP 
that is the source (if I see one) to the ISP responsible?

If I were an ISP could I examine outgoing packets to see if the source IP 
in those packets corresponds to an IP in my space?  Can I match source IPs 
with MAC addresses?  Can I verify that the MAC address I see is still on 
the same port where it first appeared?

If I were an ISP could I selectively block any of the traffic of the type 
I've mentioned?

What type of legal problem is anticipated - civil or criminal?  For civil 
law an ISP is indemnified for actions taken to prevent offensive material - 
not that I anticipate many spammers and crackers filing suit.  (47 USC 230.)

If I set up a honeypot and put what amounts to a non-standard service on a 
port am I entitled to look at the packets that come in?  Is there a law or 
principle of law that says if I look like an open relay or open proxy I 
must be one?  If I look like a vulnerable system do I have to let someone 
exploit it and install their own software?

I tacitly assume that all the answers to these questions favor doing what I 
advocate - but I can't prove they do.

Even if the answers do favor what I advocate - is that a good thing, or 
would it be better for the law to be so specific and so strict that the ISP 
plain could not look at the traffic on its own network?  (I can imagine 
some feeling strict regulation - and I'd be willing to listen to their 
arguments.  I don't want a "big brother"/1984 government and it's not a 
whole lot better to have a "big brother" ISP.)  Surely the ISP could 
restrict the ports that can be contacted - is that the sole remedy?  Could 
it restrict ports and have a procedure through which a customer could apply 
for permission to send packets out on a specific port, swearing that it 
will not commit any abuse with those packets?

Everything I do and advocate has a security focus - there's no subterfuge 
of hiding something else as a security measure.  Does that make it all OK?
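
The kind of SMTP sink Brad describes above (software that listens on port 25, looks like an open relay, archives whatever is sent and delivers nothing) as an added example; this is not code from the original post or from any DShield project. The hostname, the peer address and the client transcript are constructed for illustration, and the sink never opens an outbound connection, so the "contact the remote server and RSET" variant of a proxypot is deliberately not implemented here.

```python
"""Non-relaying SMTP honeypot sink (added example, not from the list post).

Speaks enough SMTP for a relay scanner or spam engine to believe its message
was accepted, records envelope and body, and never relays anything.  Names
and the sample transcript below are constructed for demonstration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Capture:
    """One envelope plus message body archived by the sink."""
    peer: str
    helo: Optional[str] = None
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    data: bytes = b""


def _addr(arg: bytes) -> str:
    """Pull 'user@host' out of 'FROM:<user@host>' or 'TO:<user@host>'."""
    start, end = arg.find(b"<"), arg.rfind(b">")
    if start != -1 and end > start:
        return arg[start + 1:end].decode("ascii", "replace")
    # Tolerate sloppy clients that omit the angle brackets.
    return arg.partition(b":")[2].strip().decode("ascii", "replace")


class SmtpSink:
    """Minimal SMTP state machine: HELO/EHLO, MAIL, RCPT, DATA, RSET, QUIT."""

    def __init__(self, peer: str, hostname: str = "mx.example.invalid") -> None:
        self.peer = peer          # remote address, kept for the record only
        self.hostname = hostname  # assumed banner name; no real host involved
        self.helo: Optional[str] = None
        self.archive: List[Capture] = []
        self.closed = False
        self._queued = 0
        self._reset()

    def _reset(self) -> None:
        """Forget the current envelope (RSET, or after a completed message)."""
        self.mail_from: Optional[str] = None
        self.rcpt_to: List[str] = []
        self.in_data = False
        self._body: List[bytes] = []

    def greeting(self) -> bytes:
        return b"220 %s ESMTP\r\n" % self.hostname.encode()

    def feed(self, line: bytes) -> bytes:
        """Consume one CRLF-terminated client line; return the server reply."""
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
        verb = verb.upper()
        if verb in (b"HELO", b"EHLO"):
            self.helo = arg.decode("ascii", "replace")
            return b"250 %s\r\n" % self.hostname.encode()
        if verb == b"MAIL":
            self.mail_from = _addr(arg)
            self.rcpt_to = []
            return b"250 OK\r\n"
        if verb == b"RCPT":
            if self.mail_from is None:
                return b"503 need MAIL first\r\n"
            # An open relay accepts any destination; so do we, but nothing
            # recorded here is ever forwarded.
            self.rcpt_to.append(_addr(arg))
            return b"250 OK\r\n"
        if verb == b"DATA":
            if not self.rcpt_to:
                return b"554 no valid recipients\r\n"
            self.in_data = True
            return b"354 end data with <CR><LF>.<CR><LF>\r\n"
        if verb == b"RSET":
            self._reset()
            return b"250 OK\r\n"
        if verb == b"NOOP":
            return b"250 OK\r\n"
        if verb == b"QUIT":
            self.closed = True
            return b"221 bye\r\n"
        return b"502 command not implemented\r\n"

    def _data_line(self, line: bytes) -> bytes:
        if line == b".\r\n":
            cap = Capture(self.peer, self.helo, self.mail_from,
                          list(self.rcpt_to), b"".join(self._body))
            self.archive.append(cap)  # archive only; no delivery attempt
            self._queued += 1
            self._reset()
            return b"250 OK queued as %d\r\n" % self._queued
        if line.startswith(b".."):
            line = line[1:]  # undo RFC 5321 dot-stuffing
        self._body.append(line)
        return b""  # no reply while inside DATA


def run_session(peer: str, client_lines: List[bytes]) -> Tuple[List[bytes], List[Capture]]:
    """Replay a client transcript through a fresh sink; returns (replies, archive)."""
    sink = SmtpSink(peer)
    replies = [sink.greeting()]
    for line in client_lines:
        reply = sink.feed(line)
        if reply:
            replies.append(reply)
        if sink.closed:
            break
    return replies, sink.archive


# Constructed transcript of what a relay scanner might send (not real traffic).
SAMPLE_SESSION = [
    b"EHLO spam-host.example\r\n",
    b"MAIL FROM:<bounce@example.net>\r\n",
    b"RCPT TO:<victim1@example.org>\r\n",
    b"RCPT TO:<victim2@example.com>\r\n",
    b"DATA\r\n",
    b"Subject: test relay\r\n",
    b"\r\n",
    b"..leading dot line\r\n",
    b"body\r\n",
    b".\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    replies, archive = run_session("203.0.113.7", SAMPLE_SESSION)
    for cap in archive:
        print(cap.peer, cap.helo, cap.mail_from, cap.rcpt_to, cap.data)
```

To run it against live traffic you would wrap `SmtpSink` in a socket server on port 25, feeding each received line to `feed()` and writing back whatever it returns; the state machine itself has no network dependency, which is what makes it safe to test offline and impossible for an abuser to turn into a real relay.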
