Date: Fri, 6 Aug 2004 14:09:01 -0400 (EDT)
From: John K Lerchey <lerchey@andrew.cmu.edu>
To: nanog@merit.edu
Subject: Research - Valid Data Gathering vs Annoying OthersHi NANOG folks,
We have a situation (which has come up in the past) that I'd like some
opinions on.
[[.. $ mount /dev/soapbox # you have been warned. ..]]
Periodically, we have researchers who develop projects which will do
things like randomly port probe off-campus addresses. The most recent
instance of this is a group studying "bottlenecks" on the internet. Thus,
they hit hosts (again, semi-randomly) on both the commodity internet and
on I2 (abeline) to look for places where there is "traffic congestion".The problem is that many of their "random targets" consider the probes to
be either malicious in nature, or outright attacks.
Why not? "Their network, *THEIR* rules."
*HOW* is one supposed to tell a 'benign' probe from a 'hostile' one,
when it is addressed to a machine that doesn't exist, or to a 'service'
that doesn't exist on an existant machine?
With all the 'overtly hostile' traffic out there, why on earth would anyone
consider that, with regard to 'unexpected'/'abnormal' traffic, there should
be _any_ 'expectation of innocence'?
Surely you don't think that the 'recipient' needs to do a _complete_analysis_
of "what was being attempted, and why" -- including making a determination of
the 'intentions' of the perpetrator -- for -every- 'unauthorized' attempt
to use their network, before complaining about the fact of an attempt at
'unauthorized use'?
I have a very _simple_ rule -- if it isn't intended for a service I make
available, on a machine I let the world have access to, then it is, _by_
definition_, an attempt to access that machine 'without authorization, or
in excess of the authorization granted'. Because the -only- 'authorized
use is those things whiich I expressly let past my firewall. Ergo, if
the firewall blocks it, it _IS_ an 'unauthorized access' attempt.
Whereupon, 18 USC 1030 (b), becomes *very* relevant, given the language
of 18 USC (a) (2) (C). The minimum penalty is 'up to a year imprisonment'.
given any 'extenuating circumstances' and it could be up to 20 years.
On my _personal_ network, at home (a /29 -- big wow:), I currently see
well over FIFTEEN THOUSAND unauthorized probes per day. Of those, a
*maximum* of 1-in-four-thousand *might* "possibly" be legitimate.
I give people the 'benefit of the doubt', and assume that these probes
are coming from virus-infected (unbeknownst to the owner) machines, rather
than 'deliberate, with malice aforethought' hacking attempts by the machine's
owner.
HOWEVER, that notwithstanding, *EVERY*ONE* gets reported to the responsible
_network_operator_ -- as an 'apparent virus-infected machine on your network',
With the relevant supporting documentation, and a simple request that the
machine be disabled from external network access until it has been sterilized
and secured against further infection.
The reporting is mostly to help the other operators keep _their_ networks
clean. And to get those machines off-line -- so that they cannot infect
other 'unprotected' machines. I'm confident _my_ network is adequately
protected. <grin>
Note: I "don't care" _what_ the 'name' of the machine is -- I don't even
check for rDNS, I look up the registered netblock _owner_ of the IP address,
at the RIR. And THAT is where the complaint reports go.
As a result of this,
we, of course, get complaints.
Deservedly so.
One suggestion that I received fro a co-worker to help to mitigate this is
to have the researchers run the experiments off of a www host, and to have
the default page explain the experiment and also provide contact info.
People are supposed to 'take it on faith' that what the website _says_ about
what is going on _is_ what is *actually* happening?
I hope you don't mind if I laugh -- Computerized 'social engineering', in
an attempt to deflect complaints, _is_ a humorous concept.
Do you *really* think that anybody is going to bother to go look to see
_what_ the source system 'claims' is the reason it is doing what it is
doing?
If the traffic isn't a webserver _response_, then the fact that it comes
from a machine named 'www.{something}' just means that something *unrelated*
to the webserver is also running on that machine. And, therefore, no reason
to believe that the webserver at that (coincidentally same) address would
have any information whatsoever about the 'offensive' behavior observed.)
I wouldn't even know *IF* an 'offending' machine had such a name. I don't
do rDNS look-ups on any of the addresses I send complaints off about.
We also discussed having the researchers contact ISPs and other large
providers to see if they can get permission to use addresses in their
space as targets, and then providing the ISPs with info from the testing.
This is one of two _good_ approaches. "Get Permission. *FIRST*"
How do you view the issue of experiments that probe random sites? Should
this be accepted as "reasonable", or should it be disallowed? Something
in between?
"Private property is *private* property." The Internet consists
*exclusively* of private property. those who own the property get to
make the rules for -their- property. What 'everybody else' thinks are
'appropriate' rules is immaterial to how they run -their- property. (Well,
except that if 'everybody else' doesnt like the way you run your property,
they *are* free to choose to not let you visit _their_ property. 
If _I_ say that thus-and-such is an 'objectionable use' of *my* property,
nobody, but *nobody*, has any standing to contradict me.
Virtually _every_ AUP says that 'your' use of 'foreign' networks is subject
to what _they_ (the foreign netowrk operator) deems to be 'acceptable' use
of *their* network.
The fact that complaints _are_ being generated is *proof* that they do not
think that such is 'acceptable use'. And that, therefore, the perpetrators
(despite 'good intentions') *ARE*, in all liklihood, in violation of _their_
_own_ TOS/AUP.
What other suggestions might you have about how such experiments could be
run without triggering alarms?
That is *easy*. TRIVIALLY EASY. _rent_ a node on those foreign networks.
run probes _to_ the hosts *you* control. (This is the second good approach:
"Buy access.")
Voila! "No problem."
From a pure philosophical standpoint, 'random testing' is no different
than "spamming". Both rely on the use of "other people's resources",
*WITHOUT* the consent/permission of those other people, and covering the
costs of the resources involved.
Since the 'testee' is paying for fully half of the costs of the testing,
they must be consulted _in_advance_.
If you want to claim that the testing "isn't wrong" because it only costs
any testee an 'insignificant' amount, You better be prepared to accept
all the traffic from the spammers who use exactly the same 'defense'.
Executive summary:
Method of choice: "Get Permission. *FIRST*."
If that fails, try: "Buy Access."
If =that= fails, then "Don't Do it!"
