
Valdis.Kletnieks@vt.edu wrote:
On Tue, 15 Feb 2000 16:03:49 EST, Steve Sobol said:
<IANAL> The blocking issue is BS. Make the customers... all customers, dialup AND dedicated... sign something that says that they will agree to the AUP and Terms of Service, and specify that traffic will be filtered for security reasons. </IANAL>
The problem here is that although IANAL either, and YANAL, you WILL need one to craft an AUP and rules that will work, in spite of users.
Yup.
First thing to remember: The traffic we *want* to stop is the payload traffic of the DDOS system, which in general is NOT filterable. Fortunately, at the current time the *control* traffic is identifiable and filterable in most cases.
Second thing to remember: The traffic is being generated by machines that are subverted - and the cracker didn't sign your AUP. You can't code "I will not allow my machine to be subverted" in the AUP, because it's unenforceable.
Someone replied just earlier today, and I don't think the reply has made it to all of the list recipients yet... they said that it is still a good idea to include language to protect yourself from people attempting to use your network to initiate DOS, whether singly or as part of a DDOS attack. I think that that's really a no-brainer. I don't own my own dialups, but I own a server that I use to offer Unix shell services, so this is a big issue for me (and I do offer dialup access, and I need to be sure that my AUP/TOS is strong enough that if someone violates the dialup provider's AUP/TOS they're also violating mine, and I can nuke their account).
Third thing to remember: Users can be incredibly stupid.
I'm fully aware of that fact, having done tech support for the past five years.
those that it's an issue. If we advertise a system/network change, and then cancel at the last minute, we will still get calls about the change breaking things. Warn your help desk, as they WILL get calls about how the (high-visibility) "filtering broke my Netscape". ;)
Right. Well, in general, I operate on the premise that the customer is always right; however, there are only so many warnings I can give them before I actually have to make the change. If people refuse to listen to me, what am I supposed to do? The best thing to do is to archive the mail you send to the customer mailing list announcing the changes, and if someone complains, point them to the archive and say "there, this is when I first told you it was going to happen, please pay attention next time."
Fourth thing to remember: Even if the user signs a form saying that traffic will be filtered for security reasons, they *will* either sue
Let me put forth a suggestion. When crafting my Acceptable Use Policy some time ago, I turned to the people I know on the anti-spam mailing lists and on news.admin.net-abuse.email because I wanted to do as much as I possibly could to make it very painful for spammers to use me to send spam. I want to do the same thing here. Let's come up with a standard AUP that is worded strongly enough that we'll be able to protect ourselves.
I think that a discussion of AUPs is only quasi-operational, at best, and therefore, if we decide that it's not really on-topic for NANOG I'll set up a mailing list on my server.
Thoughts? Would anyone actually participate in a discussion like this?
--
North Shore Technologies, Cleveland, OH http://NorthShoreTechnologies.net
Steve Sobol, President, Chief Website Architect and Janitor
sjsobol@NorthShoreTechnologies.net - 888.480.4NET - 216.619.2NET