On Sun, 13 Aug 2006 10:44:03 CDT, "J. Oquendo" said:
Watch the flows, block the users from communicating out to them. Watch these users and see where else they are communicating in comparison to other users, en-masse.
Breaking laws here if you ask me. Watching flows. Isn't this an illegal wiretap?
IANAL, so ask somebody who is if the answer matters... but by my reading, 18 USC 2511 (2)(a)(1) says you're off the hook on that one, for the cases that a NANOG reader would care about: "it shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks." I read the last few lines as saying "It's not OK to go targeting Joe Sixpack's flows, but it *is* OK to run an IDS or similar system that triggers whenever a DDoS or other similar 'detrimental to your service quality' event happens." You're allowed to protect your network, and you're allowed to do monitoring for "service quality control". I however *also* read that as meaning that once you've identified a specific customer, you need to be careful to *only* target data that's identifiable as being a service quality issue - if it's doing DDoS stuff on port 7703, that doesn't extend to their SMTP traffic. (Of course, if they're also spewing spam at line speed at the same time, that's another story...)
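The scoping rule described in the reply above (let the monitor trigger on the service-impacting event, then retain and act on only the flows that make up that event, leaving the same customer's unrelated traffic alone) as an added Python example. This is not code from the thread or from any NANOG participant; the flow records, the destination port, the packet threshold and every address in it are constructed for illustration.

```python
"""Scoped flow monitoring: flag sources whose traffic to one (proto, dport)
crosses a volume threshold, then keep and block only the flows that belong to
that event. Other flows from the same source (e.g. its SMTP) are not retained."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    packets: int


# Constructed sample flow records (not real data). 10.0.0.5 floods UDP/7703
# toward one target while also sending ordinary mail; 10.0.0.9 is a normal user.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", "udp", 7703, 40000),
    Flow("10.0.0.5", "198.51.100.7", "udp", 7703, 38000),
    Flow("10.0.0.5", "203.0.113.25", "tcp", 25, 120),
    Flow("10.0.0.9", "198.51.100.7", "udp", 7703, 12),
    Flow("10.0.0.9", "203.0.113.80", "tcp", 443, 300),
]

# Assumed per-source packet threshold for one collection interval (tunable).
PACKET_THRESHOLD = 50000


def detect_flood_sources(flows, threshold=PACKET_THRESHOLD):
    """Return {src: {(proto, dport), ...}} for every source whose aggregate
    packet count toward a single (proto, dport) exceeds the threshold.
    Per-customer traffic is never inspected beyond these aggregate counters."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.proto, f.dport)] += f.packets
    hits = defaultdict(set)
    for (src, proto, dport), count in totals.items():
        if count > threshold:
            hits[src].add((proto, dport))
    return dict(hits)


def scope_flows(flows, hits):
    """Keep only flows that match a detected event on BOTH source and
    (proto, dport). A flagged source's other traffic is dropped from scope."""
    return [f for f in flows if (f.proto, f.dport) in hits.get(f.src, set())]


def block_rules(scoped_flows):
    """Derive minimal block tuples (src, dst, proto, dport) from the scoped
    flows, so the block is as narrow as the event that justified it."""
    return sorted({(f.src, f.dst, f.proto, f.dport) for f in scoped_flows})


def analyze(flows):
    """Run detection, scoping and rule derivation over one batch of flows."""
    hits = detect_flood_sources(flows)
    scoped = scope_flows(flows, hits)
    return hits, scoped, block_rules(scoped)


if __name__ == "__main__":
    hits, scoped, rules = analyze(SAMPLE_FLOWS)
    print("flagged sources:", hits)
    print("flows retained for the event:", len(scoped))
    for rule in rules:
        print("block:", rule)
```

On the constructed input the only flagged source is 10.0.0.5 on UDP/7703; its SMTP flow to 203.0.113.25 is neither retained nor blocked, and 10.0.0.9's small UDP/7703 flow stays below threshold, so the resulting block tuple covers just the flood.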