Re: Fwd: Re: Digital Island sponsors DoS attempt
..., the broader standard of "unwelcome" is more widely applicable than the narrow standard of "illegal."
This is where we arrive at "Acceptable Use", which is why it is required. But these policies need to be propogated and enforced at smaller points of intervention.
That's vaporware at the moment. Until it's realized, senders must follow a universal standard for determining whether their traffic will be welcomed by receivers and intermediate systems whose AUP's aren't published in a mechanised form and with whom the sender has no direct relationship, or contract, or terms of service. And unlike a direct relationship where it's safe to simply enumerate the things which mustn't be done and then assert that, subject to revision of that list, everything else is OK; in the indirect, transitive case where the recipient is distant and their policy isn't known, it's only safe to err on the side of extreme politeness: send what you know to be welcome, and hold onto the rest.
On Fri, Oct 26, 2001 at 01:01:04AM -0700, Paul A Vixie wrote:
That's vaporware at the moment. Until it's realized, senders must follow a universal standard for determining whether their traffic will be welcomed by receivers and intermediate systems whose AUP's aren't published in a mechanised form and with whom the sender has no direct relationship, or contract, or terms of service.
The burden is on the sender? We'd better all turn off our hosts. The sender (and in many cases the receiver as well) have no method to verify all intermediate systems. The range of unwritten grey is also huge. Consider: 1) If I request a web page without first asking permission, is that wrong? 1a) If I then immediately reload it fetching it twice, is that wrong? 1b) If I wget the whole site, is that wrong? 1c) wget it once an hour? 1d) Request web pages as fast as my system allows? 2) If I send e-mail to someone@pobox.com containing a picture of people in the office, which includes some women, and it happens to forward to a server in Afghanistan where women can't be seen without their face covered, is it my fault? 3) If someone wget's my web server downloading several hundred megs and I decide then to send a single ping back, and do a single DNS lookup, is that wrong? 3a) I ping every host in their netblock once, is that wrong? 3b) I leave a standard once-a-second ping running for a day to check them out? 3c) I flood ping them from all my hosts as fast as I can? There is a long legal tradition in civil life that if you don't want someone to do something, you must give them notice. Put a sign that says 'no solicitations' on your door, and if someone rings your doorbell to sell you something then you have a legitimate complaint. If you hang no such sign, or if you put it on your back door when everyone comes up to your front door then you have no complaint, and your recourse is to ask them to leave. For the more serious events, there is criminal law preventing them from bringing 200 people to your door (an illegal gathering) and the like. The networking world is similar. Put up a web server and you can't complain about someone downloading your web page once. Put up a host, and someone pings you a small number of times, you can't complain either. Make the front page of your web site say 'unauthorized access prohibited' and then someone gets the front page and continues to spider the whole site, and you might have a claim. If you filter pings, and someone still sends tons of them your way, and you might have a claim. If someone SMURF floods you that's a criminal matter as an attack, regardless. Also important is the notion of transaction, which seems to have been lost in this discussion. If a user requests a web page it is quite possible that the web server may attempt to use a mechanism other than HTTP to communicate with the client. In the simple example, consider a web server that for each page downloaded pings the client once and uses that data to improve the client experience. In my opinion, that ping is part of the transaction of getting the web page that the user requested, and as such cannot be considered abusive. This is particularly true when the volume is high. I've seen queries before from sites hosting thousands of users accessing popular sites who complain that the site then sends back a couple of hundred pings. It amazes me that people think the Internet is going to be different than the real world. I don't know about the rest of the people on here, but I get my share of telephone soliciter and junk mail even with using some of the junkbusters techniques. It's legal, and the way the world works. The same thing happens in cyberspace. When I receive the e-mail about how someone's IDS caught a user sending a single traceroute to their site I have to wonder how this person has so much free time as to investigate such things. If you connect to the net you will get pinged from time to time. Someone may traceroute to you. Heck, they might try to get a web page from you. If you don't like it, block it. If they only try once or twice and then go away, don't complain about it. They came up, read the 'sign' as it were, and went away. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
1) If I request a web page without first asking permission, is that wrong?
Is this a public page ? Are you trying to download my corporate directory?
1a) If I then immediately reload it fetching it twice, is that wrong?
Were you authorized to get it (if yes, then fetch away).
1b) If I wget the whole site, is that wrong?
Sure is, I've given you no right to pull down my site. Copyright law rules here (depending on what the copyright of the site is).
1c) wget it once an hour?
You'll show up in my traffic logs, expect to be ACL'd.
1d) Request web pages as fast as my system allows?
If you're legitimately surfing, sure, if not, ACL once again.
2) If I send e-mail to someone@pobox.com containing a picture of people in the office, which includes some women, and it happens to forward to a server in Afghanistan where women can't be seen without their face covered, is it my fault?
They are not allowed to use the Internet in any case.
3) If someone wget's my web server downloading several hundred megs and I decide then to send a single ping back, and do a single DNS lookup, is that wrong?
Sure is, they have not authorized you to send such traffic. I've been downloading data from your web page, there is no reason for you to send ICMP traffic my way (one ICMP packet is one end of the extreme).
3a) I ping every host in their netblock once, is that wrong?
You bet ! I've given you no right to do so!
3b) I leave a standard once-a-second ping running for a day to check them out?
I will ACL you and possibly complain to your upstream for abuse.
3c) I flood ping them from all my hosts as fast as I can?
See 3b above.
There is a long legal tradition in civil life that if you don't want someone to do something, you must give them notice. Put a
I don't need to tell anyone that they may not enter my hope and park their arse on my sofa. The also cannot start walking through my house and opening doors to see which rooms are occupied. I'd love to see someone take portscannig and probing and use tresspass or break and enter laws to prosecute. Probing and scanning has a place, the discression as to what is allowed must be from the receiving end. You have no right to decide what traffic my network is to receive.
The networking world is similar. Put up a web server and you can't complain about someone downloading your web page once. Put up a host, and someone pings you a small number of times, you can't complain either. Make the front page of your web site say
Why not ! I have not authorized you to probe my network ! Does your proposal scale ? What if I want to ping every host on the @Home network 100 times in a day (ooops thats 350 million ICMP packets that enter your network, is it a problem NOW?).
'unauthorized access prohibited' and then someone gets the front page and continues to spider the whole site, and you might have a claim. If you filter pings, and someone still sends tons of them your way, and you might have a claim. If someone SMURF floods you that's a criminal matter as an attack, regardless.
Where is the line drawn between a SMURF and a legitimate probe ? Who gets to draw the line ,the sender, I think not!
Also important is the notion of transaction, which seems to have been lost in this discussion. If a user requests a web page it is quite possible that the web server may attempt to use a mechanism other than HTTP to communicate with the client. In the simple example, consider a web server that for each page downloaded pings the client once and uses that data to improve the client experience. In my opinion, that ping is part of the transaction of getting the web page that the user requested, and as such cannot be considered abusive. This is particularly true when the volume is high. I've seen queries before from sites hosting thousands of users accessing popular sites who complain that the site then sends back a couple of hundred pings.
I know of no standard that incorporates ICMP probes with HTTP transfers. If I ask for HTTP data, thats all that I expect, nothing less, nothing more. I am not opposed to such a standard, but am opposed to people trying such schemes without my knowledge or permission.
person has so much free time as to investigate such things. If you connect to the net you will get pinged from time to time. Someone may traceroute to you. Heck, they might try to get a web page from you. If you don't like it, block it. If they only try once or twice and then go away, don't complain about it. They came up, read the 'sign' as it were, and went away.
I've got much better things to do than enter millions of hosts into an ACL. If one had to block all this traffic, routers would need hundreds of CPUs and Terabytes of memory (going through an ACL that is thousands of lines long takes a lot of power).
On Fri, 26 Oct 2001 12:44:57 EDT, Wojtek Zlobicki <wojtekz@idirect.com> said:
3) If someone wget's my web server downloading several hundred megs and I decide then to send a single ping back, and do a single DNS lookup, is that wrong? Sure is, they have not authorized you to send such traffic. I've been downloading data from your web page, there is no reason for you to send ICMP traffic my way (one ICMP packet is one end of the extreme).
ICMP host/net/port unreachable, anybody? How about TCP ECN packets?
On Fri, 26 Oct 2001, Wojtek Zlobicki wrote:
Sure is, they have not authorized you to send such traffic. I've been downloading data from your web page, there is no reason for you to send ICMP traffic my way (one ICMP packet is one end of the extreme).
3a) I ping every host in their netblock once, is that wrong?
You bet ! I've given you no right to do so!
Think of it as freedom of speech. I can say whatever I like, and you have the option of listening. ICMP is a standard protocol I can use to solicit packet responses from hosts on the Internet. Until that changes, people will be sending you ICMP packets, and lots of them.
I will ACL you and possibly complain to your upstream for abuse.
Have mercy.
I don't need to tell anyone that they may not enter my hope and park their arse on my sofa. The also cannot start walking through my house and opening doors to see which rooms are occupied. I'd love to see someone take portscannig and probing and use tresspass or break and enter laws to prosecute.
An analogy - how clever. But wait, your home is private property, and your network is a public-access system. I can park my car in front of your house, and my dog can crap by your mailbox.
Why not ! I have not authorized you to probe my network ! Does your proposal scale ? What if I want to ping every host on the @Home network 100 times in a day (ooops thats 350 million ICMP packets that enter your network, is it a problem NOW?).
Nothing to my knowledge is preventing you from sending ICMP echo requests to every host on the @Home network 100 times a day. There would be little they could do about it, other than politely ask you to stop, or filter you.
Where is the line drawn between a SMURF and a legitimate probe ? Who gets to draw the line ,the sender, I think not!
A smurf is an intentional denial of service, an ICMP echo request is not.
I know of no standard that incorporates ICMP probes with HTTP transfers. If I ask for HTTP data, thats all that I expect, nothing less, nothing more. I am not opposed to such a standard, but am opposed to people trying such schemes without my knowledge or permission.
Yes they can. Its a Free Internet (tm).
I've got much better things to do than enter millions of hosts into an ACL. If one had to block all this traffic, routers would need hundreds of CPUs and Terabytes of memory (going through an ACL that is thousands of lines long takes a lot of power).
You might consider upgrading your IOS, it looks like you are going to need it.
At 12:44 -0400 2001-10-26, Wojtek Zlobicki wrote:
1b) If I wget the whole site, is that wrong?
Sure is, I've given you no right to pull down my site. Copyright law rules here (depending on what the copyright of the site is).
Yes, copyright law applies. But how is using wget to get the whole site different to me navigating the whole site... rights based on user agents? Hmm.
1c) wget it once an hour?
You'll show up in my traffic logs, expect to be ACL'd.
wget on the whole site, yes, probably not nice. wget on a single page?
1d) Request web pages as fast as my system allows?
If you're legitimately surfing, sure, if not, ACL once again.
How do you detect "legitimately surfind"?
Also important is the notion of transaction, which seems to have been lost in this discussion. If a user requests a web page it is quite possible that the web server may attempt to use a mechanism other than HTTP to communicate with the client. In the simple example, consider a web server that for each page downloaded pings the client once and uses that data to improve the client experience. In my opinion, that ping is part of the transaction of getting the web page that the user requested, and as such cannot be considered abusive. This is particularly true when the volume is high. I've seen queries before from sites hosting thousands of users accessing popular sites who complain that the site then sends back a couple of hundred pings.
I know of no standard that incorporates ICMP probes with HTTP transfers. If I ask for HTTP data, thats all that I expect, nothing less, nothing more. I am not opposed to such a standard, but am opposed to people trying such schemes without my knowledge or permission.
Funny, I seem to recall that the default for CERN and NCSA httpd's (yes, I know, years old) was to send an ident request back to the requesting host. If memory serves it's also trivially simple (and painfully dumb in most cases these days) to configure Apache to do so. Am I right to assume that doing a reverse lookup on the requesting host is also bad? I'm not aware of any standard that states that's acceptable either... --
Am I right to assume that doing a reverse lookup on the requesting host is also bad? I'm not aware of any standard that states that's acceptable either...
This will hit my DNS server and not the end host. I would not consider a reverse lookup very intrusive.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I've got much better things to do than enter millions of hosts into an ACL. If one had to block all this traffic, routers would need hundreds of CPUs and Terabytes of memory (going through an ACL that is thousands of lines long takes a lot of power).
Then you admit that your solution scales no better than the alternative. I guess we should just pull the plug then, this Internet idea is obviously too advanced for mere mortals.
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBO9mex0ksS4VV8BvHEQLJzgCgow9qpBaBakgALo7AFTYOW952SYYAoIZ2 Q0mSnUCSD24KYV3bn/eS0AZ+ =/hGU -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
And unlike a direct relationship where it's safe to simply enumerate the things which mustn't be done and then assert that, subject to revision of that list, everything else is OK; in the indirect, transitive case where the recipient is distant and their policy isn't known, it's only safe to err on the side of extreme politeness: send what you know to be welcome, and hold onto the rest.
What if everyone followed your principle? Digital Island and Akamai, Caida, the Internet Weather report, and lots of other stuff (including spam) simply could not exist. It is not practical to ask everyone permission before proceeding. The only practical position to take is to proceed until someone complains, and stop probing them when they do. Your position places an unfair burden on the sender. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBO9mYO0ksS4VV8BvHEQKMzwCfdULBmzam4+KDKmMH0P6UQGCjtQYAoOWo crRaY9QeuR2Psy+2e/wBmDsx =fkUk -----END PGP SIGNATURE-----
participants (7)
-
Ian Cooper
-
James Thomason
-
Leo Bicknell
-
Mike Batchelor
-
Paul A Vixie
-
Valdis.Kletnieks@vt.edu
-
Wojtek Zlobicki