[e2e] probing and laws (where can i find an ip or host address
list?)
Jon Crowcroft
Jon.Crowcroft at cl.cam.ac.uk
Sat Oct 16 04:12:23 PDT 2004
so we have been working with various folks to try to see if its possible to define a
"code of practice" for large scale network measurements that involve active traffic
personally, i dont give two hoots about the discussions in this forum about legality - believe me we talke to
_lawyers_ (so did anyone who has in the last 5 or more years run large scale measurement experiments, and got
cease and desist letters sent to their organisations boss by some legal nono in the "target" organisation typically
semi-automatically triggered by poorly configured IDS, and often not even realising that there is an international
dimension to the jurisdictional point (pretty amusing someone telling me in cambridge, running a ping from a
planetlab in brasil, that I am "breaking laws in idaho" for example - so thats really going to affect me if I am a
bad guy now isnt it?)
but, if you run large scale experiments, you hit a much higher level of perfectly legitimate (correctly configured)
IDS alarm levels to do with the traffic +pattern+ you create being anomalous, and often starting to ressemble some
of the zombine exploit and other relatively low rate, but large address space scan behaviours that we are starting
to udnerstand and program into our defenses.
so it behoves us, as good network citezens to think up a way that we can continue to do live research on live
networks - one STRONG argument in favour of this is that at the very least, we need to do it, just to TEST new
distributed IDS algorithms!
meanwhile the ideas we have are a sort of CERT model - a registry of _good guys_, where one lists the systems one is
probing from, the algorithms used to do the probe and choose destinations, and a set of contacts for getting more
details (including legal ones, as well as very rapid response for example to remove addresses of extra-sensitive
sites from any possible target - this latter is vital as there is no one-size-fits-all rule, (see above just for
jurisdiciton, but also policy, social behaviour, and so forth - sometimes just old IDSs that cannot be re-programmed
etc etc)
another track in this direction is to talk about ways to exchange data between the IDSs, so we can get a better
global/distributed view of what is going on "out there" as this will also help figure out improving our defenses,
but passively, rather than actively, therefore less annoying to over-senstive folks! (of course, the inter-IDS
exchange traffic itself could itself be construed a problem by some people - sigh)...
one _very important_ thing we were told by a LOT of ops people was
have a whois entry that points at people AND a website with LOTS of contact info and descriptions of what your
organisation does and why and who to reach for each type of thing....and have those people _all_ aware ahead of time
that you are doing it....
even so, you will get a tour of interesting world wide socio-litiguous behavioural norms and exceptions beyond your
wildest dreams so enjoy
cheers
j.
its fun to exchange horror stories about the sorts of daft communications one does get from paranoid sys-admins and
operators - my favourite recently was someone who told us to go away as we were breaking the misuse of computer law
(a uk law) - he was in another country (not clear it applies, but not relevant), but most amusing he sent us all his
log files to "prove" what we were doing including ps auxww listings from all his unix servers - had i been a bad
guy, that might have been rather useful:-) - had i been his boss, it might have been a career limiting move...
More information about the end2end-interest
mailing list