Fwd: Re: Digital Island sponsors DoS attempt

Leo Bicknell bicknell at ufp.org
Fri Oct 26 14:03:35 UTC 2001


On Fri, Oct 26, 2001 at 01:01:04AM -0700, Paul A Vixie wrote:
> That's vaporware at the moment.  Until it's realized, senders must follow a
> universal standard for determining whether their traffic will be welcomed
> by receivers and intermediate systems whose AUP's aren't published in a
> mechanised form and with whom the sender has no direct relationship, or
> contract, or terms of service.

The burden is on the sender?  We'd better all turn off our hosts.
The sender (and in many cases the receiver as well) has no method
to verify all intermediate systems.  The range of unwritten grey
is also huge.  Consider:

1) If I request a web page without first asking permission, is that
   wrong?

1a) If I then immediately reload it fetching it twice, is that
    wrong?

1b) If I wget the whole site, is that wrong?

1c) wget it once an hour?

1d) Request web pages as fast as my system allows?

2) If I send e-mail to someone at pobox.com containing a picture of
   people in the office, which includes some women, and it happens
   to forward to a server in Afghanistan where women can't be seen
   without their face covered, is it my fault?

3) If someone wgets my web server downloading several hundred megs
   and I decide then to send a single ping back, and do a single
   DNS lookup, is that wrong?

3a) I ping every host in their netblock once, is that wrong?

3b) I leave a standard once-a-second ping running for a day to
    check them out?

3c) I flood ping them from all my hosts as fast as I can?

There is a long legal tradition in civil life that if you don't
want someone to do something, you must give them notice.  Put a
sign that says 'no solicitations' on your door, and if someone
rings your doorbell to sell you something then you have a legitimate
complaint.  If you hang no such sign, or if you put it on your back
door when everyone comes up to your front door then you have no
complaint, and your recourse is to ask them to leave.  For the more
serious events, there is criminal law preventing them from bringing
200 people to your door (an illegal gathering) and the like.

The networking world is similar.  Put up a web server and you can't
complain about someone downloading your web page once.  Put up a
host, and someone pings you a small number of times, you can't
complain either.  Make the front page of your web site say
'unauthorized access prohibited' and then someone gets the front
page and continues to spider the whole site, and you might have a
claim.  If you filter pings, and someone still sends tons of them
your way, you might have a claim.  If someone SMURF floods you
that's a criminal matter as an attack, regardless.

Also important is the notion of transaction, which seems to have
been lost in this discussion.  If a user requests a web page it is
quite possible that the web server may attempt to use a mechanism
other than HTTP to communicate with the client.  In the simple
example, consider a web server that for each page downloaded pings
the client once and uses that data to improve the client experience.
In my opinion, that ping is part of the transaction of getting the
web page that the user requested, and as such cannot be considered
abusive.  This is particularly true when the volume is high.  I've
seen queries before from sites hosting thousands of users accessing
popular sites who complain that the site then sends back a couple
of hundred pings.

It amazes me that people think the Internet is going to be different
than the real world.  I don't know about the rest of the people on
here, but I get my share of telephone solicitors and junk mail even
when using some of the junkbusters techniques.  It's legal, and
the way the world works.  The same thing happens in cyberspace.
When I receive the e-mail about how someone's IDS caught a user
sending a single traceroute to their site I have to wonder how this
person has so much free time as to investigate such things.  If
you connect to the net you will get pinged from time to time.
Someone may traceroute to you.  Heck, they might try to get a web
page from you.  If you don't like it, block it.  If they only try
once or twice and then go away, don't complain about it.  They came
up, read the 'sign' as it were, and went away.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org
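The triage rule the post argues for, as an added example that is not part of Leo Bicknell's message or of any NANOG tooling: an IDS-side filter that ignores a source which probes once or twice and goes away, keeps an eye on a persistent but low-rate pinger, and only escalates a flood. The log format, the window and threshold values, and the addresses (RFC 5737 documentation ranges) are all assumptions chosen for illustration, and the log lines are constructed, not captured traffic.

```python
"""Threshold-based probe triage over a constructed packet log.

Added example; not code from the original post.  The log format,
thresholds and addresses below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window for the rate check
FLOOD_RATE = 100                # assumed: >100 probes in any 60 s window is a flood
QUIET_TOTAL = 5                 # assumed: <=5 probes total is "tried once or twice"


def build_sample_log():
    """Construct log lines (ISO time, source, probe kind).  Not real traffic."""
    base = datetime(2001, 10, 26, 13, 0, 0)
    lines = []
    # A one-off look: two pings and a traceroute, then silence.
    for i, kind in enumerate(["icmp-echo", "icmp-echo", "udp-traceroute"]):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 {kind}")
    # A once-a-second ping sustained for three minutes.
    for i in range(180):
        ts = base + timedelta(minutes=10, seconds=i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 icmp-echo")
    # A flood: 400 echo requests within ten seconds (40 per second).
    for i in range(400):
        ts = base + timedelta(minutes=20, seconds=i // 40)
        lines.append(f"{ts.isoformat()} 203.0.113.5 icmp-echo")
    return lines


def parse(line):
    """Split one log line into (timestamp, source, kind)."""
    ts, src, kind = line.split(" ", 2)
    return datetime.fromisoformat(ts), src, kind


def max_in_window(times, window=WINDOW):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def triage(lines):
    """Map each source address to a verdict: ignore, watch or flood."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, _kind = parse(line)
        per_src[src].append(ts)
    verdicts = {}
    for src, times in per_src.items():
        if len(times) <= QUIET_TOTAL:
            verdicts[src] = "ignore"   # read the sign and went away: no alert
        elif max_in_window(times) > FLOOD_RATE:
            verdicts[src] = "flood"    # sustained high rate: filter and escalate
        else:
            verdicts[src] = "watch"    # persistent but low rate: filter, no complaint yet
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(triage(build_sample_log()).items()):
        print(f"{src:15} {verdict}")
```

The point of the two separate thresholds is that volume alone is not the test: the once-a-second pinger never crosses the flood rate but never goes away either, so it gets filtered without an alert, while the source that sent three packets and left produces nothing for a human to read.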



More information about the NANOG mailing list