[91826] in North American Network Operators' Group


Re: [Full-disclosure] what can be done with botnet C&C's?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Aug 14 12:28:41 2006

To: "J. Oquendo" <sil@infiltrated.net>
Cc: nanog@nanog.org
In-Reply-To: Your message of "Sun, 13 Aug 2006 10:44:03 CDT."
             <20060813154403.GA71505@infiltrated.net>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 14 Aug 2006 12:27:57 -0400
Errors-To: owner-nanog@merit.edu

On Sun, 13 Aug 2006 10:44:03 CDT, "J. Oquendo" said: 
> > Watch the flows, block the users from communicating out to them. Watch
> > these users and see where else they are communicating in comparison to
> > other users, en-masse.
> 
> Breaking laws here if you ask me. Watching flows. Isn't this an illegal
> wiretap?

IANAL, so ask somebody who is if the answer matters... but by my reading,
18 USC 2511 (2)(a)(1) says you're off the hook on that one, for the cases
that a NANOG reader would care about:

"it shall not be unlawful under this chapter for an operator of a
switchboard, or an officer, employee, or agent of a provider of wire
or electronic communication service, whose facilities are used in the
transmission of a wire or electronic communication, to intercept,
disclose, or use that communication in the normal course of his
employment while engaged in any activity which is a necessary incident
to the rendition of his service or to the protection of the rights or
property of the provider of that service, except that a provider of wire
communication service to the public shall not utilize service observing or
random monitoring except for mechanical or service quality control checks."

I read the last few lines as saying "It's not OK to go targeting Joe Sixpack's
flows, but it *is* OK to run an IDS or similar system that triggers whenever
a DDoS or other similar 'detrimental to your service quality' event happens."
You're allowed to protect your network, and you're allowed to do monitoring
for "service quality control".

I however *also* read that as meaning that once you've identified a specific
customer, you need to be careful to *only* target data that's identifiable
as being a service quality issue - if it's doing DDoS stuff on port 7703,
that doesn't extend to their SMTP traffic.  (Of course, if they're also spewing
spam at line speed at the same time, that's another story...)
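The distinction drawn above, an event-triggered detector whose follow-up scope covers only the offending traffic and not the customer's other flows, as an added example that is not part of the original message or the list's code; the flow records and the packet threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not from the original message):
# (src_ip, dst_ip, dst_port, packets). 10.0.0.5 is a hypothetical
# customer flooding port 7703 while also sending ordinary SMTP on port 25.
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 7703, 5000),
    ("10.0.0.5", "192.0.2.11", 7703, 4800),
    ("10.0.0.5", "192.0.2.12", 7703, 5200),
    ("10.0.0.5", "198.51.100.9", 25, 12),
    ("10.0.0.7", "198.51.100.9", 25, 9),
    ("10.0.0.7", "192.0.2.10", 80, 40),
]

PACKET_THRESHOLD = 10000  # hypothetical per (source, port) trigger level

def detect_floods(flows, threshold=PACKET_THRESHOLD):
    """Aggregate packets per (source, destination port) and flag pairs above
    the threshold. The trigger is the event itself, applied uniformly to all
    traffic, not a customer singled out in advance."""
    totals = defaultdict(int)
    for src, _dst, dport, packets in flows:
        totals[(src, dport)] += packets
    return {pair: n for pair, n in totals.items() if n > threshold}

def scoped_filters(alerts):
    """One filter per alert, matching only the offending source's traffic to
    the offending port; everything else that source does stays out of scope."""
    return [{"src": src, "dport": dport} for (src, dport) in alerts]

def flow_in_scope(flow, filters):
    src, _dst, dport, _packets = flow
    return any(f["src"] == src and f["dport"] == dport for f in filters)

def in_scope_flows(flows, filters):
    return [f for f in flows if flow_in_scope(f, filters)]

if __name__ == "__main__":
    filters = scoped_filters(detect_floods(FLOWS))
    for flow in FLOWS:
        print(flow, "in scope" if flow_in_scope(flow, filters) else "out of scope")
```

The three port-7703 flows from 10.0.0.5 are flagged and in scope; its SMTP flow on port 25 is not, even though it comes from the same source.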
