nanog mailing list archives

Re: SIP - perhaps botnet? anyone else seeing this?


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Sat, 11 Apr 2009 12:14:47 -0400

On Fri, 10 Apr 2009 10:20:35 +0000 (GMT)
"Leland E. Vandervort" <leland () taranta discpro org> wrote:




On Fri, 10 Apr 2009, Roland Dobbins wrote:


IANAL, but I suggest you check again with your legal department - I
doubt this is actually the case (your jurisdiction may vary, but in
most Western nations, you can grab packets for diagnostic/
troubleshooting/forensics purposes).

Already did check... we can't grab packets except in response to
judicial order or specific abuse case with a valid ID of the
end-user, or of course for general technical diagnostics -- if for
diagnostics, we cannot use such collected data in the context of only
a suspicion of abuse at all as it would constitute an infringement on
the individual's privacy.  So in short, we can do it REACTIVELY in
response to a complaint.. but if we do it PROACTIVELY, then it cannot
be used and is of "educational" value only (with caveats surrounding
confidentiality, non-disclosure, and destruction, etc.)

You can if the volume is interfering with your own service, I
believe (though IANAL, either) -- see this text from
http://www4.law.cornell.edu/uscode/18/2511.html

        It shall not be unlawful under this chapter for an operator of
        a switchboard, or an officer, employee, or agent of a provider
        of wire or electronic communication service, whose facilities
        are used in the transmission of a wire or electronic
        communication, to intercept, disclose, or use that
        communication in the normal course of his employment while
        engaged in any activity which is a necessary incident to the
        rendition of his service or to the protection of the rights or
        property of the provider of that service, except that a
        provider of wire communication service to the public shall not
        utilize service observing or random monitoring except for
        mechanical or service quality control checks. 

Note carefully that the second part applies to a "provider of wire
communication service", which is a phone company, not an ISP -- ISPs
are providers of "electronic communication service".  (Just to make
life fun -- if you're a VoIP *provider*, you probably fall under both
sections, but if you're just carrying VoIP traffic I don't think you
are).


                --Steve Bellovin, http://www.cs.columbia.edu/~smb

