From: Alistair Tonner <Alistair@nerdnet.ca>
To: SBlaze <dagent.geo@yahoo.com>, Simon Garner <sgarner@expio.co.nz>,
netfilter@lists.netfilter.org
Subject: Re: a sort of n00b question here but I'ld like to know.
Date: Tue, 21 Oct 2003 20:08:37 -0400
Message-ID: <200310212008.37744.Alistair@nerdnet.ca>
In-Reply-To: <20031021181138.49502.qmail@web40202.mail.yahoo.com>
On October 21, 2003 02:11 pm, SBlaze wrote:
> > I agree the response is indeed sad, but I believe that's typical for
> > that sort of forum. Watching the traffic coming in to your router and
> > charting it
> >
> > is NOT any sort of violation of any *rational* AUP. Going farther than
> > that might well be. The average user of cable internet access has little
> > idea of what goes on beyond the screen. I've noted that DSL reports has
> > a few decent
<SNIPPAGE>
> >
>
> This is the section that I am wondering about in Charter's AUP.
>
> 7. NO “HACKING”
>
> Customer will not use, nor allow others to use, the Service to access the
> accounts of others or to attempt to penetrate security measures of the
> Service or other computer systems (“hacking”) or to cause a disruption of
> the Service to other on-line users. Customer will not use, nor allow others
> to use, tools designed for compromising network security, such as
> password-guessing programs, cracking tools, packet sniffers or network
> probing tools.
>
> Wouldn't ntop be considered a "probing" tool?

Welll ... it does incorporate a packet sniffer. At that level,
I can see how you feel that you might be violating AUP
firing it up pointed at your outside connection. However,
despite not being a lawyer, I can point out that the intent of the
section is defined clearly:

No Hacking.

Soooo .... no coding on that there system now, no debugging allowed,
no analysis of bleeding edge source code AT ALL darnit!!!
(sorry old bone of mine)

Intent here is fairly legally clear. Don't go looking for a way to violate
the integrity of the network or the security of any systems attached to the
network. Analyze your bandwidth, but don't retain info that could detail a
method of accessing any other system on the network. I know that it seems a
fine line, but I believe that if you are doing this in the spirit of
analyzing the network traffic to see if YOUR system is a problem, you are
unlikely to have major issues. The individual supposedly from your ISP
that replied (in that other forum) is clearly far from a network security
analyst. I doubt they understand the functionality of a tool like ntop.

I know from past experience in my own co (cough) that we do indeed lock down
IPs that are operating in promiscuous mode, and also IPs that are clearly
and documentably infected with DDOS tools. However, we do NOT automatically
terminate the account based on this behaviour. Frequently the issue is that
the system has been compromised remotely, and the sub is actually as much a
victim as a culprit. Unfortunately this is a two-edged sword, in which some
(cough) people get away with murder.
>
> And getting back to my original reason and question for this post. How
> statistically can you see just how much iptables/netfilter is using of
> system resources?

Got me on that ... I know that with only minimal processing on the firewall
and three winders boxen downstream hammering the net connection, my linux box
is using 0.7% system consistently (AMD Athlon 1500 756mbRam and kernel
2.4.22 iptables 1.2.7a, pom from January)

With my desktop up and running (kde 3.1.2) with xmms and konqueror and
other such things running, and my other half playing Sims online and me
pulling Xfree86 current CVS right now I'm seeing Umm 2.6% system load.
(most likely the sound drivers) -- plus something seems to be searching my
website........hmm -- not google.
(yes ... that's a bad habit... but my desktop is the net connection for the
household... I'm working on that)

On a dual pp 48Mb ram in a colo handling ~~1Gb/day data the system hasn't
broken 0.8% in over two months. (2.4.19, iptables 1.2.7a, no pom, no extras,
boots and runs from cd, logs remotely)

*shrug* ... last time someone decided to ddos my network neighbour in the
colo, I saw some serious load *grin* ... the system usage actually hit 5%, but
I suspect that was the logger more than anything else ... since I was
dropping and logging packets like crazy at the time.

I'm still inclined to say that if you are concerned about the difference
between TCP pings to game servers and the so-called ping time in game
that the issue lies with the game server. I doubt from what you've posted so
far that the local outside network or iptables is causing your problems.
>
> Thanks Everyone
> SBlaze
>
>
> =====
> In the absence of order there will be chaos.
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!