brent timothy saner via plug on 12 Jul 2020 11:32:43 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] Internet Janitors (WAS: VPS Hosting)

On 7/12/20 10:27, Rich Kulawiec via plug wrote:
> On Fri, Jul 10, 2020 at 11:15:58AM -0400, christine via plug wrote:
>> I work at Linode and host all my stuff there would def. recommend ;)
> Linode certainly has a better track record than Digital Ocean, OVH,
> Vultr/Choopa, and other operations that are absolute cesspools.  However,
> there are still chronic issues with outbound abuse/attacks from Linode
> that have not been adequately addressed.  If Linode is serious about
> being a competent/professional operation then that needs to happen.
> (Arguably, it should have already happened: it is the first
> responsibility of every system/network administrator to ensure
> that whatever they're running is not an operational hazard to
> everyone/everything on the Internet.  This responsbility supersedes
> all others at all times.  Anyone who isn't prepared for that, anyone
> who isn't dedicated to that, anyone who can't or won't make that happen
> not only isn't a professional - they're not even a competent amateur.
> They're simply not good enough to run *anything* plugged into the Internet.)
> ---rsk

As someone who's worked in hosting in various forms in the past, I can
tell you platitudes and demands like this are nice, but they don't work
in a practical form because Real-Life(TM) is a little more grey than

Should providers be doing due diligence? Sure! However, there are
problems with making a hard-and-fast rule. Consider the following.

1.) You're a VPS provider. You seee a massive outbound surge of email
traffic (DST 25/TCP, 465/TCP, etc.). Is this instance a spam service? Or
is it hosting a massively popular newsletter? How do you investigate
this without violating the privacy (or anonymity) of the customer?

2.) You notice torrent traffic. Are they seeding copyrighted material?
Or are they helping mirror a distro's ISOs?

3.) You notice a huge number of HTTP connections. Are they the victim of
a slowloris[0]? Or have they been slashdotted and their webserver
configuration/website code hasn't been optimized well?

4.) You notice a huge number of outbound connections in general. Are
they initiating an attack? Or are they the victim of a TCP SYN-ACK
reflection attack?

Short of installing a rootkit, there's no guarantee you're going to be
able to reliably check what they're actually doing if it's using a
TLS-transported messaging system. The argument can be made that you
oughtn't be able to know; with State/corporation-sponsored espionage on
the rise, privacy and anonymity are in high demand and are very, very
low in supply.

Additionally, the amount of analytics and DPI you need to do for every
email server/torrent seeding instance/whatever running on guests on your
fleet is ASTOUNDING. You're talking about an unrealistic cost benefit

Instead, it'd be more beneficial to encourage *customers* who don't know
what they're doing to hire outside help or leave their playground for a
homelab/VM first. The vast majority of the abuses seen on the Internet
are due to misconfigured services that attackers compromise and take
advantage of, not first-level abuse. So if you stick to your philosophy
and make it a hard rule, you've now killed off a significant amount of
your customer base when the *proper* response is "you should hire a
sysadmin who has experience with this service".

Linode has outbound abuse because *they attract people who have no
server administration experience*, not because they aren't doing due
diligence. They're popular, they have a significant amount of hosting,
so it happens more there. If you file abuse reports with Linode, they
actually are handled.

What you're suggesting, in other words, is the digital equivalent of
"thoughtcrime" - applying ill intent/malignance onto a situation with no
inside knowledge before any actual violation was committed.

"Innocent until proven guilty" applies to more than just law. Is it
inefficient? Sure, but it's the most fair thing we have. In the
meanwhile, it may be more beneficial to teach people how to read and
understand RFCs and teach them best practices if they're interested in
putting something on the Internet rather than trying to fix it with
measures akin to China's Golden Shield. But, of course, that actually
takes time and effort.


Attachment: signature.asc
Description: OpenPGP digital signature

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --