[Planetlab-devel] Fwd: [PL #26743] PlanetLab Traffic Report Feedback - loriaple_jfrancois_webperf

Timur Friedman timur.friedman at upmc.fr
Thu May 22 13:18:05 EDT 2008


Agreed: the responsible slice authority is the first responder, and
the responsible node authority, if different, is kept in the loop.

Complaints that arise through PlanetFlow2 will be automatically
directed to the correct support lists. For those that come in via
manually-generated e-mail, the receiving authority will notice if
another authority should be alerted.

In that case, even if we are observing each other's support traffic, I
suggest an explicit message. The authority that receives the complaint
forwards it to the other authority's support list, saying either
"We'll take the lead on this," or "Please take the lead on this."

How does that sound?

By the way, we at PLE are certainly learning a lot by reading the PLC
support traffic. We also welcome PLC staff's subscribing to our
support community mailing list:

http://lists.planet-lab.eu/mailman/listinfo/support-community

In particular, we'd appreciate any comments on how we're handling
tickets, and any suggestions on ways we might do better.

Timur

On Thu May 22 10:38:53 EDT 2008, Larry Peterson <llp at CS.Princeton.EDU> wrote:
>
> A notice should go to both support groups when the node belongs
> to one and the slice belongs to the other. If both node and slice are
> PLE- or PLC-only, then just the one support group needs to be
> notified. (I'm assuming both support teams eavesdrop on the other's
> list.)
>
> There's also the issue of who responds. I propose that the responsible
> slice authority is the first responder. Clearly, the authority responsible
> for the node's correct behavior needs to make sure their hosting site
> is satisfied, but the lead belongs on the slice side.
>
> Larry
>
> On Thu, May 22, 2008 at 10:34 AM, Sapan Bhatia <sapanb at cs.princeton.edu> wrote:
> > Hi,
> >
> > Since we don't have fully-qualified slice names yet, we could use the
> > following as a short-term solution. We modify the script that
> > registers complaints (this script will run at PlanetFlow central) to
> > look the slice up in both PLCs and report the incident to the support
> > branch of the PLC to which it is found to belong.
> >
> > We can make this feature a part of the upcoming public release of PlanetFlow2.
> >
> > Sapan
> >
> >
> >
> > On 5/22/08, Larry Peterson <llp at cs.princeton.edu> wrote:
> >> Any thoughts on how we handle this situation? --Larry
> >>
> >>
> >>
> >> ---------- Forwarded message ----------
> >> From: Timur Friedman <timur.friedman at upmc.fr>
> >> Date: Thu, May 22, 2008 at 8:26 AM
> >> Subject: Re: [PL #26743] PlanetLab Traffic Report Feedback -
> >> loriaple_jfrancois_webperf
> >>
> >> To: Larry Peterson <llp at cs.princeton.edu>
> >>
> >>
> >> Larry,
> >>
> >> Here we have a case of a PLE site's slice that generated unwanted
> >> traffic. But it looks like the Williams College complaint, via the
> >> PlanetFlow interface, got directed to PLC support.
> >>
> >> We need to set things up so that complaints regarding PLE sites'
> >> slices get directed to PLE support. I know that the entire PlanetFlow
> >> mechanism is being reworked for 4.2, so I imagine that this will be a
> >> feature of the new system.
> >>
> >> Timur
> >>
> >>
> >> On Tue, May 20, 2008 at 6:04 PM, Larry Peterson via RT
> >> <support at planet-lab.org> wrote:
> >> >
> >> > Email Recipients (see http://www.planet-lab.org/Support)
> >> > Owner: sapanb
> >> > Requestor: support at planet-lab.org
> >> > Ticket Ccs: jeannie at cs.williams.edu, loriaple_jfrancois_webperf at slices.planet-lab.org
> >> >
> >> > ==================================================
> >> >
> >> > My interpretation is a probe to see if the vulnerability exists that
> >> > allows the malware to be loaded onto the machine. For those that
> >> > are aware of such vulnerabilities, I would assume they are watching
> >> > for such probes -- the exact same ones an attacker would execute.
> >> > Please correct me if I'm wrong.
> >> >
> >> > With respect to lessening load on the home machines, this is not a
> >> > particularly good use of PlanetLab, especially when accompanied
> >> > by risks. The value of PlanetLab is not the availability of cycles so
> >> > as to offload local machines, but rather, having access to machines
> >> > with many points-of-presence.
> >> >
> >> > Larry
> >> >
> >> > On Tue, May 20, 2008 at 12:00 PM, Sapan Bhatia via RT
> >> > <support at planet-lab.org> wrote:
> >> > > Email Recipients (see http://www.planet-lab.org/Support)
> >> > > Owner: Nobody
> >> > > Requestor: support at planet-lab.org
> >> > > Ticket Ccs: jeannie at cs.williams.edu, loriaple_jfrancois_webperf at slices.planet-lab.org
> >> > >
> >> > > ==================================================
> >> > >
> >> > > Hi Jeannie,
> >> > >
> >> > > From what I can gather from Jerome's explanation, it looks like he's only scanning hosts to
> >> > > detect the presence of malware on them. He is not actually exploiting the malware to execute
> >> > > scripts. Jerome: could you confirm this? Also, please blacklist the IP address range for which
> >> > > the complaints have been registered, in addition to removing your slice from the Williams
> >> > > nodes.
> >> > >
> >> > > Sapan
> >> > > PL Support
> >> > >
> >> > >
> >> > >> [jeannie at cs.williams.edu - Tue May 20 11:26:59 2008]:
> >> > >>
> >> > >> Hi Jerome,
> >> > >> I'm afraid that the system administrators on our campus still have
> >> > >> concerns over the nature of your experiment. They feel that:
> >> > >>
> >> > >> "This particular test goes a little too far. If you do not have
> >> > >> permission to "enter" private networks, how can you justify running
> >> > >> scripts against it?"
> >> > >>
> >> > >> To avoid causing further problems and receiving more complaints from
> >> > >> our OIT department, I ask that you please stop using the machines on
> >> > >> our campus for these experiments. I apologize if this causes you any
> >> > >> inconvenience.
> >> > >>
> >> > >> Thanks,
> >> > >> Jeannie
> >> > >>
> >> > >> On Tue, May 20, 2008 at 10:06 AM, Jérôme François via RT
> >> > >> <support at planet-lab.org> wrote:
> >> > >> > Email Recipients (see http://www.planet-lab.org/Support)
> >> > >> > Owner: Nobody
> >> > >> > Requestor: support at planet-lab.org
> >> > >> > Ticket Ccs: jeannie at cs.williams.edu, loriaple_jfrancois_webperf at slices.planet-lab.org
> >> > >> >
> >> > >> > ==================================================
> >> > >> >
> >> > >> > Hello,
> >> > >> >
> >> > >> > The goal of the experiment is to test the "web performance" of
> >> > >> > malware. Basically the aim is to evaluate the efficiency of a worm to
> >> > >> > have infected web servers. Thus, the experiment runs scripts which
> >> > >> > connect to a webserver to attempt to test if the malware can be
> >> > >> > downloaded on this server.
> >> > >> >
> >> > >> > Therefore, it appears as a scanner because the script tests selected
> >> > >> > IP domains to detect an infected web server.
> >> > >> >
> >> > >> > Regards,
> >> > >> >
> >> > >> > Jerome François
> >> > >> > INRIA Nancy Grand Est
> >> > >> > France
> >> > >> >
> >> > >> >
> >> > >> >
> >> > >> > support at planet-lab.org via RT wrote:
> >> > >> >> Email Recipients (see http://www.planet-lab.org/Support)
> >> > >> >> Requestor: support at planet-lab.org
> >> > >> >> Ticket Ccs: jeannie at cs.williams.edu, loriaple_jfrancois_webperf at slices.planet-lab.org
> >> > >> >>
> >> > >> >> ==================================================
> >> > >> >>
> >> > >> >> Tue May 20 09:16:12 2008: Request 26743 was acted upon.
> >> > >> >> Transaction: Ticket created by support at planet-lab.org
> >> > >> >>
> >> > >> >> Subject: PlanetLab Traffic Report Feedback - loriaple_jfrancois_webperf
> >> > >> >>
> >> > >> >>
> >> > >> >> PlanetLab Traffic Report Feedback - loriaple_jfrancois_webperf
> >> > >> >>
> >> > >> >> PlanetLab has received feedback from jeannie at cs.williams.edu regarding
> >> > >> >> the following traffic transmitted by your slice:
> >> > >> >>
> >> > >> >> Start Time: May 19 22:23:48
> >> > >> >> End Time: May 19 22:23:51
> >> > >> >> Slice: loriaple_jfrancois_webperf
> >> > >> >> Protocol: TCP
> >> > >> >> Source IP: planetlab2.williams.edu
> >> > >> >> Source Port: 50001
> >> > >> >> Destination IP: 63.117.51.88
> >> > >> >> Destination Port: http (80)
> >> > >> >> KPackets: 0.00
> >> > >> >> KBytes: 0.11
> >> > >> >>
> >> > >> >> Comments:
> >> > >> >> Hello,
> >> > >> >> We received the following complaint regarding traffic coming from a
> >> > >> >> PlanetLab machine on our campus. We believe this complaint is due
> >> > >> >> to a port-scanning application that you were running in your slice
> >> > >> >> (loriaple_jfrancois_webperf). Please let us know what the nature
> >> > >> >> of your experiment is so that we can respond to USi.
> >> > >> >>
> >> > >> >>
> >> > >> >>> Hello from USinternetworking (USi). I am a Security Engineer here trying to
> >> > >> >>> track down a security incident that appears to have originated from your
> >> > >> >>> network on May 19, 2008. Please investigate a TCP sweep of port 80 from the
> >> > >> >>> IP 137.165.1.112 (planetlab2.williams.edu) and inform me of the results
> >> > >> >>> (account cancelled, user warned, etc). I will require this information in
> >> > >> >>> order to close the ticket on this activity. I have attached a portion of the
> >> > >> >>> log details as evidence. All times are EDT (GMT -4).
> >> > >> >>>
> >> > >> >>>
> >> > >> >>> 18:23:58 137.165.1.112 0.0.0.0 [TCP-SWEEP] (total=18,dp=80,min=63.117.51.70,max=63.117.51.88,May19-18:09:34,May19-18:23:48) (USI-rdtest)
> >> > >> >>>
> >> > >> >>
> >> > >> >>
> >> > >> >> Thanks.
> >> > >> >>
> >> > >> >> Please contact jeannie at cs.williams.edu and PlanetLab Support immediately.
> >> > >> >> Explain the nature of your experiment, as well as the purpose of the traffic.
> >> > >> >>
> >> > >> >> PlanetLab Support <support at planet-lab.org>
> >> > >> >>
> >> > >> >
> >> > >> >
> >> > >>
> >> > >>
> >> > >>
> >> > >
> >> > > _______________________________________________
> >> > > PlanetLab Support Mail Reflector
> >> > > support at planet-lab.org
> >> > > https://lists.planet-lab.org/mailman/listinfo/support-community
> >> > >
> >> > >
> >> >
> >>
> >>
> >> _______________________________________________
> >> Devel mailing list
> >> Devel at lists.planet-lab.org
> >> https://lists.planet-lab.org/mailman/listinfo/devel
> >>
> >
