nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Cloudflare, dirty networks and politricks

From: Owen DeLong <owen () delong com>
Date: Sat, 30 Jul 2016 15:47:37 -0700


On Jul 30, 2016, at 12:34 PM, bzs () theworld com wrote:


On July 30, 2016 at 10:51 owen () delong com <mailto:owen () delong com> (Owen DeLong) wrote:

If they are using a website hosted or accelerated by your CDN to advertise
an illegal activity or an activity in violation of your ToS, then if you
have written your ToS properly, you are free to shut down said site (or
at least your portions of it) based on their violation of your ToS.


Well, yes, of course, which is why I suggested developing generally
agreed upon definitions and writing them into contracts.

One can't really write a useful contract if terms aren't well defined.



That’s not a business boycott because you didn’t conspire with their other
providers to shut it down, you took an independent action based on your
own ToS.


The issue arises if you shut them down when you're not the harmed or
involved party.


Not if they are using your service in a way that is contrary to the agreement
they have signed.


I don't know if one can write a ToS which says you will be shut down
if you harm another party utilizing another party's services but not
otherwise involving us. Well, you can write anything but is it lawful
and enforceable?


Probably not, but you wouldn’t do that anyway.

What you would write instead is that “You shall not use the service to
carry out attacks or other malicious activity, nor shall you use the
service to advertise, solicit, or contract to carry out such actions even
if the actions themselves are carried out independent of the service.”

You can, of course, prohibit any action you want on your network, even
if the prohibited action isn’t the actual objectionable action.


In some cases where that sort of thing has come up I've turned it into
a credit relationship which has greater leeway.

Something like:

 It has come to our attention that you are engaged in activities,
 even if not thus far involving our services, which might incur us
 legal fees. Consequently we require a deposit to cover those legal
 fees, in advance, of $10,000 [pick a number] with the understanding
 that any such legal fees will be billable in full even if above and
 beyond that $10,000 deposit. Since I extend you no credit a failure
 to provide that deposit by [date in the near future] will result in
 termination of services. Please feel free to contact us with any
 questions or concerns.


Here you risk running up against a claim that this new requirement
is a change to the ToS which they haven’t agreed to and which,
depending on how well they negotiated the contract may not be
enforceable until it comes time for contract renewal and you add
this deposit to the terms of the new contract.


but consult your attorney, state and local regulations and your own
ToS and corporate organization may affect how and whether you can do
that sort of thing or exactly how it has to be architected.


Always.


If one wants to one can include demand for indemnification with
evidence of ability to indemnify and/or business insurance policies
where you've been written in as a legitimate potential claimant for
legal fees and damages assuming the business insurance policy covers
that but as I said you need a lawyer to suss that out.


Sure, but it’s questionable whether the aggrieved party has any legitimate
claim against the hosting company that merely hosted the site that
advertised the DDOS service in question.

Much easier to just prohibit advertising such a service in the first
place, IMHO.


They probably could still fight with you over all that if none of it
was anticipated in your ToS (hint: might be something to add to a ToS,
reserving the right to...blah blah.) Or even try to perfect an
argument based on some theory of estoppel (you changed the conditions
in a way which harms me the client.)

More likely they'll ask for time and assistance to leave your service
(in my experience), generally what you actually wanted. Buh-bye!


Yep… Unless they’re starting to run out of options.


There’s fairly wide latitude to “reserve the right to refuse service to
anyone”, especially if you can show that their use of said service is
in violation of the contract(s) applicable to that service.


Yeah well as any lawyer will tell you relying on broad principles like
that rather than specifying covenants is just asking for legal fees :-)


Sure, but my point is that specifically spelling out certain actions that
you refuse to provide service to is usually the easiest way to terminate
someone for committing such actions on your service.

Owen





Owen


On Jul 29, 2016, at 12:36 , bzs () theworld com wrote:


Unfortunately that raises the issue of what's generally termed in law
a "business boycott" which is at least tortiable if not illegal.

The grocer can't agree with your landlord not to sell you food until
you catch up on the rent.

They can agree to use this information to refuse you credit but even
that's quite constrained by law even if often done anyhow. And that's
a credit relationship so different.

I went over this with my attorney when another ISP asked me to shut a
customer's account down because they were spamming them from a third
ISP's account.

I asked to look at the emails (spam) in question and none originated
at our site. The acct in question on my site didn't do anything
problematic that I could find.

My lawyer explained the above to me: You can't do that, business
boycott.

The other ISP (specifically a sysadmin) who'd asked me to shut the
acct got so angry at this response, he took it all very personally and
unprofessionally, that I had to bring in his own legal dept to explain
this to him which he of course took as a further affront. It got ugly
but you don't need the details.

That's the problem with all this folksy armchair "law", it's often
very bad advice and based on the assumption that the law must agree
with one's emotional feelings. Good luck with that.

On July 29, 2016 at 08:08 rsk () gsp org (Rich Kulawiec) wrote:

On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG wrote:

If we want to be accurate about it, Cloudflare doesn???t host the DDoS,
they protect the website of seller of the product. We shouldn???t be
de-peering Cloud Flare over sites they protect any more than we would
de-peer GoDaddy over sites they host, some of which, no doubt, sell
gray/black market/illegal items/services.


This strategy fails for two reasons.

First, nobody gets a pass.  Anybody providing services to abusers
needs to cut them off, whether it's a registrar, a web host, an email
provider, a DNS provider, or anything else.  Nobody gets to shrug it
off with "Well, but..."

Second, nobody *can* get a pass, because the people behind these operations
have long since learned to distribute their assets widely -- in an attempt
to avoid exactly the actions in the first point.  And you know what?
It works.  "We're just hosting their email", says X, and "We're just
hosting their DNS", says Y, and "We're just hosting their web site",
says Z, and none of them do anything, and nothing gets done. 

The only way to make action against them effective is to do it broadly,
do it swiftly, and do it permanently.

---rsk


-- 
      -Barry Shein

Software Tool & Die    | bzs () TheWorld com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*




-- 
       -Barry Shein

Software Tool & Die    | bzs () TheWorld com <mailto:bzs () theworld com>             | http://www.TheWorld.com 
<http://www.theworld.com/>
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
Previous By Date Next
Previous By Thread Next

Current thread: