Layered Technologies

Layered Technologies are a hosting company in Texas. Their prices are certainly competitive for low-end servers with a capacity of up to 1000GB/month throughput. This makes them ideal for hosting a Tor service, which is what I did after checking with them that Tor was an acceptable service to run. That was in May of 2005 and all went well until this morning when I received the following email from them:

Subject: Policy Enforcement of at 72.21.33.202 for IRC Malicious

NOTES: I have attached a template at the end of this message to assist in searching for exploits on this server.
paulchenp is ~aa@72.21.33.202 abc

This is a Policy Enforcement Notice that your server has violated our Acceptable Use Policy available at http://www.layeredtech.com/aup.shtml. Please refer to the attached complaints and/or logs of abuse. If you believe we have traced this issue to you erroneously, our staff will investigate the issue further.

IT IS YOUR RESPONSIBILITY TO REMOVE ALL DOMAINS, USERS, AND CONTENT CAUSING THIS ABUSE ISSUE AND TO INVESTIGATE ANY MISCONFIGURED, INFECTED, OR UNAUTHORIZED USE OF SOFTWARE.

PENDING YOUR REQUIRED REPLY WITH YOUR COMMENTS, QUESTIONS, OR ACTIONS TO RESOLVE THIS ISSUE, THE SERVER IS:

[] Monitored for Additional Violations
[] Accessed for Investigation, Cleaning, Hardening, or Securing
[x] Disconnected in: [] 24-Hours [x] 12-Hours [] 6-Hours [] 1-Hour [] 0-Hours

This is edited down as the original email is huge, containing details of their policies and suggestions for dealing with malware. Their email also contained the abuse report that triggered the issue:

I found these suspicious looking connections on the Undernet IRC Chat Network connecting from a netblock you control ( 72.21.32.0/19 ). They were mostly connecting to the servers that irc.undernet.org resolves to, most likely on port 6667. Other possible ports include 6660-7000, 8888, and 8080.

Please check for a compromise, possible hidden process running and an altered process listing.
Run the updates for your system to close possible exploit holes, and send any unusual programs found to info@cyberabuse.org for investigation.

This email is being cc’d to our abuse department for record-keeping.

Thank you for your cooperation.

Regards,

Abuse
Undernet IRC Network

Undernet’s email went on to list a huge range of Layered Technologies connections to their services. I’m not sure what appears “suspicious” about them; they are just IRC connections so far as I can tell. The only one listed against my server was:

paulchenp is ~aa@72.21.33.202 abc

Okay, so it seems that Undernet weren’t really complaining directly about my service, just pointing out to Layered Technologies that there were a number of “Suspicious looking connections” to their IRC service. I responded to Layered Technologies:

Hi there,

My server [account number] isn’t providing any IRC services. It runs a Tor server (http://tor.eff.org) which allows it to participate in a chain of connections which could relay IRC for Tor clients.

Undernet currently seem to have no abuse control system beyond IP address blocking. Perhaps until they resolve this, the best solution would be for me to block any Tor relaying to their networks. Would this be acceptable to Layeredtech?

Regards
Steve

Which resulted in an instant response of:

IRC servers or relays are not allowed on our network except when approved in advance through the abuse department. The abuse control system of undernet is not the issue. Your server is not permitted to make such IRC connections. You are responsible for all abuse which occurs from your IP which includes any such relay connection.

Remove the Tor relay of IRC and reply to confirm you have done this.

This curt little email seems to say a lot of things in a very ambiguous manner. It states that IRC servers are not allowed on their network. No problem there, I’m not running one. It also says that relays are not allowed which presumably means IRC relays in the context it is written. I can’t find any reference to this in their AUP but like all US legal statements, it’s enormous and says everything and nothing.

The clincher for me is that it states I am responsible for any abuse that occurs through my IP. Wow, that’s a biggie! I run a number of services, such as News, Mail, IRC and HTTP and it’s probably safe to say that all of them relay abuse. In the case of a News server, it does very little other than relay rants between warring Usenet factions. Mail is flooded out with spam and abuse which my services eagerly relay to me. Need I go on? Just about any service I could possibly provide is vulnerable to relaying abuse, all of which it seems Layered Technologies will hold me accountable for. This is a ridiculous policy for a company providing dedicated server hosting. What do they expect their clients to do with them?

I responded to Layered Technologies and confirmed that I’d shut down IRC relaying:

The IRC relay has now been completely blocked from this server.

Being forced to take this action is disappointing. I made it very clear to Layeredtech sales what I intended to use this server for prior to taking out the contract last May. They stated that running a Tor service was not a problem.

The response to this was:

Running Tor itself is not the problem. Running a service allowing IRC or relaying IRC is the problem. IRC is expressly forbidden by our Acceptable Use Policy. Any approval to run an IRC server or otherwise relay IRC must be specifically approved by abuse department as it is contrary to our Acceptable Use Policy. Even if we approved such an IRC server or relay, any abuse of such service would violate our policy. This server used IRC or relayed IRC which caused this abuse issue and is the reason we now require removal of the IRC or disabling of the IRC relay service. If you can run Tor without it allowing any IRC connections outside of our network, then you are allowed to do that.

I am closing this issue at this time.

Layered Technologies have no objection to people running services such as Tor, providing they don’t allow IRC relaying. I guess that’s fair enough and I’ll not take the issue any further. It’s strange though that a dedicated server hosting company completely folded and blamed its client at the first abuse complaint they received. I suspect that if the next complaint concerns email, they will find something in their voluminous AUP that covers such an eventuality and demand I close it down. Time will tell.
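
One way the block described above could be expressed and checked, as an added example that is not part of the original post. The `ExitPolicy` lines are an assumption (the post does not show the actual torrc) built from the ports named in Undernet's report, and the evaluator applies Tor's first-match rule to confirm none of those ports remain reachable through the exit.

```python
# Added example: check a Tor exit policy against the IRC ports named in the
# abuse report. The policy lines are an assumption; the post does not show
# the author's actual torrc.
import ipaddress

# Constructed torrc fragment. Tor evaluates ExitPolicy rules first-match-wins,
# so the reject lines must come before the final catch-all accept.
TORRC = """
ExitPolicy reject *:6660-7000
ExitPolicy reject *:8888
ExitPolicy reject *:8080
ExitPolicy accept *:*
"""

def parse_policy(torrc_text):
    """Return a list of (action, network_or_None, low_port, high_port)."""
    rules = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.lower().startswith("exitpolicy"):
            continue
        for item in line.split(None, 1)[1].split(","):
            action, pattern = item.split()
            addr, _, ports = pattern.rpartition(":")
            net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            if ports == "*":
                low, high = 1, 65535
            else:
                low, _, high = ports.partition("-")
                low, high = int(low), int(high or low)
            rules.append((action.lower(), net, low, high))
    return rules

def exit_allowed(rules, dest_ip, dest_port):
    """Apply the first matching rule; this evaluator treats no match as refused."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, low, high in rules:
        if (net is None or ip in net) and low <= dest_port <= high:
            return action == "accept"
    return False

RULES = parse_policy(TORRC)
# 192.0.2.10 is a documentation address standing in for an IRC server.
IRC_PORTS = [6660, 6667, 7000, 8080, 8888]
LEAKS = [p for p in IRC_PORTS if exit_allowed(RULES, "192.0.2.10", p)]

if __name__ == "__main__":
    print("IRC ports still reachable through this exit:", LEAKS or "none")
```

Rejecting 8080 and 8888 also refuses any non-IRC traffic to those ports, and a reject line placed after `accept *:*` never takes effect.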
