Interesting note. I wonder where's the cutoff - when exactly does "opening connections" become "abusing the network" - two connections? Two dozen? A thousand?
I always assumed network data is network data. I don't see the difference between sending millions of packets of data to stream a video and to scan a network. The only difference is the intention - does that mean the act of learning someone's open ports is what's considered abuse? Or is it consent - the fact that you're learning about open ports that the server owner doesn't want you to know about?
> You may not use, or facilitate or allow others to use, the Services or the AWS Site ... to violate the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device;
There's no cutoff because it's not about the number of connections; you could conceivably violate this policy with a single connection, and you could be in compliance with a million connections. Note the term "unwarranted" in OP's post.
Assume we're not talking about nmap (since it's widely known as a hacker tool which may muddy the waters), but instead about a user-written program that e.g. checks for open ports. If a port is open to the public internet, what exactly makes a connection to it "unwarranted"?
As for the AWS rule, scanning open ports does not violate, by itself, any of those things.
I have no idea how AWS defines it, but to my mind it's about two things: intent and impact.
Intent: What is the connection's purpose? To use a service, to map a topology, to identify potentially vulnerable targets, to consume resources?
Impact: How does the act of connecting (once or many times) affect the remote end of the connection? Is a critical resource being exhausted (network connections, CPU, memory, etc.)? Is the remote end's service still available for its intended purpose?
There's no magic spot on the scales but the further you get away from "to use the service" on the Intent scale and "no detectable impact" on the Impact scale, the more trouble you're likely to run into.
What activity constitutes abuse is at the discretion of the provider. If it looks like abuse to them, then it is.
You're looking for a line in the sand (for whatever reason) but no provider will give one, nor should they. Because that would mean telling attackers how to get close to the line without going over it.
I do a lot of nmap scanning for fun and out of curiosity. I pick a site and check out what ports they have open on the server behind their domain. Never did any attacks nor do I intend to.
I'm asking questions to widen my understanding of how and why I might get in trouble for it.
I understand you're trying to get a concrete definition of "network abuse", but you won't find one. It's not really possible to create a concrete definition that won't somehow include legitimate user traffic.
And I know, now you want to define "legitimate user traffic".
The problem is that the expectation for such strictly defined terms is what leads to legalese that's impossible for anyone who isn't a lawyer to understand.
>As for the AWS rule, scanning open ports does not violate, by itself, any of those things.
Several years ago (so things may be different now), I snagged a free-tier (IIRC, it was free for six months or something like that) AWS instance specifically to battle-test my new firewall and config.
Within an hour of beginning tests, I received a notification from AWS asking me why I was doing port scans/etc. and that they wanted me to stop or I'd be kicked off.
I replied and documented that I was testing my own systems/networks and they backed off. I completed my testing and never heard anything from them after that.
Like I said, this was a few years ago (2019, I think), so things may be different now, but back then AWS was definitely proactive about this stuff.
> violate the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device
A normal port scan does none of these things. Unless you have some really crappy equipment (I've seen routers choke on a SYN scan), but in my opinion then that's on you.
In my experience, the detection software is looking for patterns of behavior, not just how many connections get opened.
> the act of learning someone's open ports is what's considered abuse?
Yes, port-scanning a system without the permission of the owner of the system is widely considered abuse. It's conceptually similar to going to an apartment building and knocking on every door to see who's home and who's not.
The act itself isn't very harmful (my home firewall is basically always getting portscanned by somebody or another), but in practice, the reason it's done is as preparation for a more serious attack.
Solicitors aren't generally welcome, either, but at least they aren't (usually) casing the place. And lots of people consider the practice of door-to-door solicitation to be abusive, too.
The cutoff is "they are getting abuse reports about the IP the machine you rent uses". Most providers (at least looking at my fail2ban lists...) don't give a shit about anything less
> The cutoff is "they are getting abuse reports about the IP the machine you rent uses". Most providers (at least looking at my fail2ban lists...) don't give a shit about anything less
That was my guess as well. For example, I send about half a dozen emails every day but they are all coming to me and nobody else so I just assumed that it should be ok because the only person I am spamming is myself :)
Depending on the provider, it may be as minimal as "when they get abuse complaints" or they may have proactive detection. Larger providers are more likely to have proactive measures. These can range from sort of incidental things like alerting on significant increases in the size of the connection tracking table at a router or firewall, often caused by opening a very large number of connections on different ports as in port scanning... but could go up to a network intrusion detection system.
For incoming traffic I don't really care. The vast majority of such traffic is automated systems like bots and scripts looking for low hanging fruit to compromise. It is fine to run a low-level watchdog that throws a temporary source block on the firewall when it detects this traffic, but this is mainly to keep people happy (omg we're under attack!!!!) and keep the logs less cluttered. It doesn't do much to contribute to actual network security. Most real threats are going to be smarter than that. You should already be running your own scans, anyway, so you'll know if there's a problem.
If a scan is spotted in outgoing traffic, I would be concerned that there was a dumb bot of some kind running inside the network.
In the case of a service provider network, they want to make sure they are not facilitating criminals, either directly as their customer, or by hosting compromised systems.
A serious, targeted attack won't use an aggressive nmap type scan, but plenty of low effort malware scripts and bots will.
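The comments above describe detection that keys on a pattern of behaviour (one source touching many distinct ports in a short window) rather than on a raw connection count, and a "low-level watchdog" that reacts to it. The following is an added example of that detection logic, not code from any commenter or provider: it parses constructed iptables-style log lines (the `SRC=`/`DST=`/`DPT=` layout, the 10-second window and the 15-port threshold are all assumptions) and reports which sources exceed the threshold, which is the decision point a watchdog would feed into a temporary firewall block. A normal client opening many connections to one or two ports is not flagged, nor is a slow prober whose probes fall outside the window.

```python
"""Scan-pattern detector over constructed firewall log lines (added example).

Assumed log layout (iptables LOG-like, simplified):
  <ISO timestamp> IN=<if> SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port>
Window and threshold values are illustrative assumptions, not a real rule.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def build_sample_log():
    """Constructed sample: one fast scanner, one busy normal client, one slow prober."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "{ts} IN=eth0 SRC={src} DST=198.51.100.10 PROTO=TCP DPT={dpt}"
    lines = []
    # Fast scanner (constructed address): 40 distinct ports within 4 seconds.
    for i, port in enumerate(range(20, 60)):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(fmt.format(ts=ts.isoformat(), src="203.0.113.7", dpt=port))
    # Normal client: 50 connections in 50 seconds, but only ports 80 and 443.
    for i in range(50):
        ts = base + timedelta(seconds=i)
        lines.append(fmt.format(ts=ts.isoformat(), src="192.0.2.44",
                                dpt=443 if i % 5 else 80))
    # Slow prober: 5 ports spread two minutes apart, never many inside one window.
    for i, port in enumerate((21, 22, 25, 80, 443)):
        ts = base + timedelta(minutes=2 * i)
        lines.append(fmt.format(ts=ts.isoformat(), src="198.51.100.99", dpt=port))
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def detect_scanners(lines, window=timedelta(seconds=10), port_threshold=15):
    """Map each source to its peak number of distinct (dst, port) targets seen
    inside any sliding window, keeping only sources at or above the threshold.

    Volume alone is ignored: a source that reconnects to one port a thousand
    times has a distinct-target count of 1 and is never flagged.
    """
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r[0])  # logs may interleave sources; order by time

    recent = defaultdict(deque)  # src -> deque of (ts, (dst, dport)) inside window
    peak = defaultdict(int)
    for ts, src, dst, dpt in records:
        q = recent[src]
        q.append((ts, (dst, dpt)))
        while q and ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct > peak[src]:
            peak[src] = distinct
    return {src: n for src, n in peak.items() if n >= port_threshold}


if __name__ == "__main__":
    # A watchdog would hand these sources to the firewall for a temporary block.
    for src, n in detect_scanners(build_sample_log()).items():
        print(f"flag {src}: {n} distinct targets within one window")
```

Run it as-is to see only the fast scanner reported; tightening the window or lowering the threshold shows how quickly a rule like this starts catching ordinary traffic, which is the trade-off the thread is circling around.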