One of the main purposes of PlanetLab is to enable research into new Internet technology. Frequently, researchers will deploy technologies on PlanetLab that use the Internet in new ways. As a result, PlanetLab network traffic is sometimes viewed as anomalous by automated Intrusion Detection Systems (IDSs), which may trigger alerts. If an alert is interpreted as a security threat by a system administrator or IDS, a complaint may be lodged against your site or other PlanetLab hosting sites.
Recent security incidents, and their resolution, are listed below:
DMCA take-down notice
Date: 28 August 2009
Description: Several PlanetLab sites reported receiving copyright infringement notices from the Video Protection Alliance.
Explanation and Resolution: This was a false positive. There was no copyrighted material on any PlanetLab node. We determined that CoralCDN was relaying BitTorrent 'tracker' URLs that tracked all of the copyrighted data reported in the complaints. Tracker URLs are web pages that contain a list of locations at which a certain BitTorrent file can be found. No content was cached or hosted on PlanetLab nodes, and no PlanetLab nodes were being advertised as serving such data. All CoralCDN was doing was efficiently relaying BitTorrent metadata. CoralCDN has since blacklisted the actual tracker (denis.stalker.h3q.com), and PLC is communicating with the VPA to get them to stop forwarding DMCA notices to PlanetLab sites.
More details: Please refer to the first support message (PDF) and second support message (PDF) for more information.
Wiki Spam
Date: 8 January 2009
Description: The PlanetLab Operations team was notified that some spam web pages were created from IP addresses traced to PlanetLab nodes. The traffic was identified as related to an experiment from Brown University.
Explanation and Resolution: This is a violation of the PlanetLab Acceptable Use Policy, and the slice has been disabled. The researcher will not run the experiment outside their own netspace.
More details: Please refer to this support message (PDF).
Distribution of copyrighted material on a BitTorrent experiment
Date: 28 November 2008
Description: A slice from Columbia University was running BitTorrent and participated in the distribution of copyrighted material, including material from Columbia Pictures. A few sites alerted the PlanetLab Operations team, and the slice was immediately suspended for investigation.
Explanation from Researchers: This is purely experimental and is used to study BitTorrent networks rather than to promote illegal distribution of copyrighted files.
Resolution: This is likely a violation of the PlanetLab Acceptable Use Policy. The slice has been disabled and the researcher will need to redesign the experiment.
Email spoofing / password phishing
Date: 12 November 2008
Description: A PlanetLab site/service has been suspected of displaying false ebay.com pages.
Explanation from Researchers: The CoralCDN service is not involved in a phishing scam. It operates as a semi-open, free webcache/CDN that you access simply by modifying a URL (ebay.com becomes ebay.com.nyud.net).
Resolution: Ebay.com removed a site from their database as being a suspect phishing/fraudulent site a few months ago (an agent may have entered the site in error). Ebay.com is being asked to whitelist CoralCDN so that this will not cause any false alarm in the future.
More details: Please refer to this support message (PDF).
Distribution of copyrighted material on a BitTorrent experiment
Date: 29 July 2008
Description: A slice allocated to NTHU deployed BitTorrent and participated in the distribution of copyrighted material, including Warner Bros.' "Dark Knight" movie. As a consequence of Princeton's compliance officer being contacted, the PlanetLab Operations team learned of the situation and immediately suspended the slice.
Explanation from Researchers: They wanted to evaluate the performance of a proposed BitTorrent cache system, and so they joined some popular BitTorrent swarms to operate under realistic conditions.
Resolution: This is clearly a violation of the PlanetLab Acceptable Use Policy. The site has since been disabled, and the PI will need to appeal to the PlanetLab Consortium to have it re-enabled. A message (PDF) has been sent to all PIs and Tech contacts regarding this incident.
Traffic on SMTP ports by google_highground slice
Dates: May - June 2008
Description: Some users had questions about SMTP scanning from this experiment (google_highground slice).
Explanation from Researchers: Traffic is from an "SMTP survey" experiment (http://smtpsurvey.stillhq.com/). However, it doesn't send any mail; it just connects on port 25, logs the status message and a few other details, and disconnects.
Resolution: Affected IPs to be excluded can be sent to the researcher, to be added to a blacklist.
Example support email message (PDF)
DNS zone transfers by tudresden_sedns slice
Dates: April 2008
Description: DNS zone transfers (AXFRs) created by this experiment (tudresden_sedns slice) have triggered security complaints.
Explanation from Researchers: This is a content distribution research project in the DNS namespace. In order to discover those CDNs, they are using an in-house developed crawler/spider system that gathers DNS data through AXFRs (zone transfers) and similar approaches. (Research team's website).
Resolution: Responsible researchers will blacklist affected DNS server(s) when needed.
Example support email message (PDF)
Suspicious BitTorrent activities by umass_bittorrent slice
Dates: Feb - Mar 2008
Description: This experiment (umass_bittorrent slice) has triggered some security alert messages from BayTSP, Inc.
Explanation from Researchers: No copyrighted material is being downloaded; these are monitoring status messages.
Resolution: BayTSP, Inc. was given a script to learn the current set of nodes and has agreed to whitelist PlanetLab nodes to avoid such situations in the future.
Example support email message (PDF)
Traffic on DNS servers by princeton_traffic slice
Dates: Dec 2007 - Feb 2008
Description: This experiment (princeton_traffic slice) created requests to DNS servers that raised concerns from some users.
Explanation from Researchers: The experiment probes DNS caches to try to estimate the rate of web traffic to different websites.
Resolution: Affected IPs to be excluded can be sent to the researcher, to be added to a blacklist.
Example support email message (PDF)