Dynamic IP log retention = 0?

Neil kngspook at gmail.com
Sat Mar 14 08:12:53 UTC 2009


On Wed, Mar 11, 2009 at 6:34 AM, Brett Charbeneau <brett at wrl.org> wrote:

>        I've been nudging an operator at Covad about a handful of hosts from
> his DHCP pool that have been attacking - relentlessly port scanning - our
> assets. I've been informed by this individual that there's "no way" to
> determine which customer had that address at the times I list in my logs -
> even though these logs are sent within 48 hours of the incidents.
>        The operator advised that I block the specific IP's that are
> attacking us at my perimeter. When I mentioned the fact that blocking
> individual addresses will only be as effective as the length of lease for
> that DHCP pool I get the email equivalent of a shrug.
>        "Well, maybe you want to ban our entire /15 at your perimeter..."
>        I'm reluctant to ban over 65,000 hosts as my staff have colleagues
> all over the continental US with whom they communicate regularly.
>        I realize these are tough times and that large ISP's may trim abuse
> team budgets before other things, but to have NO MECHANISM to audit who has
> what address at any given time kinda blows my mind.
>        Does one have to get to the level of a subpoena before abuse teams
> pull out the tools they need to make such a determination? Or am I naive
> enough to think port scans are as important to them as they are to me on the
> receiving end?
>
>
I think you are being a little naive.  Port scans, while possibly used for
malicious ends, can very often be benign.  I've port scanned netblocks for
such trivia such as the IP of the printer which I forgot to scribble down.
(Naturally, this doesn't explain your situation of scanning from another
ISP, but you get the idea (I hope).)

As William pointed out, it's the things that follow that determine whether
someone's being bad.  To flag port-scans might be responsible, but I think
pursuing legal action over it would be the exact opposite.  Wait until
someone demonstrates true maliciousness before trying to punish them, rather
than bringing the heat merely because they've demonstrated the potential for
maliciousness.

This is almost akin to attacking someone because they're carrying a gun:
sure, the gun gives them the potential to do bad things, but it often enough
is innocent. (Political agendas aside...)



More information about the NANOG mailing list