Dynamic IP log retention = 0?
Brett Charbeneau
brett at wrl.org
Wed Mar 11 13:34:18 UTC 2009
I've been nudging an operator at Covad about a handful of hosts from his
DHCP pool that have been attacking - relentlessly port scanning - our assets.
I've been informed by this individual that there's "no way" to determine which
customer had that address at the times I list in my logs - even though these
logs are sent within 48 hours of the incidents.
The operator advised that I block the specific IP's that are attacking
us at my perimeter. When I mentioned the fact that blocking individual addresses
will only be as effective as the length of lease for that DHCP pool I get the
email equivalent of a shrug.
"Well, maybe you want to ban our entire /15 at your perimeter..."
I'm reluctant to ban over 65,000 hosts as my staff have colleagues
all over the continental US with whom they communicate regularly.
I realize these are tough times and that large ISP's may trim abuse team
budgets before other things, but to have NO MECHANISM to audit who has what
address at any given time kinda blows my mind.
Does one have to get to the level of a subpoena before abuse teams pull
out the tools they need to make such a determination? Or am I naive enough to
think port scans are as important to them as they are to me on the receiving
end?
--
********************************************************************
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett at wrl.org
********************************************************************
More information about the NANOG
mailing list