Dynamic IP log retention = 0?

Darden, Patrick S. darden at armc.org
Wed Mar 11 08:46:41 CDT 2009


I think your next step is your lawyer.  Put all your missives, your
email, your phone conversations, your logs, your auditing results, your
detection troubleshooting and sleuthing trails etc. in a folder, create
a one page summary including any damages you feel might have been caused
(e.g. time, effort, and money spent on this so far) and a timeline, and
make an appointment with your lawyer.

--Patrick Darden
 

-----Original Message-----
From: Brett Charbeneau [mailto:brett at wrl.org] 
Sent: Wednesday, March 11, 2009 9:34 AM
To: nanog at nanog.org
Subject: Dynamic IP log retention = 0?


 	I've been nudging an operator at Covad about a handful of hosts
from his DHCP pool that have been attacking - relentlessly port scanning
- our assets. 
I've been informed by this individual that there's "no way" to determine
which customer had that address at the times I list in my logs - even
though these logs are sent within 48 hours of the incidents.
 	The operator advised that I block the specific IP's that are
attacking us at my perimeter. When I mentioned the fact that blocking
individual addresses will only be as effective as the length of lease
for that DHCP pool I get the email equivalent of a shrug.
 	"Well, maybe you want to ban our entire /15 at your
perimeter..."
 	I'm reluctant to ban over 65,000 hosts as my staff have
colleagues all over the continental US with whom they communicate
regularly.
 	I realize these are tough times and that large ISP's may trim
abuse team budgets before other things, but to have NO MECHANISM to
audit who has what address at any given time kinda blows my mind.
 	Does one have to get to the level of a subpoena before abuse
teams pull out the tools they need to make such a determination? Or am I
naive enough to think port scans are as important to them as they are to
me on the receiving end?

--
********************************************************************
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044          www.wrl.org
(757)259-4079 (fax)    brett at wrl.org
********************************************************************






More information about the NANOG mailing list