Dynamic IP log retention = 0?

William Allen Simpson william.allen.simpson at gmail.com
Wed Mar 11 09:42:14 CDT 2009


Brett Charbeneau wrote:
>     I've been nudging an operator at Covad about a handful of hosts from 
> his DHCP pool that have been attacking - relentlessly port scanning - 
> our assets. 

Port scanning is rather common, and shouldn't be considered "attacking" --
unless it's taking a significant amount of bandwidth.

The latter is a Denial of Service (DoS) attack, and should be reported as
such.  I understand that a library might have limited bandwidth.

Often port scanning is followed by an actual attack, ssh attempts, etc.
That's what should be reported.


> ...  I've been informed by this individual that there's "no way" 
> to determine which customer had that address at the times I list in my 
> logs - even though these logs are sent within 48 hours of the incidents.

Now that's just odd, and probably the "operator" at Covad simply doesn't
have access to the logs.

DHCP should be logged.  In my experience, the usual practice is to keep
the logs for 3 days, or until the log files roll over.


>     Does one have to get to the level of a subpoena before abuse teams 
> pull out the tools they need to make such a determination? Or am I naive 
> enough to think port scans are as important to them as they are to me on 
> the receiving end?
> 
While I applaud your taking security seriously, and your active monitoring
of your resources, other folks might be handling huge numbers of Conficker,
Mebroot, and Torpig infections these days.  So, they might be rather busy.

Are your library systems all clean?

You don't seem to have your own ARIN allocation for wrl.org, so it's kinda
hard to tell from here....

AS      | IP               | AS Name
4565    | 66.200.204.71    | MEGAPATH2-US - MegaPath Networks Inc.





More information about the NANOG mailing list