Dynamic IP log retention = 0?

Ross ross at dillio.net
Thu Mar 12 07:25:16 UTC 2009

How did a simple thread about network scanning get so derailed....we have
people talking about the legal implications of port scanning, hiring
lawyers to go after ISPs, talking to the fbi, the benefits/downfalls of
NAT as a security policy, etc. Wow just wow.

I'll try to answer you in a more common sense approach as some have tried
to do. First of all no network operator has to hand over their logs or
user information over to you just because you want to know. You can ask
their abuse department to intervene but that is all up to that department.
They may have told you they don't have them just because they didn't want
you pestering them anymore or they may really not have them, who knows.
Don't try to judge them but try to fix this very minute problem in a way
you can control.

The ways you can control this are simple.

1) Block all of covad (not very smart)
2) Block all of covad except for essential ports (25,80,443 or whatever
other common ports they may need)
3) Setup a perimeter protection that blocks hosts that are scanning you
and removes them after a determined amount of time

This trying to shun people in public because they aren't following your
guide to network administration probably isn't going to work very well for
you. If 65000 covad addresses were ddosing you then I would agree that you
have a legitimate gripe but focus on what you can control and not what you
believe others should be doing.

ross [at] dillio.net

>  	I've been nudging an operator at Covad about a handful of hosts from his
> DHCP pool that have been attacking - relentlessly port scanning - our
> assets.
> I've been informed by this individual that there's "no way" to determine
> which
> customer had that address at the times I list in my logs - even though
> these
> logs are sent within 48 hours of the incidents.
>  	The operator advised that I block the specific IP's that are attacking
> us at my perimeter. When I mentioned the fact that blocking individual
> addresses
> will only be as effective as the length of lease for that DHCP pool I get
> the
> email equivalent of a shrug.
>  	"Well, maybe you want to ban our entire /15 at your perimeter..."
>  	I'm reluctant to ban over 65,000 hosts as my staff have colleagues
> all over the continental US with whom they communicate regularly.
>  	I realize these are tough times and that large ISP's may trim abuse team
> budgets before other things, but to have NO MECHANISM to audit who has
> what
> address at any given time kinda blows my mind.
>  	Does one have to get to the level of a subpoena before abuse teams pull
> out the tools they need to make such a determination? Or am I naive enough
> to
> think port scans are as important to them as they are to me on the
> receiving
> end?
> --
> ********************************************************************
> Brett Charbeneau, GSEC Gold, GCIH Gold
> Network Administrator
> Williamsburg Regional Library
> 7770 Croaker Road
> Williamsburg, VA 23188-7064
> (757)259-4044          www.wrl.org
> (757)259-4079 (fax)    brett at wrl.org
> ********************************************************************

More information about the NANOG mailing list