Dynamic IP log retention = 0?
Bobby Mac
bobbyjim at gmail.com
Fri Mar 13 18:57:56 UTC 2009
Just wondering but the knowledge I have of DHCP is that an IP address is
assigned to the same computer (or host) and will continue to do so until the
pool of IP's is exhausted. Once that occurs, a new request is parsed by
the DHCP server and the oldest non-renewed lease address is checked to see
if it is live. If no response occurs then the DHCP server assigns that IP
to the requesting host. It's much more efficient to write once and check
that then it is to write everytime.This is done to save resources on the
DHCP server not much unlike the cache on a DNS server. Every look up does
not travers the root servers and the auth server, only those that have
expired cached entries. Wouldn't it create a DOS against the DHCP server if
every host constantly required the server go through the aformentioned
process? It does whit in DNS. Change the expire to 2 and the ttl to 2 and
see what happens. This did happen for boxsports dot com (what rhymes with
box? not sure of the legalities around saying the name). An SA, while
trouble shooting, did just that and about 1 month later BOOM! crap hit the
fan. It appearedd as though our DNS auth servers were being DOS'd but all
requests were legit. The entry was not cached.
That said, unless Covad is constantly exhausting it's pool or they mandate
that after the lease expires to give a different IP a reverse lookup would
give you the hostname of the offender which should remain accurate for some
amount of time. No action on Covads part constitutes legal action on yoru
part...
-Bobbyjim
On Fri, Mar 13, 2009 at 8:53 AM, Joe Greco <jgreco at ns.sol.net> wrote:
> > On Thu, Mar 12, 2009 at 8:52 PM, Joe Greco <jgreco at ns.sol.net> wrote:
> > > > Well most port scanning is from compromised boxes. Once a
> > > > box is compromised it can be used for *any* sort of attack.
> > > > If you really care about security you take reports of ports
> > > > scans seriously.
> > >
> > > Yeahbut, the real problem is that port scanning is typically used as
> > > part of a process to infect _other_ boxes. If you allow this sort of
> > > illness to spread, the patient (that is, the Internet) doesn't get
> > > better.
> >
> > Port scanning is the Internet equivelant of the common cold. They're a
> dime
> > a dozen.
> >
> > I recommend taking some Vitamin B and D. Block, and Drop.
>
> No, it's more comparable to the jerk who not only doesn't stay at home
> with his cold, but actively walks around the workplace coughing and
> sneezing without covering his mouth/nose with a kleenex, spraying people.
>
> The reality is that it fails the "if everybody did this, would it be a
> good thing" test. While some "B&D" is common sense on the receiving end,
> this does not make it any more correct for the originating site to let it
> keep happening. If every PC on the Internet (conservatively, let's
> assume a billion devices that are sufficiently sophisticated that they
> could be infected) were to send you a single packet per day, you'd be
> seeing over 10,000pps. That should suggest that the behaviour is not
> something to be encouraged.
>
> My locking my doors does not mean it's okay for you to check if my door
> is locked.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then
> I
> won't contact you again." - Direct Marketing Ass'n position on e-mail
> spam(CNN)
> With 24 million small businesses in the US alone, that's way too many
> apples.
>
>
More information about the NANOG
mailing list