Dynamic IP log retention = 0?

Joe Greco jgreco at ns.sol.net
Sat Mar 14 02:42:04 CDT 2009


> Joe,
> 
> I'll respond to you and this will be my last reply to this thread because
> I know I won't be able to change your mind.

Yes, it's clear *you* won't be able to.

> Saying a company's business
> decisions are antisocial just because they aren't doing you want is very
> unhelpful. 

Well, then, it's good that that's not what's happening.  There are lots of
things I would want a business to do that most of 'em aren't doing.  We
aren't talking about any of those things.  We're talking about something
that is commonly understood to be a bad thing, bad enough that most AUP's
explicitly forbid it.

> I don't know how many large ISPs you have worked for but I'm
> not sure if you understand corporate budgets or politics.

I have worked for large ISP's, I understand corporate budgets and politics,
and I'm smart enough to understand that "corporate budgets and politics" do
not define what is acceptable within the framework of the Internet.  Were
"corporate budgets and politics" to define that, we'd be likely to see a
balkanized, spam-riddled ghost-of-what-used-to-be-the-Internet where the
potential for making a buck defines what is right and what is wrong.

Modern corporations are responsible to their shareholders, and many people
feel this gives them a free pass.  Staffing an abuse desk and reducing
these sorts of emissions would seem to be more costly, and certainly there
are people who cut corners on their abuse departments in order to save a
buck, but the point is that this ultimately results in greater costs
further out, when your network is riddled with problems, and your upstreams
and peers are applying pressure to you to stop the DDoS attacks coming from
your network.  Regardless, many companies follow that path, in search of
"better performance this quarter."

We've seen it all before, and we'll see it all again.  Eventually it gets
bad enough that either your policies cause you to fold (AGIS, etc), or
you're forced to clean up.

More enlightened companies can take a longer view, and they'll realize
that a well-run network is actually a valuable asset.

> If you consider people who port scan the bad guys of the internet then
> obviously you and I are two different planes of reality. 

Clearly.  Because the people who port scan are the people who are breaking
into boxes (whether manually or automatically), and the people who are 
breaking into boxes are generally people with no good intent.  If you think
these are "good guys," you definitely *are* on a different plane of
reality.

> I had a
> discussion today with someone who I immensely respect where I talked about
> port scanning and how people compare it to trying to break in to someone's
> house. He disagreed and said that port scanning was like being a part of
> the neighborhood watch and that trying to exploit any vulnerabilities you
> find would be an attempted break in, I have to agree.
 
Random port scanning is not like "the neighborhood watch."  Neighborhood 
watches are set up by a neighbor you know, and presumably trust, and even
if they have a ridiculous policy of testing doorknobs, they will respect 
it if you tell them you don't want to participate.  Some ISP's fulfill this
role by proactively scanning their own IP space for vulnerable machines.
They'll tell you your box is hackable, or maybe even sandbox you.  That's
equivalent to a neighborhood watch.

What you're defending is some guy in a ski mask who comes in and visits
each house, testing all the doors and windows to see if they open, and who
makes note of vulnerable houses.  Maybe he then leaves, maybe he then breaks
into a house.  Even if he leaves, he's leaving with knowledge of insecure
houses, and we know that this knowledge is not going to be put to a
*positive* use.  How you can possibly equate this to a "neighborhood watch"
is beyond me.  

> As for your second point of comparing port scanning to the heinous crimes
> of rape I'll just ask, "have you lost your damn mind"? 

No, of course I haven't, but then again I didn't make such a comparison.
I did say "they're much worse."  You might want to go back and re-read
that little exchange, as you clearly didn't comprehend what I was saying.

> Seriously, port
> scanning a machine compared to the horrid act of abusing someone sexually?
> Seriously, what will be your next analogy, pedophiles are the same as file
> sharers?

Seriously, try reading for comprehension.

> Port scanning can be a method to find vulnerabilities indeed but what of
> those of us who port scan before we use certain services? 

Scanning a machine that you're authorized to access is not at issue here.

> I often scan
> certain hosts before I use them to make sure they don't have gaping
> vulnerabilities, should I go to jail? 

See above.  And below.

> The op said nothing about an attack but only a scan, so don't go there.

Ah ha.

See, you've just tried to equate your scanning of some machine that you
are authorized to use, with what the original poster was complaining
about, which was relentless scans by an unauthorized party, where the
responsible party actually explicitly requested that such scans stopped.

You're trying to make a case that the second case is acceptable because
the first is?

You're showing yourself as being unable to argue your way out of a paper
bag.

> Your idea of operations seems simple because you have the black and white
> barrier, there is no gray for you.

The hell you say.

> Some of us actually have a larger userbase and very small budgets. 

Your budget is a choice.  Maybe not your choice personally, but a choice
by someone, regardless.  Choices have consequences.  Maybe not immediately,
but eventually.  The ability to see (and ideally, to harness) the long-term
effect of your choices is generally what differentiates most of the
successful companies that I've seen.

> Now I'll say that the company I work for
> goes after network abusers vigorously. To say that port scanners are
> miscreants and abusers is your view.

Hm.  Well, even dodgy providers like SAVVIS recognize port scanning as
a problem:

http://www9.savvis.net/corp/Acceptable%20Use%20Policy

Section B subsection 2:

"including any activity that typically precedes attempts to breach 
security such as scanning, probing, or other testing or vulnerability 
assessment activity,"

So, um, who exactly is it that you work for, I'd love to check out their
AUP (tfic).

> I think everyone wants to stop botnets and exploits from spreading but
> Joe, people don't have to answer to you just because you feel that you are
> privileged because you have a role in the internet. 

You seem to be attributing to me something I didn't say.

> Scanning and attacks
> are two different things and I hope you realize this. 

One could reasonably say that one is a lesser form of the second.  When
someone is doing something that is clearly and unambiguously "casing the
joint," and isn't authorized to be doing so, that could reasonably be
construed as an attack.  From afar, you have no way to determine whether
or not your unauthorized traffic has the potential for costing my site
more (maybe I'm on the far end of a really expensive circuit), or maybe
interfering with normal operations (overloading syslog reporting due to
heavy firewall rejections), etc.  You have no idea what effect scanning
has on a remote machine, and if you have no business doing it, assuming
that it can't be perceived as an attack and that it won't cause problems 
is naive.

> If a host on my
> network is attacking a host on yours I'm sure we will work to stop it
> quickly. If you demand that I turn over the person who scanned you last
> night at 12:52 am I may ignore you.

Of course, neither I nor the original poster made any such demand.  The
original poster simply wanted Covad to "make it stop," which would seem
to be a fairly reasonable request.

> I wish you the best of luck against your crusade against the evil of port
> scanning.

Since it's "okay" to do that, why don't you post your employer's IP ranges
along with an official invitation for NANOG'ers to scan those ranges?

Geez.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list