nanog mailing list archives
Dynamic IP log retention = 0?
From: Brett Charbeneau <brett () wrl org>
Date: Wed, 11 Mar 2009 09:34:18 -0400 (EDT)
I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets. I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents. The operator advised that I block the specific IPs that are attacking us at my perimeter. When I mentioned the fact that blocking individual addresses will only be as effective as the length of lease for that DHCP pool I get the email equivalent of a shrug.
"Well, maybe you want to ban our entire /15 at your perimeter..." I'm reluctant to ban over 65,000 hosts as my staff have colleagues all over the continental US with whom they communicate regularly.
I realize these are tough times and that large ISPs may trim abuse team budgets before other things, but to have NO MECHANISM to audit who has what address at any given time kinda blows my mind. Does one have to get to the level of a subpoena before abuse teams pull out the tools they need to make such a determination? Or am I naive enough to think port scans are as important to them as they are to me on the receiving end?
--
********************************************************************
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett () wrl org
********************************************************************