[112611] in North American Network Operators' Group


Dynamic IP log retention = 0?

daemon@ATHENA.MIT.EDU (Brett Charbeneau)
Wed Mar 11 09:34:34 2009

Date: Wed, 11 Mar 2009 09:34:18 -0400 (EDT)
From: Brett Charbeneau <brett@wrl.org>
To: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets. I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents.

The operator advised that I block the specific IPs that are attacking us at my perimeter. When I mentioned the fact that blocking individual addresses will only be as effective as the length of lease for that DHCP pool, I get the email equivalent of a shrug.

"Well, maybe you want to ban our entire /15 at your perimeter..."

I'm reluctant to ban over 65,000 hosts as my staff have colleagues all over the continental US with whom they communicate regularly.

I realize these are tough times and that large ISPs may trim abuse team budgets before other things, but to have NO MECHANISM to audit who has what address at any given time kinda blows my mind.

Does one have to get to the level of a subpoena before abuse teams pull out the tools they need to make such a determination? Or am I naive enough to think port scans are as important to them as they are to me on the receiving end?

-- 
********************************************************************
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044          www.wrl.org
(757)259-4079 (fax)    brett@wrl.org
********************************************************************
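The lookup the poster is asking the ISP for - "which client held this address at this time?" - is a straightforward correlation against the DHCP server's own log, provided the log is retained for at least the reporting window plus one lease length. The example below is added here and is not the poster's code or Covad's; it assumes ISC dhcpd's syslog line format (DHCPACK / DHCPRELEASE), a constructed set of log lines, an assumed log year of 2009 (syslog lines carry no year), an assumed 12-hour lease time, and incident timestamps already converted to the DHCP server's local time zone.

```python
"""Attribute an abuse report (IP + timestamp) to a DHCP client from dhcpd syslog.

Added example, not from the original post. The log lines below are constructed;
LOG_YEAR, LEASE_SECONDS and the same-timezone assumption are stated assumptions.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from typing import Optional

LOG_YEAR = 2009            # assumption: syslog timestamps have no year field
LEASE_SECONDS = 12 * 3600  # assumption: default-lease-time of the hypothetical pool

# Constructed sample lines in ISC dhcpd's syslog format (not a real log).
SAMPLE_LOG = """\
Mar 10 21:14:02 dhcp1 dhcpd: DHCPACK on 66.1.2.3 to 00:1a:2b:3c:4d:5e via eth1
Mar 11 03:05:17 dhcp1 dhcpd: DHCPACK on 66.1.2.3 to 00:1a:2b:3c:4d:5e via eth1
Mar 11 08:40:55 dhcp1 dhcpd: DHCPRELEASE of 66.1.2.3 from 00:1a:2b:3c:4d:5e via eth1 (found)
Mar 11 08:41:30 dhcp1 dhcpd: DHCPACK on 66.1.2.3 to 00:de:ad:be:ef:01 via eth1
Mar 11 09:00:00 dhcp1 dhcpd: DHCPACK on 66.1.2.9 to 00:aa:bb:cc:dd:ee via eth1
"""

_TS = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})"
ACK_RE = re.compile(_TS + r" \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})")
REL_RE = re.compile(_TS + r" \S+ dhcpd: DHCPRELEASE of (?P<ip>[\d.]+) from (?P<mac>[0-9a-f:]{17})")


def parse_ts(s: str) -> datetime:
    """Parse a syslog timestamp ("Mar  1 09:00:00"), collapsing the padded day."""
    return datetime.strptime(f"{LOG_YEAR} {' '.join(s.split())}", "%Y %b %d %H:%M:%S")


def parse_events(log: str) -> list[tuple[datetime, str, str, str]]:
    """Return (time, ip, kind, mac) tuples for ACK/RELEASE lines, sorted by time."""
    events = []
    for line in log.splitlines():
        if m := ACK_RE.match(line):
            events.append((parse_ts(m["ts"]), m["ip"], "ack", m["mac"]))
        elif m := REL_RE.match(line):
            events.append((parse_ts(m["ts"]), m["ip"], "release", m["mac"]))
    events.sort(key=lambda e: e[0])
    return events


def holder_at(events, ip: str, when: datetime, lease: int = LEASE_SECONDS) -> Optional[str]:
    """MAC that held `ip` at `when`, or None if the address was unassigned.

    The most recent DHCPACK at or before `when` wins, unless the client released
    the address before `when` or the lease ran out without a renewal (ACK).
    """
    holder: Optional[str] = None
    ack_time: Optional[datetime] = None
    for ts, eip, kind, mac in events:
        if ts > when:
            break                      # sorted: nothing later matters
        if eip != ip:
            continue
        if kind == "ack":
            holder, ack_time = mac, ts
        elif kind == "release" and mac == holder:
            holder, ack_time = None, None
    if holder is None or ack_time is None:
        return None
    if when - ack_time >= timedelta(seconds=lease):
        return None                    # expired and never renewed: address was free
    return holder


def attribute_incidents(log: str, incidents: list[tuple[str, str]]) -> dict[tuple[str, str], Optional[str]]:
    """Map each (ip, ISO-8601 local time) report to the MAC holding it, or None."""
    events = parse_events(log)
    return {(ip, t): holder_at(events, ip, datetime.fromisoformat(t)) for ip, t in incidents}


if __name__ == "__main__":
    reports = [("66.1.2.3", "2009-03-11T04:00:00"),   # during first client's lease
               ("66.1.2.3", "2009-03-11T08:41:00"),   # between release and re-assignment
               ("66.1.2.3", "2009-03-11T09:30:00"),   # second client
               ("66.1.2.9", "2009-03-11T22:00:00")]   # lease expired, never renewed
    for k, v in attribute_incidents(SAMPLE_LOG, reports).items():
        print(k, "->", v or "(unassigned)")
```

Two things the code makes concrete for the poster's argument: the retention the ISP needs is only the complaint window (48 hours here) plus one lease length, since any older ACK is irrelevant to a lookup; and the MAC is what the log yields, so the ISP still has to join it to a customer record, which is the step that actually requires the abuse team's tools.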


