Dynamic IP log retention = 0?

[Brett Charbeneau <brett () wrl org>]

	I've been nudging an operator at Covad about a handful of hosts from his 
DHCP pool that have been attacking - relentlessly port scanning - our assets. 
I've been informed by this individual that there's "no way" to determine which 
customer had that address at the times I list in my logs - even though these 
logs are sent within 48 hours of the incidents.
	The operator advised that I block the specific IP's that are attacking 
us at my perimeter. When I mentioned the fact that blocking individual addresses 
will only be as effective as the length of lease for that DHCP pool I get the 
email equivalent of a shrug.
        "Well, maybe you want to ban our entire /15 at your perimeter..."
        I'm reluctant to ban over 65,000 hosts as my staff have colleagues
all over the continental US with whom they communicate regularly.
	I realize these are tough times and that large ISP's may trim abuse team 
budgets before other things, but to have NO MECHANISM to audit who has what 
address at any given time kinda blows my mind.
	Does one have to get to the level of a subpoena before abuse teams pull 
out the tools they need to make such a determination? Or am I naive enough to 
think port scans are as important to them as they are to me on the receiving 
end?

--
********************************************************************
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044          www.wrl.org
(757)259-4079 (fax)    brett () wrl org
********************************************************************