nanog mailing list archives

Re: Dynamic IP log retention = 0?


From: Neil <kngspook () gmail com>
Date: Sat, 14 Mar 2009 01:12:53 -0700

On Wed, Mar 11, 2009 at 6:34 AM, Brett Charbeneau <brett () wrl org> wrote:

> I've been nudging an operator at Covad about a handful of hosts from
> his DHCP pool that have been attacking - relentlessly port scanning - our
> assets. I've been informed by this individual that there's "no way" to
> determine which customer had that address at the times I list in my logs -
> even though these logs are sent within 48 hours of the incidents.
>
> The operator advised that I block the specific IPs that are
> attacking us at my perimeter. When I mentioned the fact that blocking
> individual addresses will only be as effective as the length of lease for
> that DHCP pool I get the email equivalent of a shrug.
>
> "Well, maybe you want to ban our entire /15 at your perimeter..."
>
> I'm reluctant to ban over 65,000 hosts as my staff have colleagues
> all over the continental US with whom they communicate regularly.
>
> I realize these are tough times and that large ISPs may trim abuse
> team budgets before other things, but to have NO MECHANISM to audit who has
> what address at any given time kinda blows my mind.
>
> Does one have to get to the level of a subpoena before abuse teams
> pull out the tools they need to make such a determination? Or am I naive
> enough to think port scans are as important to them as they are to me on the
> receiving end?


I think you are being a little naive.  Port scans, while possibly used for
malicious ends, can very often be benign.  I've port scanned netblocks for
such trivia as the IP of the printer which I forgot to scribble down.
(Naturally, this doesn't explain your situation of scanning from another
ISP, but you get the idea (I hope).)

As William pointed out, it's the things that follow that determine whether
someone's being bad.  To flag port-scans might be responsible, but I think
pursuing legal action over it would be the exact opposite.  Wait until
someone demonstrates true maliciousness before trying to punish them, rather
than bringing the heat merely because they've demonstrated the potential for
maliciousness.

This is almost akin to attacking someone because they're carrying a gun:
sure, the gun gives them the potential to do bad things, but it often enough
is innocent. (Political agendas aside...)
