Brett Charbeneau wrote:
> I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets.
Port scanning is rather common, and shouldn't be considered "attacking" -- unless it's taking a significant amount of bandwidth. The latter is a Denial of Service (DoS) attack, and should be reported as such. I understand that a library might have limited bandwidth. Often port scanning is followed by an actual attack, ssh attempts, etc. That's what should be reported.
> ... I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents.
Now that's just odd, and probably the "operator" at Covad simply doesn't have access to the logs. DHCP should be logged. In my experience, the usual practice is to keep the logs for 3 days, or until the log files roll over.
> Does one have to get to the level of a subpoena before abuse teams pull out the tools they need to make such a determination? Or am I naive enough to think port scans are as important to them as they are to me on the receiving end?
While I applaud your taking security seriously, and your active monitoring of your resources, other folks might be handling huge numbers of Conficker, Mebroot, and Torpig infections these days. So, they might be rather busy. Are your library systems all clean? You don't seem to have your own ARIN allocation for wrl.org, so it's kinda hard to tell from here....

AS   | IP            | AS Name
4565 | 66.200.204.71 | MEGAPATH2-US - MegaPath Networks Inc.
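The lookup the reply says an abuse desk should be able to make, correlating a reported address and timestamp against retained DHCP logs, as an added example that is not code from the thread. It assumes ISC dhcpd syslog lines, a 12-hour maximum lease, and constructed sample log data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of ISC dhcpd syslog lines, not log data from the thread;
# the addresses are from the documentation range, not those discussed above.
SAMPLE_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd: DHCPACK on 192.0.2.71 to 00:11:22:33:44:55 via eth0
Mar  3 12:30:45 dhcp1 dhcpd: DHCPRELEASE of 192.0.2.71 from 00:11:22:33:44:55 via eth0
Mar  3 13:05:02 dhcp1 dhcpd: DHCPACK on 192.0.2.71 to aa:bb:cc:dd:ee:ff via eth0
Mar  4 09:15:00 dhcp1 dhcpd: DHCPACK on 192.0.2.72 to 11:22:33:44:55:66 via eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"(?P<kind>DHCPACK|DHCPRELEASE) (?:on|of) (?P<ip>[\d.]+) (?:to|from) (?P<mac>[0-9a-f:]{17})"
)

def _parse_ts(ts, year):
    # syslog timestamps carry no year, so the caller supplies it
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def parse_events(log_text, year):
    """Return sorted (time, kind, ip, mac) tuples for lines that change a binding."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # DISCOVER/OFFER/REQUEST lines do not change who holds the address
            events.append((_parse_ts(m["ts"], year), m["kind"], m["ip"], m["mac"]))
    return sorted(events)

def lease_holder(log_text, ip, when, year, max_lease=timedelta(hours=12)):
    """Return the MAC that held `ip` at syslog-style time `when`, or None.
    None also covers an incident older than the oldest retained log line."""
    events = parse_events(log_text, year)
    at = _parse_ts(when, year)
    if not events or at < events[0][0]:
        return None  # outside the retention window, nothing to correlate
    holder = None
    for ts, kind, ev_ip, mac in events:
        if ts > at or ev_ip != ip:
            continue
        # the latest binding event at or before the incident decides
        if kind == "DHCPACK" and at - ts <= max_lease:
            holder = mac
        else:
            holder = None  # released, or the lease would have expired
    return holder
```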