How did a simple thread about network scanning get so derailed....we have people talking about the legal implications of port scanning, hiring lawyers to go after ISPs, talking to the fbi, the benefits/downfalls of NAT as a security policy, etc. Wow just wow. I'll try to answer you in a more common sense approach as some have tried to do. First of all no network operator has to hand over their logs or user information over to you just because you want to know. You can ask their abuse department to intervene but that is all up to that department. They may have told you they don't have them just because they didn't want you pestering them anymore or they may really not have them, who knows. Don't try to judge them but try to fix this very minute problem in a way you can control. The ways you can control this are simple. 1) Block all of covad (not very smart) 2) Block all of covad except for essential ports (25,80,443 or whatever other common ports they may need) 3) Setup a perimeter protection that blocks hosts that are scanning you and removes them after a determined amount of time This trying to shun people in public because they aren't following your guide to network administration probably isn't going to work very well for you. If 65000 covad addresses were ddosing you then I would agree that you have a legitimate gripe but focus on what you can control and not what you believe others should be doing. -- Ross ross [at] dillio.net
I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets. I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents. The operator advised that I block the specific IP's that are attacking us at my perimeter. When I mentioned the fact that blocking individual addresses will only be as effective as the length of lease for that DHCP pool I get the email equivalent of a shrug. "Well, maybe you want to ban our entire /15 at your perimeter..." I'm reluctant to ban over 65,000 hosts as my staff have colleagues all over the continental US with whom they communicate regularly. I realize these are tough times and that large ISP's may trim abuse team budgets before other things, but to have NO MECHANISM to audit who has what address at any given time kinda blows my mind. Does one have to get to the level of a subpoena before abuse teams pull out the tools they need to make such a determination? Or am I naive enough to think port scans are as important to them as they are to me on the receiving end?
-- ******************************************************************** Brett Charbeneau, GSEC Gold, GCIH Gold Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ********************************************************************