Dynamic IP log retention = 0?

No, it's more comparable to the jerk who not only doesn't stay at home
with his cold, but actively walks around the workplace coughing and
sneezing without covering his mouth/nose with a kleenex, spraying people.

The reality is that it fails the "if everybody did this, would it be a
good thing" test. While some "B&D" is common sense on the receiving end,
this does not make it any more correct for the originating site to let it
keep happening. If every PC on the Internet (conservatively, let's
assume a billion devices that are sufficiently sophisticated that they
could be infected) were to send you a single packet per day, you'd be
seeing over 10,000pps. That should suggest that the behaviour is not
something to be encouraged.

My locking my doors does not mean it's okay for you to check if my door
is locked.

... JG

Just wondering but the knowledge I have of DHCP is that an IP address is
assigned to the same computer (or host) and will continue to do so until the
pool of IPs is exhausted. Once that occurs, a new request is parsed by
the DHCP server and the oldest non-renewed lease address is checked to see
if it is live. If no response occurs then the DHCP server assigns that IP
to the requesting host. It's much more efficient to write once and check
that than it is to write every time. This is done to save resources on the
DHCP server not much unlike the cache on a DNS server. Every look up does
not traverse the root servers and the auth server, only those that have
expired cached entries. Wouldn't it create a DOS against the DHCP server if
every host constantly required the server go through the aforementioned
process? It does within DNS. Change the expire to 2 and the ttl to 2 and
see what happens. This did happen for boxsports dot com (what rhymes with
box? not sure of the legalities around saying the name). An SA, while
troubleshooting, did just that and about 1 month later BOOM! crap hit the
fan. It appeared as though our DNS auth servers were being DOS'd but all
requests were legit. The entry was not cached.

That said, unless Covad is constantly exhausting its pool or they mandate
that after the lease expires to give a different IP a reverse lookup would
give you the hostname of the offender which should remain accurate for some
amount of time. No action on Covad's part constitutes legal action on your
part...
-Bobbyjim

OK. So you get hit by 129.257.34.98. You look up the PTR and get back
98.34.257.129.cable-pool-slash-12.covad.net.

What did you gain here? You knew it was in a Covad /12 before, and that's
all you know after, and Covad *still* isn't stopping their customer's bad
behavior. After all, you didn't *really* care that the IP was assigned to
a computer belonging to Herman Munster, 1313 Mockingbird Lane. What you
actually *wanted* was for somebody (preferably Covad) to hand Herman a clue.

Um.... Aren't dsl addresses handed out over ipcp? So perhaps a bit more static than dhcp?

Yeah. I miss the days that you could fix Covad problems by calling Brent,
or by sending the attacker a Ping of Death :)

In practice, of course, the chances are extremely high that
the attacker is a zombie pc whose owner is not aware
that it's infected, and they really need their ISP to
quarantine them somewhere until they can get it fixed.