What Kind Of Logs Should ISPs Keep?
Effugas asks: "An engineer at a rather large ISP recently asked me a rather simple question that I didn't have a particularly good answer for: What logs should they be storing? He wasn't asking about the simple question of whether their own servers should be watched closely--that's obvious. He was asking about his routing infrastructure. I told him they of course mustn't record the actual data being routed through their network; however, endpoint to endpoint route logs (since the establishment of those routes is the ISP's raison d'etre) did seem viable. But now, I'm not so sure--if there's one thing we learned from Kenneth Starr's subpoena of Lewinsky's book purchase records, it's that Barnes and Noble stored such records in the first place! But on the flip side, I've certainly had friends be harassed and threatened online, and turning a blind eye to everything but attacks directly against the network doesn't seem right either. So I ask, without passing judgement in either direction: What options does a network administrator have for retaining forensic evidence in case of abuse, which ones are ethically justified, and what are the actual router configurations which implement such ethical systems?"
To help keep their logs dry, they should purchase a log rack, or simply arrange the logs on top of a makeshift support system so that the logs do not directly contact the ground.
Moist logs tend to attract bugs and decompose much faster.
Logging in this country has gone way too far and is an abuse that cannot be permitted to progress any further. Not only does abuse of this cost many of us what they view as their birthright, but it also scares the hell out of those who haven't lost anything due to it yet. Sure, there are definitely some political and corporate interests who benefit by letting this sort of thing run rampant, but can we really afford it? And who's this world for, anyway -- the corporations or the people?
:)
And when this does spiral out of control, efforts to redress the wrongs that have been committed, no matter how good-intentioned or extensive, will never fully wipe out the harm that has been caused within the lifetimes of those who have really been hurt most. Once you go too far, you can never truly come back.
So I would definitely urge keeping logging to an absolute minimum if you can't eliminate it entirely. If you can't really appreciate the wisdom of not logging, I strongly urge you to take a hike.
And then, after you come back from your tromp through tree-lined trails, to reconsider.
Personally, I would encrypt them all using public-private key crypto. The "public" key is what is used to feed the data into syslog, and the private key can be used to decrypt it if you need it. If your systems are physically or otherwise compromised, the attacker still cannot derive the private key as long as you maintain due diligence in maintaining the security of the logging host(s). This means you can log everything to your heart's content and not worry about privacy concerns, as much. Just make sure to put the standard disclaimers in your AUP.
I suspect, however, that wasn't quite the answer you were looking for. Honestly, in order to compromise most people's privacy requires an ungodly large hard drive to store all that information. Simply monitoring a T1 with a packet sniffer doing decent filtering can easily trash a fast 30GB HDD. The security industry is replete with stories of how crackers were caught because their packet sniffers went amok trying to log everything, and crashed the system trying.
I'd recommend logging the source and destination of mail, and when it was retrieved. If you are using RADIUS servers, log the times they signed on and off, and keep the system clock religiously on-time. Have the facilities to monitor each user (i.e., be familiar with how to use a packet sniffer, and have a box on standby if you need to use it). A quick cheat would be to configure the RADIUS server to tell $SUSPECT connection to only use $MONITORED_IP and then tell the packet sniffer to dump everything from $MONITORED_IP to disk. It's simple, but it works.
As far as advice on law enforcement... it depends on your situation. If you have been compromised, it still may do you more harm than good to report it due to the administrative overhead involved in prosecuting them. Generally, however, they are quite helpful on getting you the information you need to prosecute. Don't expect them to get too involved though unless your SMTP logs say that a message was sent from l335h4x0r@yourisp.com to president@whitehouse.gov with a subject line mentioning what he's going to do with a box of cigars and a can of surgical lubricant. In that case, you probably won't have any choice but to cooperate. :)
Hope this helps,
Assume they log everything, for purposes of guaranteeing your own privacy.
Assume they log nothing, for purposes of maintaining your own documentation.
Because the fact is, they probably don't log what you need them to log, and log all sorts of crap you wouldn't want them to.
What they should log, IMHO, is everything they can, but only keep it for a couple of weeks.
Having made use of everything from error logs to snooped IRC traffic to bust intruders on my systems, I recognize both the value of such logs, and the potential for abuse.
--
What options does a network administrator have for retaining forensic evidence in case of abuse
This also ties into the carnivore question about faked emails. I've gotten some harassing emails and considered forwarding them back to the sys admin of the jerk in question. However, realistically, I could send anything I wanted with FWD in the title, and without digital signatures, they wouldn't know if I was forwarding a real email or not. But what kind of logs could they keep that they could confirm the authenticity of a message without invading the privacy of the user?
Now, bearing in mind that I don't do this for a living, wouldn't it be possible to set up a logging program that ran a metric on each message that came through, based on date, to and from and message content, that could not be reversed to actually produce that data, but would have an astronomically improbable chance of being reproduced by a fake message?
That way, the logs kept, just looking at them (even by the ISP) would tell them nothing but how many messages had gone to and fro from the whole ISP. But if someone came to them with an "incriminating" or "harassing" email they could (at their discretion or under warrant) confirm the authenticity of that message actually having been sent by their service. If each ISP used their own metrics and kept them private, it would be very difficult for anyone to fake email evidence. This would be useful for both law enforcement/people being harassed and the innocent but framed.
So, is this kind of log possible, and would it satisfy privacy advocates, since you couldn't even tell "how often and when used" for any given user?
-Kahuna Burger
...will work for Chick tracts...
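The one-way "metric" Kahuna Burger describes, as an added example that is not from the thread: a keyed HMAC over the date, sender, recipient and body, with the key held privately by the ISP so that nobody without it can invert an entry or test a guessed message against the log. The key, addresses and messages are constructed placeholders.

```python
import hmac
import hashlib
from typing import List

def canonical(date: str, sender: str, recipient: str, body: str) -> bytes:
    """Fixed byte encoding of the fields the metric covers.  Normalising
    addresses to lower case and stripping surrounding whitespace keeps a
    benign reformatting in transit from breaking a later match."""
    fields = [date.strip(), sender.strip().lower(),
              recipient.strip().lower(), body.strip()]
    return b"\x00".join(f.encode("utf-8") for f in fields)

def fingerprint(key: bytes, date: str, sender: str, recipient: str,
                body: str) -> str:
    """The per-message metric: HMAC-SHA256 under the ISP's private key.
    Without the key, staff reading the log learn only how many messages
    passed, and an outsider cannot brute-force guessed contents."""
    return hmac.new(key, canonical(date, sender, recipient, body),
                    hashlib.sha256).hexdigest()

def confirm(key: bytes, log: List[str], date: str, sender: str,
            recipient: str, body: str) -> bool:
    """Did a message with exactly these fields pass through the relay?"""
    fp = fingerprint(key, date, sender, recipient, body)
    return any(hmac.compare_digest(fp, entry) for entry in log)

# Constructed sample: the key is a placeholder, the messages are invented.
ISP_KEY = b"hypothetical-isp-secret-key-keep-offline"
SENT = [
    ("Sat, 17 Jun 2000 14:02:11 -0500", "alice@example.com",
     "bob@example.org", "Lunch tomorrow?"),
    ("Sat, 17 Jun 2000 14:05:40 -0500", "troll@example.com",
     "kahuna@example.org", "You will regret posting that."),
]
LOG = [fingerprint(ISP_KEY, *m) for m in SENT]  # all the ISP retains

def demo() -> tuple:
    """(genuine complaint matches, doctored body does not, reformatting ok)"""
    real = confirm(ISP_KEY, LOG, *SENT[1])
    forged = confirm(ISP_KEY, LOG, SENT[1][0], SENT[1][1], SENT[1][2],
                     "You will regret posting that. I know where you live.")
    reformatted = confirm(ISP_KEY, LOG, SENT[0][0], "Alice@Example.com ",
                          SENT[0][2], "Lunch tomorrow?\n")
    return real, forged, reformatted
```

The fingerprint covers the message as the relay saw it, so anything a later hop rewrites (added footers, re-wrapped lines) has to be normalised away in canonical() or the genuine message will fail to match.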
The new Regulation of Investigatory Powers bill is due to be passed in the UK soon, which means that on request (i.e. a warrant issued by the Secretary of State is produced), an ISP must be able to intercept all traffic that a particular customer sends or receives. If you haven't got such a warrant when you intercept traffic coming from or destined to a UK citizen, then you are in breach of the Interception of Communications Act, and so you shouldn't be doing any logging at all.
To be honest, I don't think the harm is in the logging - it's what is done with the logs. Disclosure to third parties is definitely illegal and unethical, but the use of this sort of data within an organisation can also be dubious. How much would your marketing department like to know about the 'real' (read 'secret') interests of all of your customers?
I say you guys have got it pretty easy in the US, but at least we're now getting clear legislation (even if it is b0rked) saying what we can and can't do over here in the UK. To easily answer this question in the UK though, does require a few hours with a copy of the Data Protection Act, the Interception of Communications Act and the Regulation of Investigatory Powers bill. Even then, you're probably wrong.
As far as what we do is concerned (as an ISP) - we log enough for billing, and we have some machines running an IDS in promisc. mode to pick up scans, viruses, etc. going across the network. Apart from that, it's all pretty standard syslog-out-of-the-box.
--
Naturally, my ISP keeps logs for that traffic (Inktomi boasts that its Traffic Server can write many different log formats), in part to deal with abuse.
As you might also expect, the privacy policy does not directly cover these logs. It makes promises about some very specific types of information, but does not make any general statements that obviously pertain to types of information not covered in the enumerated, specific types. Result: I think most lawyers would say my ISP could sell access to DoubleClick, the FBI, or anyone else.
Checking your system
So are you using a proxy, but don't know it? You can check pretty quickly (though I should warn you, while a positive/proxy result is conclusive, a negative/no-proxy result may be a result of the proxy configuration, as the systems can be set up to bypass the proxy for certain sites, or to only use the proxy for certain sites, etc.).
Step 1: what's your address?
Check your current address for whatever network adapter (ethernet card, PPP/dialup device, etc.). In Unix or Linux, something like '/sbin/ifconfig eth0' will do; in Windows 9x, run 'winipcfg'; in Windows NT, 'ipconfig'.
Step 2: what address do web sites see?
Go to a URL that will show you the environment variables passed to CGI scripts, like http://www.cgihost.com/cgi-bin/env.cgi or http://www.ualberta.ca/htbin/dumpenv.pl . Look at REMOTE_ADDR. Reload several times. Does it change? You might see some other proxy-specific variables like HTTP_CLIENT_IP and HTTP_VIA, depending on the proxy server's configuration.
Step 3: interpreting the results
If you ever see a REMOTE_ADDR value in Step 2 that doesn't match the local address from Step 1, yet you don't have a Manual or Automatic proxy configured in your browser, then congratulations, you're behind a transparent proxy, and should assume that all your Web traffic is being logged.
http:// vs https://
For regular HTTP, there's a lot they can conceivably record. The URL. Your cookies. Where you came from. Etc. For https:// it's a bit better. All they can do is record where you connected to, and when. Even this information might be deemed valuable, e.g., someone frequently connecting to many banking sites probably isn't eligible for low income tax credits. https:// is somewhat like encrypting your email: they can't tell what you're doing, but they can tell who you're contacting.
I've complained via email a few times, and received a couple polite emails from the technical staff. But nothing has changed in the official policy, so my ISP is still free to share my complete Web usage history with whomever they wish. Highest bidder? Most pushy government agency? I can't say.
-Peter
Maybe some of you have not worked at an ISP, but ISP's keeping logs is very important, if only to combat SPAM and other forms of abuse.
These logs should include:
* RADIUS logs - username, port, and time (Caller ID or NPA-NXX info if you can get it), and IP assignment.
* SMTP logs - SMTP ID. Actual copies of emails would require more space than is available to any ISP.
* NNTP logs - again ID information only (NNTP post ID, date, time, etc).
* Accounting logs as relevant to specific devices - for instance, shell and web servers which allow for telnet/ssh access, ftp servers, etc. This is not spying, this is good system administration.
* DNS - knowing about those lame delegations is a big help. Especially when your customers routinely register domain names with your name servers as authoritative but fail to alert you!
* Most important, accounting logs for root level commands as executed by the system's administrators. This can be a sore spot with some admins, but logging into a machine as root or su'ing immediately to root after login does not present accurate data as to what the admins are doing on a box. Using sudo or one of the other packages and maintaining an adherence policy to its use should be expected. (Yes, yes, there are ways around it...)
Most of these things are standard practices for any of you who have worked for an ISP. I could care less what people were doing online unless they were violating our TOS/AUP and generated complaints. At that point, we needed to know who was doing what in order to fulfill our contractual obligations to all of our customers.
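The RADIUS correlation that this post and the earlier reply both call for (username, port, time and IP assignment; sign-on and sign-off times; a clock kept accurate), as an added example that is not from the thread: pair START/STOP accounting records into sessions and answer "who had this IP at this time?" for an abuse complaint. The records are constructed in a simplified format rather than any real RADIUS server's output, and the clock-drift tolerance `skew` is an assumption.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed sample accounting records (a simplified format, not any real
# RADIUS server's output): UTC timestamp, event, then key=value fields.
RADIUS_LOG = """\
2000-06-14T01:58:02Z START user=alice port=7 ip=10.0.5.17
2000-06-14T02:00:40Z STOP  user=alice port=7 ip=10.0.5.17
2000-06-14T02:01:11Z START user=bob   port=7 ip=10.0.5.17
2000-06-14T02:03:00Z START user=carol port=9 ip=10.0.5.22
2000-06-14T02:45:03Z STOP  user=bob   port=7 ip=10.0.5.17
"""

# stop is None when no STOP record has arrived yet (user still online).
Session = namedtuple("Session", "user port ip start stop")

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sessions(text: str) -> List[Session]:
    """Pair START/STOP records by (port, ip) into sessions."""
    pending, sessions = {}, []
    for line in filter(None, text.splitlines()):
        ts, event, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        key = (f["port"], f["ip"])
        if event == "START":
            pending[key] = (f["user"], parse_ts(ts))
        elif event == "STOP" and key in pending:
            user, start = pending.pop(key)
            sessions.append(Session(user, *key, start, parse_ts(ts)))
    sessions += [Session(u, *k, t, None) for k, (u, t) in pending.items()]
    return sessions

def who_had(sessions: List[Session], ip: str, when: datetime,
            skew: timedelta = timedelta(minutes=2)) -> List[str]:
    """Users whose session on `ip` covered `when`; `skew` widens the window
    for clock drift between complainant and ISP.  More than one name means
    the evidence is ambiguous, which is why the clock must be kept accurate."""
    hits = set()
    for s in sessions:
        if s.ip != ip or when < s.start - skew:
            continue
        if s.stop is not None and when > s.stop + skew:
            continue
        hits.add(s.user)
    return sorted(hits)

SESSIONS = parse_sessions(RADIUS_LOG)
```

A complaint timestamped near a port's hand-off (here 02:01 on 10.0.5.17) returns both alice and bob at the default tolerance and nobody at zero tolerance, which is exactly the gap an inaccurate clock turns into a wrong accusation.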