Educause Security Discussion mailing list archives

Re: HEOA Question


From: "Jacobson, Dick" <dick.jacobson () NDUS EDU>
Date: Mon, 31 Jan 2011 11:27:13 -0800

We handle the time differentials similarly.
If the reported time does not show a connected user, and I can be assured that our server time is (and has been) 
accurate, and the network folks do not have anywhere else to check (netflow, other logs) then I will ask the reporting 
party to check their timestamps (and suggest they synch against one of the official time servers) since “I have no user 
connected to that IP number at that time.”

I have been through this a few times with our network people, and recheck every now and then so, while I can’t be 100%, 
I am fairly certain that our people are doing due diligence before saying they can’t find anyone.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dexter 
Caldwell
Sent: Monday, January 31, 2011 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HEOA Question

I rescind my prior (mis)statement about the port number.  It is included on more recent ones.  It is the destination 
IP that is not included.  The port is just sometimes hard for me to correlate well.  Also, recently I've gotten 
time stamps that were a day in the future even when I adjusted for time zones. Not sure where my brain was... earlier.  
Thanks for the corrections.

D/C
The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes:
In the past, we have seen some notices without port numbers.  If they happened to be on a NATted segment of the network 
I simply replied, at the direction of the campus network support, that we needed a port number to proceed.  I don't 
think we got any of those returned for further consideration but subsequent takedown notices had the necessary 
information.  I scanned, this morning, my outstanding notices and all of them I looked at had the port information.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cal Frye
Sent: Monday, January 31, 2011 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HEOA Question

On 1/31/11 10:39 AM, Dexter Caldwell wrote:
This is a very difficult problem for a few reasons:

The DMCA notices themselves include only source host on your network,
time stamp and sometimes a protocol and filename.  I don't think I
ever see the destination, and certainly not the port or session number
you'd need to decipher the NAT logs.

Not a destination address, no, but almost all of the ones I've seen recently do have a client port listed. We don't 
NAT, so I'm not certain this is the public-IP port visible on the connection or the private-IP port as reported by the 
P2P client, but it's there.

I checked notices we received from MediaSentry, BayTSP, ESA, PeerMedia, and the RIAA...all list a port, address, 
protocol, filename, and timestamp.

--
Best regards
-- Cal Frye, Network Administrator, Oberlin College
  Mudd Library, x.56930 -- CIT will NEVER ask you for your password!

  http://www.calfrye.com, http://www.oberlin.edu/cit/

"Support the troops. . . . But don't force them to fight an immoral fight. That's like swearing allegiance to a gun 
without caring where it's aimed." -- Steven Weber.
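
As an added illustration of the correlation discussed in this thread (not code from any list participant): matching a notice's public IP, port and timestamp against NAT translation records with a clock-skew tolerance. The log layout, addresses, tolerance and function names are constructed assumptions, and the notice's port is assumed to be the public-side (translated) port.

```python
from datetime import datetime, timedelta, timezone

# Constructed NAT translation records, times in UTC:
# (start, end, private_ip, private_port, public_ip, public_port)
NAT_LOG = [
    ("2011-01-31T15:58:10", "2011-01-31T16:20:00", "10.1.4.23", 51234, "192.0.2.10", 40001),
    ("2011-01-31T16:01:00", "2011-01-31T16:05:30", "10.1.7.88", 6881, "192.0.2.10", 40002),
    # Same public port reused later by another host: the timestamp still matters.
    ("2011-01-31T18:00:00", "2011-01-31T18:30:00", "10.1.9.5", 51234, "192.0.2.10", 40001),
]

def _utc(stamp):
    """Parse an ISO 8601 timestamp; values without an offset are treated as UTC."""
    t = datetime.fromisoformat(stamp)
    if t.tzinfo is None:
        t = t.replace(tzinfo=timezone.utc)
    return t.astimezone(timezone.utc)

def match_notice(public_ip, when, public_port=None,
                 skew=timedelta(minutes=2), log=NAT_LOG):
    """Return private (ip, port) pairs whose translation was live at `when` +/- skew."""
    t = _utc(when)
    hits = []
    for start, end, priv_ip, priv_port, pub_ip, pub_port in log:
        if pub_ip != public_ip:
            continue
        # A notice without a port can only be matched on address and time.
        if public_port is not None and pub_port != public_port:
            continue
        if _utc(start) - skew <= t <= _utc(end) + skew:
            hits.append((priv_ip, priv_port))
    return hits

def verdict(hits):
    """Turn a candidate list into the response a notice handler would give."""
    if not hits:
        return "no match: ask the reporter to verify the timestamp"
    if len(hits) > 1:
        return "ambiguous: port number needed to proceed"
    return "identified: %s:%d" % hits[0]

if __name__ == "__main__":
    # Constructed notice, reported in a UTC-6 local time (16:02 UTC).
    when = "2011-01-31T10:02:00-06:00"
    print(verdict(match_notice("192.0.2.10", when)))
    print(verdict(match_notice("192.0.2.10", when, 40001)))
    # Same notice with a timestamp one day in the future.
    print(verdict(match_notice("192.0.2.10", "2011-02-01T10:02:00-06:00", 40001)))
```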


