Educause Security Discussion mailing list archives
Re: HEOA Question
From: "Jacobson, Dick" <dick.jacobson () NDUS EDU>
Date: Mon, 31 Jan 2011 11:27:13 -0800
We handle the time differentials similarly. If the reported time does not show a connected user, and I can be assured that our server time is (and has been) accurate, and the network folks do not have anywhere else to check (netflow, other logs) then I will ask the reporting party to check their timestamps (and suggest they synch against one of the official time servers) since “I have no user connected to that IP number at that time.”

I have been through this a few times with our network people, and recheck every now and then so, while I can’t be 100%, I am fairly certain that our people are doing due diligence before saying they can’t find anyone.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dexter Caldwell
Sent: Monday, January 31, 2011 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HEOA Question

I rescind my prior (mis)statement about the port number. It is included on more recent ones. It is the destination IP that is not included. The port is just sometimes hard for me to correlate well. Also, recently I've gotten time stamps that were a day in the future even when I adjusted for time zones. Not sure where my brain was... earlier. Thanks for the corrections.

D/C

The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes:

In the past, we have seen some notices without port numbers. If they happened to be on a NATted segment of the network I simply replied, at the direction of the campus network support, that we needed a port number to proceed. I don't think we got any of those returned for further consideration but subsequent takedown notices had the necessary information. I scanned, this morning, my outstanding notices and all of them I looked at had the port information.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cal Frye
Sent: Monday, January 31, 2011 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HEOA Question

On 1/31/11 10:39 AM, Dexter Caldwell wrote:
This is a very difficult problem for a few reasons: The DMCA notices themselves include only source host on your network, time stamp and sometimes a protocol and filename. I don't think I ever see the destination, and certainly not the port or session number you'd need to decipher the NAT logs.
Not a destination address, no, but almost all of the ones I've seen recently do have a client port listed. We don't NAT, so I'm not certain this is the public-IP port visible on the connection or the private-IP port as reported by the P2P client, but it's there.

I checked notices we received from MediaSentry, BayTSP, ESA, PeerMedia, and the RIAA...all list a port, address, protocol, filename, and timestamp.

--
Best regards -- Cal Frye, Network Administrator, Oberlin College
Mudd Library, x.56930 -- CIT will NEVER ask you for your password!
www.calfrye.com, www.oberlin.edu/cit/

"Support the troops. . . . But don't force them to fight an immoral fight. That's like swearing allegiance to a gun without caring where it's aimed." -- Steven Weber.
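The correlation this thread describes (notice timestamp, public IP and client port checked against NAT records), as an added example that is not part of the thread or any poster's code. The log layout, addresses, status names and the two-minute skew tolerance are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed NAT translation records (hypothetical layout, times in UTC):
# (private_ip, public_ip, public_port, session_start, session_end)
NAT_LOG = [
    ("10.1.4.23", "192.0.2.10", 51234, "2011-01-30T18:00:05", "2011-01-30T18:42:10"),
    ("10.1.7.88", "192.0.2.10", 40022, "2011-01-30T18:10:00", "2011-01-30T19:05:00"),
    ("10.1.4.23", "192.0.2.10", 51234, "2011-01-31T09:00:00", "2011-01-31T09:30:00"),
]

def _utc(ts):
    """Parse ISO-8601; a value with no offset is treated as UTC."""
    dt = datetime.fromisoformat(ts)
    return dt.astimezone(timezone.utc) if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def correlate(public_ip, port, notice_ts, received_ts, skew=timedelta(minutes=2)):
    """Return (status, private IPs) for one notice; port may be None."""
    when = _utc(notice_ts)
    # A notice stamped later than its own arrival points at the sender's clock.
    if when > _utc(received_ts) + skew:
        return ("timestamp_in_future", [])
    hits = set()
    for priv, pub, pub_port, start, end in NAT_LOG:
        if pub != public_ip:
            continue
        if port is not None and pub_port != port:
            continue
        # Allow a small clock difference on either side of the session.
        if _utc(start) - skew <= when <= _utc(end) + skew:
            hits.add(priv)
    if not hits:
        return ("no_user_at_that_time", [])
    if len(hits) > 1:
        # Several hosts shared the public IP: the port is needed to decide.
        return ("ambiguous_need_port", sorted(hits))
    return ("match", sorted(hits))

if __name__ == "__main__":
    arrived = "2011-01-31T12:00:00+00:00"
    print(correlate("192.0.2.10", 51234, "2011-01-30T13:15:00-05:00", arrived))
    print(correlate("192.0.2.10", None, "2011-01-30T13:15:00-05:00", arrived))
```

Dropping the UTC offset from the same notice time (reading 13:15 as UTC) yields `no_user_at_that_time`, which is the case where asking the reporting party to recheck their timestamps applies.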