Educause Security Discussion mailing list archives

Re: HEOA Question


From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Mon, 31 Jan 2011 11:57:40 -0500

I rescind my prior (mis)statement about the port number.  It is included
on more recent ones.  It is the destination IP that is not included.
The port is just sometimes hard for me to correlate well.  Also, recently
I've gotten time stamps that were a day in the future even when I adjusted
for time zones. Not sure where my brain was... earlier.  Thanks for the
corrections.

D/C
The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
In the past, we have seen some notices without port numbers.  If they
happened to be on a NATted segment of the network I simply replied, at
the direction of the campus network support, that we needed a port number
to proceed.  I don't think we got any of those returned for further
consideration but subsequent takedown notices had the necessary
information.  I scanned, this morning, my outstanding notices and all of
them I looked at had the port information.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cal Frye
Sent: Monday, January 31, 2011 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HEOA Question

On 1/31/11 10:39 AM, Dexter Caldwell wrote:
This is a very difficult problem for a few reasons:

The DMCA notices themselves include only source host on your network, 
time stamp and sometimes a protocol and filename.  I don't think I 
ever see the destination, and certainly not the port or session number 
you'd need to decipher the NAT logs.

Not a destination address, no, but almost all of the ones I've seen
recently do have a client port listed. We don't NAT, so I'm not certain
this is the public-IP port visible on the connection or the private-IP
port as reported by the P2P client, but it's there.

I checked notices we received from MediaSentry, BayTSP, ESA, PeerMedia,
and the RIAA...all list a port, address, protocol, filename, and
timestamp.

--
Best regards
-- Cal Frye, Network Administrator, Oberlin College
  Mudd Library, x.56930 -- CIT will NEVER ask you for your password!

  www.calfrye.com,  www.oberlin.edu/cit/

"Support the troops. . . . But don't force them to fight an immoral
fight. That's like swearing allegiance to a gun without caring where it's
aimed." -- Steven Weber.
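
The NAT-log lookup this thread turns on, as an added example that is not part of the original messages: given a notice's public address, timestamp and (optionally) port, find which inside host held a matching translation. The record layout, function names, addresses and the five-minute skew window are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

class NatSession(NamedTuple):  # hypothetical log record layout
    start: datetime
    end: datetime
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int

def utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp carrying a UTC offset and normalize to UTC."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def _s(start, end, priv, pport, pubport, pub="192.0.2.10", day="2011-01-30"):
    mk = lambda hhmm: utc(f"{day}T{hhmm}:00+00:00")
    return NatSession(mk(start), mk(end), priv, pport, pub, pubport)

# Constructed sample log: four inside hosts behind one public address.
NAT_LOG = [
    _s("21:58", "22:20", "10.20.1.15", 51413, 40211),
    _s("22:00", "22:30", "10.20.1.77", 6881, 40212),
    _s("23:10", "23:40", "10.20.2.9", 51413, 40390),
    _s("22:05", "22:15", "10.20.3.3", 6881, 41000),
]

def candidates(public_ip, when, port=None, skew=timedelta(minutes=5), log=NAT_LOG):
    """Inside hosts whose translations fit the notice (sorted, de-duplicated)."""
    t = utc(when)
    hits = set()
    for s in log:
        if s.public_ip != public_ip or not (s.start - skew <= t <= s.end + skew):
            continue
        # The notice may carry the translated port or the port the P2P client
        # itself reported (the private one), so accept a match on either.
        if port is not None and port not in (s.public_port, s.private_port):
            continue
        hits.add(s.private_ip)
    return sorted(hits)

def attribute(public_ip, when, port=None) -> Optional[str]:
    """Name a host only when exactly one candidate remains; otherwise None."""
    hits = candidates(public_ip, when, port)
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    notice_time = "2011-01-30T17:05:00-05:00"  # constructed notice, 22:05 UTC
    print(candidates("192.0.2.10", notice_time))
    print(attribute("192.0.2.10", notice_time, 40212))
```

With no port the lookup leaves three hosts, and a client-reported port of 6881 still leaves two, so `attribute` declines to name anyone in either case. A timestamp a day off matches no session at all.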



