[unisog] Bogus DMCA complaints from ESA
kevin_amorin@harvard.edu
Tue May 9 00:12:15 GMT 2006
We use PacketFence on our network to track MAC/IP/User mappings.
PacketFence is a captive portal that registers MAC addresses to student ID
and keeps a log of ARP entries which you can query by timestamp. We also
cross-reference this data with QRadar/POP/IMAP/DHCP to further verify we
have the correct user.
Adding to the list, we also received a bogus DMCA complaint today.
Kevin Amorin, CISSP
Sr. Security & Network Engineer
KAmorin at Harvard.edu
JFK School of Government
Harvard University
unisog-bounces at lists.sans.org wrote on 05/08/2006 05:12:38 PM:
> On Mon, 08 May 2006 15:08:24 CDT, "Young, Beth A." said:
>
> > They were looking at alleged eDonkey trading but the IP they listed is
> > not in use anywhere on our network.
>
> When people are saying "the IP is not in use", what criteria are they
> using to verify it?
>
> If it's in an unrouted subnet, it's a no-brainer.
>
> If it's an address that isn't allocated on a live subnet, it gets more
> interesting. I've seen more than one piece of malware just pick an
> idle IP address, without asking the DHCP server or verifying that it's
> in the DNS or any of the other usual checks...
>
> We have netflow data and dumps of switch tables to show what ARP-IP
> mappings were in use - what do other people have?
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
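As an added illustration of the timestamp cross-check both posts describe (not PacketFence, QRadar or any other product's code): the ARP-log, DHCP-lease and registration records below are constructed sample data in an assumed "start end ip mac" format, and the verdict names are this example's own. It separates the "IP not in use" case from the case Valdis raises, an address seen on the wire that DHCP never handed out.

```python
from datetime import datetime

# Constructed ARP/switch-table log: first_seen last_seen ip mac (one line per entry).
ARP_LOG = """\
2006-05-06T08:00:00 2006-05-06T19:30:00 10.1.2.40 00:11:22:33:44:55
2006-05-06T19:50:00 2006-05-07T02:10:00 10.1.2.40 00:aa:bb:cc:dd:ee
2006-05-06T09:00:00 2006-05-07T01:00:00 10.1.2.77 00:de:ad:be:ef:01
"""

# Constructed DHCP lease log, same columns. Note that 10.1.2.77 was never leased.
DHCP_LOG = """\
2006-05-06T07:58:00 2006-05-06T19:58:00 10.1.2.40 00:11:22:33:44:55
2006-05-06T20:04:00 2006-05-07T08:04:00 10.1.2.40 00:aa:bb:cc:dd:ee
"""

# Constructed MAC -> user registrations, as a captive portal would record them.
REGISTRATIONS = {"00:11:22:33:44:55": "student_a", "00:aa:bb:cc:dd:ee": "student_b"}


def parse_intervals(text):
    """Parse 'start end ip mac' lines into (start, end, ip, mac) tuples."""
    rows = []
    for line in text.splitlines():
        start, end, ip, mac = line.split()
        rows.append((datetime.fromisoformat(start), datetime.fromisoformat(end), ip, mac))
    return rows


def macs_at(rows, ip, when):
    """Return the set of MACs recorded for `ip` whose interval covers `when`."""
    return {mac for start, end, row_ip, mac in rows if row_ip == ip and start <= when <= end}


def resolve_complaint(ip, when_iso, arp=ARP_LOG, dhcp=DHCP_LOG, reg=REGISTRATIONS):
    """Classify an IP at a complaint timestamp; returns (verdict, macs, users).

    not_in_use  -- no ARP evidence the IP was live, so the complaint can be rejected
    unleased    -- seen on the wire but never handed out by DHCP (the self-picked
                   idle-address case); investigate the MAC before naming anyone
    ambiguous   -- ARP and DHCP name different MACs; check clock skew and poll gaps
    identified  -- ARP and DHCP agree; users come from the registration table
    """
    when = datetime.fromisoformat(when_iso)
    arp_macs = macs_at(parse_intervals(arp), ip, when)
    dhcp_macs = macs_at(parse_intervals(dhcp), ip, when)
    if not arp_macs:
        return "not_in_use", set(), set()
    if not dhcp_macs:
        return "unleased", arp_macs, set()
    if arp_macs != dhcp_macs:
        return "ambiguous", arp_macs | dhcp_macs, set()
    return "identified", arp_macs, {reg.get(m, "unregistered") for m in arp_macs}
```

The complaint timestamp must be converted to the same clock as the logs before the lookup; a few minutes of skew is enough to move a query across a lease boundary.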