[unisog] another round of bogus DMCA notices

Stephen C Woods scw at seas.ucla.edu
Wed Nov 8 21:00:30 GMT 2006


  As a general case you should keep a list of IP + mac + last time this
combo was seen:

128.97.2.99 00:0d:56:12:4e:6e 200611081211  YYYYMMDDHHmm
128.97.2.99 00:14:38:9f:dc:41 200607101207

    Note: gathering IP/MAC pairs (sort -u is useful here)
and processing them hourly is probably sufficient.   It helps to have
a single router, otherwise you need to do some 'clever' filtering.
<scw>



On Wed, Nov 08, 2006 at 03:57:23PM -0500, George C. Russ wrote:
> arp cache on routers will tell you. keep a history. cattools.
> 
> George
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Dave Dittrich
> Sent: Tuesday, October 31, 2006 12:07 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] another round of bogus DMCA notices
> 
> Michael Holstein wrote:
> > I know this has happened several times in the past, but today I got a 
> > round of DMCA notices for non-existent IP addresses.
> > 
> > Is anybody saving these and their supporting evidence (that they're
> bogus)?
> 
> What do you mean by "bogus" or "non-existent?"  If the IP addresses
> are valid within your netblocks, but are just not active at the time
> you look (or you are just doing "ping IP-ADDRESS" to verify), I
> would assume some clever miscreant has simply decided to start
> doing short-lived IP aliasing, firewalling, or something else
> designed to make verification of piracy harder.  You may have
> to start logging traffic across your border to verify the claim.
> 
> -- 
> Dave Dittrich                          Information Assurance Researcher,
> dittrich at u.washington.edu              The iSchool
> http://staff.washington.edu/dittrich   University of Washington
> 
> PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
> Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
> 

-- 
-----
Stephen C. Woods; UCLA SEASnet; 2567 Boelter hall; LA CA 90095; (310)-825-8614
Unless otherwise noted these statements are my own, Not those of the 
University of California.                      Internet mail:scw at seas.ucla.edu
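
The IP + MAC + last-seen list described in this message, as an added example that is not part of the original post: each hourly ARP snapshot is merged into a history file, and an IP named in a notice is then looked up in that history. The function names, the "IP MAC" snapshot format and the 128.97.2.50 row are assumptions made for the example.

```shell
#!/bin/sh
# Added example: keep "IP MAC last-seen" records from hourly ARP snapshots.
# Assumed snapshot format: one "IP MAC" pair per line, already extracted
# from the router's ARP table output.

# merge_arp_history HISTORY SNAPSHOT STAMP
# Prints the updated history (IP MAC YYYYMMDDHHmm) on stdout.
merge_arp_history() {
    hist=$1; snap=$2; stamp=$3
    {
        # Existing records keep the timestamp they were stored with.
        if [ -f "$hist" ]; then cat "$hist"; fi
        # New observations: lowercase the MAC, dedupe, tag with this run's stamp.
        tr 'A-F' 'a-f' < "$snap" | awk 'NF >= 2 { print $1, $2 }' |
            LC_ALL=C sort -u | awk -v ts="$stamp" '{ print $1, $2, ts }'
    } | awk '
        # Keep only the newest timestamp for each IP+MAC combination.
        { key = $1 " " $2; if (!(key in last) || $3 > last[key]) last[key] = $3 }
        END { for (k in last) print k, last[k] }
    ' | LC_ALL=C sort -k1,1 -k3,3r
}

# seen_macs HISTORY IP
# Prints "last-seen MAC" for every MAC recorded for IP, newest first.
# No output means the address never appeared in any collected snapshot.
seen_macs() {
    awk -v ip="$2" '$1 == ip { print $3, $2 }' "$1" | LC_ALL=C sort -r
}

# Constructed sample run. The 128.97.2.99 rows are the ones quoted in the
# post; the 128.97.2.50 row is made up for the example.
tmp=$(mktemp -d)
printf '%s\n' '128.97.2.99 00:14:38:9f:dc:41 200607101207' > "$tmp/history"
printf '%s\n' '128.97.2.99 00:0D:56:12:4E:6E' \
              '128.97.2.99 00:0d:56:12:4e:6e' \
              '128.97.2.50 00:11:22:33:44:55' > "$tmp/arp.now"
merge_arp_history "$tmp/history" "$tmp/arp.now" 200611081211 > "$tmp/history.new"
mv "$tmp/history.new" "$tmp/history"
seen_macs "$tmp/history" 128.97.2.99
rm -rf "$tmp"
```

Because only the last-seen time is stored, the history shows which MACs have ever held an address and when each was last observed, not the full interval during which a MAC held it.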
