[unisog] another round of bogus DMCA notices

David Lundy dlundy at pacific.edu
Thu Nov 9 00:21:44 GMT 2006


All:
     I've thought about collecting information from CiscoWorks to keep
track of our DHCP assignments to do historical tracking, but do not
have information on how to extract this information automatically on a
scheduled basis.  If someone else is doing scheduled data extraction
from CiscoWorks, I'd appreciate information on how you are doing this.

David Lundy


----
David Lundy
Acting IT Security Officer
University of the Pacific
Stockton, CA 95211
Email: dlundy at pacific.edu
Voice: 209-946-3951
Fax: 209-946-2898

>>> Stephen C Woods <scw at seas.ucla.edu> 11/08/06 1:00 PM >>>
  As a general case you should keep a list of IP + mac + last time this
combo was seen:

128.97.2.99 00:0d:56:12:4e:6e 200611081211  YYYYMMDDHHmm
128.97.2.99 00:14:38:9f:dc:41 200607101207

    Note: gathering IP/MAC pairs (sort -u is useful here)
and process them hourly is probably sufficient.   It helps to have
a single router, otherwise you need to do some 'clever' filtering.
<scw>



On Wed, Nov 08, 2006 at 03:57:23PM -0500, George C. Russ wrote:
> arp cache on routers will tell you. keep a history. cattools.
> 
> George
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org 
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Dave Dittrich
> Sent: Tuesday, October 31, 2006 12:07 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] another round of bogus DMCA notices
> 
> Michael Holstein wrote:
> > I know this has happened several times in the past, but today I got a
> > round of DMCA notices for non-existent IP addresses.
> > 
> > Is anybody saving these and their supporting evidence (that they're
> > bogus)?
> 
> What do you mean by "bogus" or "non-existent?"  If the IP addresses
> are valid within your netblocks, but are just not active at the time
> you look (or you are just doing "ping IP-ADDRESS" to verify), I
> would assume some clever miscreant has simply decided to start
> doing short-lived IP aliasing, firewalling, or something else
> designed to make verification of piracy harder.  You may have
> to start logging traffic across your border to verify the claim.
> 
> -- 
> Dave Dittrich                          Information Assurance Researcher,
> dittrich at u.washington.edu              The iSchool
> http://staff.washington.edu/dittrich   University of Washington
> 
> PGP key      http://staff.washington.edu/dittrich/pgpkey.txt 
> Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org 
> https://lists.sans.org/mailman/listinfo/unisog 
> 

-- 
-----
Stephen C. Woods; UCLA SEASnet; 2567 Boelter hall; LA CA 90095;
(310)-825-8614
Unless otherwise noted these statements are my own, Not those of the 
University of California.                      Internet
mail:scw at seas.ucla.edu 
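
The IP + MAC + last-seen history described in the thread, as an added example that is not part of the original messages. It assumes observations arrive one per line as "IP MAC YYYYMMDDHHmm" (for instance from an hourly ARP-cache pull); the function names, file layout and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed input: one observation per line,
# "IP MAC YYYYMMDDHHmm", e.g. produced hourly from a router's ARP cache.

# merge_history HISTORY NEW: fold new observations into the history file,
# keeping one line per IP+MAC pair with the newest time that pair was seen.
merge_history() {
    hist=$1; new=$2
    [ -f "$hist" ] || : > "$hist"
    tmp=$(mktemp) || return 1
    # Lower-case MACs so the same address in two notations is one pair, sort
    # newest-first within each pair, then keep only the first line per pair.
    cat "$hist" "$new" |
        awk 'NF == 3 { print $1, tolower($2), $3 }' |
        LC_ALL=C sort -k1,1 -k2,2 -k3,3r |
        awk '!seen[$1 " " $2]++' > "$tmp" && mv "$tmp" "$hist"
}

# macs_for_ip HISTORY IP: every MAC recorded for IP, most recently seen first.
macs_for_ip() {
    awk -v ip="$2" '$1 == ip { print $2, $3 }' "$1" | LC_ALL=C sort -k2,2r
}

# Demo on constructed data (documentation address range, made-up MACs).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/history" <<'EOF'
192.0.2.10 00:00:5e:00:53:01 200607101207
192.0.2.11 00:00:5e:00:53:02 200611080900
EOF
    cat > "$dir/new" <<'EOF'
192.0.2.10 00:00:5E:00:53:03 200611081211
192.0.2.11 00:00:5e:00:53:02 200611081300
192.0.2.11 00:00:5e:00:53:02 200611081200
EOF
    merge_history "$dir/history" "$dir/new" && cat "$dir/history"
    echo "--- 192.0.2.10"
    macs_for_ip "$dir/history" 192.0.2.10
    rm -rf "$dir"
}
demo
```

Because only the last time each pair was seen is stored, the history shows which MACs have held an address and when each was last active, not the start of each assignment.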