[unisog] another round of bogus DMCA notices
Stephen John Smoogen
smooge at unm.edu
Tue Oct 31 17:48:50 GMT 2006
Michael Holstein wrote:
>> What do you mean by "bogus" or "non-existent?" If the IP addresses
>> are valid within your netblocks, but are just not active at the time
>> you look (or you are just doing "ping IP-ADDRESS" to verify, I
>> would assume some clever miscreant has simply decided to start
>> doing short-lived IP aliasing, firewalling, or something else
>> designed to make verification of piracy harder. You may have
>> to start logging traffic across your border to verify the claim.
> I do log all the traffic (pix doing debug logging + argus behind that).
> I also log all the DHCP traffic, and Ciscoworks polls the switches
> several times a day, all of which gets put into a database.
> On the day in question (as well as several before and after) I have no
> argus records of any successful connections in/out (just a few inbound
> TIM missses on ports that are open into that net but didn't find the
> host). I also don't have any traffic on the PIX, except for a bunch of
> UDP denies (which interestingly, do reflect eDonkey traffic -- the
> protocol specified in the complaint).
> Since I already know that Mediasentry (et.al) do not ever actually
> connect to the host to verify it's really presenting a copy of the
> purported pirate work -- they just scrape the directory -- I assume some
> clever person (maybe the same folks that seed bad files) is poisoning
> the directory with bad information.
A while ago I worked at an organization that was getting tons of DMCA
responses for networks they owned, but were darknets. Our network
engineers were helpful in showing that the data didn't originate from us
(we logged all packets leaving and entering the space). This however
didn't stop the deluge and the eventual lawyer notices, so the network
engineer went on a fishing expedition and found that an ISP in
California (I think) seemed to be accepting netroutes to dark-space.
Basically some pirate organization was feeding them RIP's saying that
you could get to 188.8.131.52/255.255.255.0 (and a ton of other places)
through this spot. They would then feed their cam-corded (or
direct-copied) first run movies out through this to the various p2p
networks. Only people on the ISP and peered networks could get to it,
but they would then relay the info out from there. It turned out that
the sentry company was also on a peered ISP and was able to scrape the data.
Stephen Smoogen -- ITS/Linux Administrator
MSC02 1520 1 University of New Mexico Albuquerque, NM 87131-0001
Phone: (505) 277-7343 Email: smooge at unm.edu
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
More information about the unisog