P2P copyright issue

[ronanian]

We've just received a legal-looking complaint about a student sharing copyrighted content illegally via BitTorrent. I have a few concerns about our legal responsibility, what kind of Pandora's box we open with each possible response/action we take, and standing up for our students.

The complaint came from our ISP (and said they received a complaint but did not identify the complainer) and was only able to identify our outbound IP address on our student network, which is of course shared by all the students.

How have other college/university network administrators dealt with this problem?
How do you find the IP address on your private network that's sharing a specific file? If I use the BitTorrent tracker for the file in question I can easily find our internet-facing IP address but of course I already know that address...

[bossman]

Do you have a proxy server which the student network has to go through?
How do you have the firewall configured?

Do you allow all outbound ports on your firewall or are they directed through port 80?

If you allow all outbound ports then then the student who has been using BitTorrent to exchange files will be able to direct out through any port that he/she wishes.

How many workstations are used on the students network?

apologies for all the questions but scenario seems a little vague. :-)

[localzuk]

The uni I went to followed this rule for their network - P2P traffic was blocked and people hunted down if they tried to get around it. The extra burden of having to mess around with people's complaints was seen as not worth it.

[ronanian]

Those are some good questions...

No proxy server.
Firewall allows all outbound ports. Historically it has not been a problem but I guess that era is over.

There's about 1400 computers registered to use the student network. They are mostly the students' own personal computers.

I could start by blocking P2P-specific ports but aren't most P2P systems using encryption over TCP ports 80 and 443 nowadays anyway?

[Sylv3r]

Stick something like Snort :: Home Page on your network which will sniff and drop p2p packets.

[ronanian]

Can Snort handle encrypted traffic?

[mac_shinobi]

Can Snort handle encrypted traffic?

what about traffic thats routed through something like torr or http tunnel and the likes ?

[Sylv3r]

Snort can't do much with encrypted traffic and I would think theres very little chance of any application decrypting all traffic.

[pete]

You could have the snort box discover which encrypted traffic is _likely_ to be p2p / tor by looking at where the connection is going, but accuracy will be a problem. Run non-blocking snort initially so you get an idea of the traffic passing through and spend time tuning the sensor. If nothing else, it'll alert you to compromised machines on your network.

You may wish to look at PacketFence as well - PacketFence: Home

You could use a proxy to run a man-in-the-middle attack for SSL, but that assumes your clients automatically trust certs issued by your inhouse CA. Since the kids own their laptops (right?), that's unlikely to be seamless. Check the legality in your area - much of it hinges on an AUP stating you do this.

Do you have an AUP that the students / their parents sign? Does it have teeth? (i.e disciplinary measures taken if it's broken). Assuming you manage to track down the kid responsible, a good dressing down + bringing the parents in usually keeps their year group in check for up to 3 months (for that particular brand of misbehaviour).

[ronanian]

They do own their own computers.

I think our AUP merely says we can cut off access, no real teeth. However, I think we can probably make some noise and get some parents involved.

I might be able to try to download the file that was complained about and use Snort or a transparent proxy or something like that, or maybe even just Wireshark/other packet sniffer, to determine who's communicating with my downloader...sounds awfully complicated, though.

[srochford]

I think you've got to do something even if it's not 100% successful. Could you setup a proxy server which only allows http/https? It will be a pain for users (you'll either have to give them details of how to configure their browser to talk to the proxy or set up WPAD) but you can justify it by explaining that some people have been breaking the law and this is the result.

Once you start getting "cease and desist" letters I think you're leaving yourself wide open to prosecution if you don't show that you've tried to stop this going on.

Was it a film that was downloaded? I get the feeling that the big studios are checking for abuse coming from academic IPs because they know that there are often lots of people there who might be pirating stuff. We get students doing it here but because every IP is public and tracked back to the student it's pretty easy to find the guilty party and hang them publicly :-)

[ronanian]

Yeah, it was a film.

Checking my SonicWall for the largest bandwidth users, who are most likely the P2P culprits, I've found that they're using rogue IP addresses - it seems they're manually making up static IP addresses and ignoring our DHCP server (which includes an authentication mechanism before it assigns them a good DNS). I'm able to dig up the MAC addresses of those and block them at the firewall. I'm also able to use the MAC address to check for previous registrations with our DHCP server so I can see who they belong to. I'm hoping that they'll come to me asking why their connection isn't working anymore

We'll see where it goes from there. I really don't want to add the workload involved in heavy enforcement, making everyone use a proxy, etc; we're a relatively tiny IT department for the quantity of users and systems we support here.

[JJonas]

In the UK there was a firm sending out threatening letters accusing people of downloading gay porn and offering them the chance to settle out of court for about £1000 figuring most people would pay up rather than go to court they had quite a lot of complaints about their tactics.
Can they supply you with a copy of their evidence so you can track down the offender.

http://news.bbc.co.uk/newsbeat/hi/te...00/7766448.stm