Tracking the Corporate Maze

This is a great little article from a security manager of a big company who traces down an illegally distributed movie file after the company has received a letter from the MPAA. It reads like an investigative story and describes all the techniques used to get from 6,000 desktops that use a single public IP adress to the one that contains the movie.

The outset:

[B]efore we could take reasonable measures, we needed to know which of our roughly 6,000 internal desktops was involved. The problem is that all of them appear to the public as that one IP address cited by the MPAA. That's because we use RFC 1918-compliant IP addresses via our DHCP servers. These are private IP addresses, reserved for internally routed devices. When these internal resources communicate with an outside entity, their IP addresses are translated to a single publicly addressable IP address.

To make matters worse, our DHCP leases expire every 48 hours, meaning that when those internal IP addresses expire every couple of days, most are likely assigned to someone else. We keep logs of IP address assignments, but not for very long, since they take up a lot of disk space. And by the time the MPAA's letter made it through the postal service and our mailroom and was delivered to the right department, several days had gone by.