Fabio Pietrosanti (naif)
lists at infosecurity.ch
Mon Apr 9 18:22:27 UTC 2012
On 4/9/12 8:03 PM, Andreas Krey wrote:
> They don't have much more relevant logs than the usual provider (which
> only needs the IP address to be able to point to a specific user).
> The NAT is an interesting thing by itself: Usually, interested parties
> will only come up with an IP address to track down someone, and then the
> NATting provider has the problem that there are multiple users behind that
> addresse. Having logs of every NAT translation doesn't help much, because
> usually the interested party does not have the source port number used.
It help if the provider log all NAT translation.
The provider can tell to the LEA, given a specific target IP, that
"this/those user(s) established a connection to that target IP".
Typically it would be a single user, but even in case of many users,
traditional other criminal investigation/correlation will help LEA in
identifying the right user.
For example in Italy Fastweb (www.fastweb.it) fiber internet provider,
that have for end-user a big MAN with private ip address, do NAT
translation logging and LEA reporting when required.
More information about the tor-talk