It is vital within the university environment that the source of any abusive or malicious network traffic can easily be traced and isolated. Depending on the nature of the problem, it may be necessary to determine either the user or the computer responsible for particular traffic at a particular time. OxCERT will expect colleges and departments to be able to trace either upon request.

Reasons for requiring traceability include, but are not limited to, the following:
  • malicious network traffic (scanning, sending spam, communicating with known Command and Control systems, etc.)
  • determining users affected by a security incident (e.g. users whose passwords have been exposed to a keylogger)
  • suspected access of illegal materials
  • alleged copyright infringement
  • violations of University IT regulations
  • troubleshooting
Note in particular that the prevalence of keylogger infections means that it is increasingly necessary to be able to determine who has used a known compromised system.

This document explains the procedures generally used in order to trace network abuse. It is the responsibility of each college and department to ensure that the necessary information is logged for users of their networks.

Sections in this document: