Scope: Procedure to follow if we receive an email from a publisher regarding a blocked IP address or range

Contact: Zhaneille Green or Abigail Wickes

Unit: Electronic Resources & Serials Acquisitions

Date last reviewed: 01 Aug 2023 

Date of next review:

Overview

Occasionally publishers will send an alert that an IP address or range has been blocked on their platform due to excessive use or unusual behavior.

Troubleshooting

• Check if IP address is EZproxy or LOCKSS IP; if so, explain to provider that this is legitimate use and ask them to unblock.
• If IP address is not EZproxy or LOCKSS IP, forward notification and accompanying audit log to Duke's IT Security Office (ITSO), attaching any available logs, and copying contact from publisher for any follow up from ITSO.
  • Ask if ITSO needs any additional information
  • Ask publisher if they use Cloudflare security software
  • Request audit log from publisher if it is not already included
  • Email boilerplate:

Hi ITSO,

 We received this notification from [Publisher] that they temporarily blocked our IP address [#####] due to excessive use. Please see log attached. Our contact from  [Publisher] is copied onto this email for further questions.

[Publisher], could you please confirm what software or vendor you use to detect this kind of activity, such as Cloudflare or Zscaler? We have had extensive problems with other content providers with this software generating false positives.

• Flag alert to ERM counterparts at professional schools
  • Law
  • Med Center Library
  • Ford
• Alert publisher that Duke's ITSO has been notified
• Field any additional questions from ITSO (copy an ITSO representative onto the correspondence with the publisher so they can discuss directly if questions get extensive)
• Alert publisher once ITSO has identified IP address and provided an explanation, and confirm address/range has been unblocked