[Starlink] dhcp/network usage logs (unrelated to bufferbloat)

[Mark Seiden <mis@seiden.com>]

(sorry if this is too far off-topic, but you are the sort of people who are likely to just know about this, and i can’t get any info out of
spacex, so far.)

i am looking into a possible PII breach (but certainly exceeding authorized access) coming from a couple 
starlink ip addresses. the addresses are shown as being in either starlink (denver) or starlink (dallas).

we actually believe these are coming from a place in kansas that might talk via either adjacent state, but i deeply do not
understand how the data flows between the, uh, dish, and customer equipment, and ground stations.   (the last ground 
station list i can find by web search is 3 years old.)

at the moment we believe this is usage coming from my client’s own starlink equipment, i.e. this is an attack from the inside.

so we asked starlink support for any sort of usage logs for the customer’s own device (particularly ip address assignments) 
for specific dates, and they so far refuse to provide such information other than, they say, to law enforcement, who is not yet
involved in the case.

it’s unusual, in my experience, for an ISP to refuse to provide a customer’s own historical usage data to that same customer.
has anyone had a similar experience of asking for their own ip address assignments and usage data and being turned down?

has anyone actually gotten dhcp address assignment logs from spacex and, if so  can you send me a few sample lines so i can
look at what they could provide?

does anyone know what other data starlink actually logs?   (presumably location, at least).

does anyone know what the retention period is?  (we are looking for 6 months of 2024 data).

(btw, my understand is that starlink uses cg-nat, and the logs we have of the abused service do not include port numbers, 
just ip addresses, sigh.)

thanks for any helpful info or pointers to Them That Might Know.

—
mark seiden