Re: Broadcast DOS Attacks

[Joe St Sauver <JOE () OREGON UOREGON EDU>]

Hi Ralph,

#Does anyone have any automated tools that would help id and quarantine
#any such computer?// The broadcast traffic is through the roof!!! :-(

Just to make sure I understand what you're seeing, the problematic traffic
you're seeing is internal (local, from your users' hosts), rather than
external in origin, correct?

Are you currently doing Netflow for your network? If not, you might want
to ask your staff to check out http://www.splintered.net/sw/flow-tools/
-- hot hosts should be pretty easy to routinely spot, or you might want
to also investigate Snort ( http://www.snort.org/ ) or Bro
( http://www.icir.org/vern/bro-info.html ) for some automated tools.

Another step that may be quite helpful (you may already be doing this)
would be to scan your own hosts for vulnerabilities using a tool such as
Nessus (see: http://www.nessus.org/ ).

I tend NOT to be a fan of sandbox-based quarantine systems simply because
in many cases the remediation process exceeds the ability of novice users
to execute, and it is often easy to get what I'd call "symptomatic relief"
but not a "full cure." (The bad news is that we're creeping increasingly
close to the day when nuke-and-pave (full re-installation following a
compromise) will be the only realistic option, particularly when a given
host may be multiply compromised)

Regards,

Joe St Sauver (joe () oregon uoregon edu)
University of Oregon Computing Center

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.