Educause Security Discussion mailing list archives

How one host may have led to campus internet outage


From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 5 Nov 2003 14:59:37 -0500

FYI and FWIW, the following DDoS scenario unfolded here last night,
the irony and elements of which may be useful in planning for
defensive and awareness measures.

An otherwise low-level activity led to a multi-hour DDoS against
our campus net feeds.
"It only took one vulnerable machine..."

Scenario: One of our students' hosts gets a worm (W32/Graps, known since
July) which permits remote control and IRC relaying.  This host was
then used yesterday to DoS (IRC nick-change flood) an underground IRC
chat server (which had no registered hostname). That server's chat
participants apparently chose to retaliate with DDoS (syn floods from
many hosts, many at .edu sites) aimed at our student's host,
effectively overloading our Packeteer and at least 2 internet feeds.
Some of the DDoS came via I2, since other EDU hosts were co-opted into
being relays for the attack.

Our IDS had noticed the machine's worm activity, and even saw it
conducting the IRC attack, but both these activities were at such a
low level they would not have typically floated to the top of an
already-full alert/response queue.

Blocking the IRC attack outbound would seem a reasonable measure,
except that it happened to be using 7000/UDP - the same as AFS uses.
Several campus units depend on inter-site AFS access.

Of course, finding and/or preventing the worm infection would have
forestalled the whole problem.  Regular use of antivirus by the
student would have easily remedied this problem before it became
significant.

Or, filtering these worm activities at the border could have provided
an extra layer of protection for the campus systems - anyone have any
good layer7 filtering shields to recommend?

--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- dobbins () nd edu
  Director, Information Security
  University of Notre Dame, Office of Information Technologies
  Voice: 574.631.5554
  ------------------------------------------------------------
  "...mind the gap"
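A defender-side correlation check for the situation described above: two low-level alerts from one host that only matter when seen together, plus UDP/7000 traffic that cannot simply be blocked because AFS uses the same port. This is an added example, not code from the original post or from Notre Dame; the alert line format, its field names, the sample lines and the AFS server list are all constructed assumptions.

```python
"""Escalate low-severity IDS alerts that, taken together, point to one
compromised host.  Assumed "key=value" alert format; sample data constructed."""
import re
from collections import defaultdict

# Constructed sample alerts (assumed format); one host shows worm + IRC flood,
# one host is ordinary AFS traffic on UDP/7000, one host has a lone worm alert.
SAMPLE_ALERTS = """\
2003-11-04T20:01:12 sev=low sig=worm-irc-bot src=10.1.2.3 dst=203.0.113.9 dport=6667 proto=tcp rdns=irc.example.net
2003-11-04T21:15:00 sev=low sig=irc-nick-flood src=10.1.2.3 dst=198.51.100.7 dport=7000 proto=udp rdns=none
2003-11-04T21:15:05 sev=low sig=irc-nick-flood src=10.1.2.3 dst=198.51.100.7 dport=7000 proto=udp rdns=none
2003-11-04T20:30:00 sev=low sig=udp-7000-burst src=10.1.9.8 dst=192.0.2.20 dport=7000 proto=udp rdns=afs1.example.edu
2003-11-04T22:00:00 sev=low sig=worm-irc-bot src=10.1.5.5 dst=203.0.113.9 dport=6667 proto=tcp rdns=irc.example.net
"""

# Assumed list of AFS cell servers: UDP/7000 to these is expected, not a flood.
KNOWN_AFS_SERVERS = {"192.0.2.20"}

LINE_RE = re.compile(r"(\S+) (.*)")

def parse(line):
    """Split one alert line into a dict of its key=value fields plus 'ts'."""
    ts, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields

def is_afs(alert):
    """True when the alert is UDP/7000 to a known AFS server (legitimate)."""
    return (alert["proto"] == "udp" and alert["dport"] == "7000"
            and alert["dst"] in KNOWN_AFS_SERVERS)

def indicators(alert):
    """Indicators one alert contributes: its signature, and whether the peer
    has no reverse DNS name (as with an underground IRC server)."""
    found = {alert["sig"]}
    if alert["rdns"] == "none":
        found.add("peer-without-rdns")
    return found

def correlate(text):
    """Return {src: sorted indicators} for hosts whose individually low-level
    alerts combine into two or more distinct indicators, i.e. worth escalating."""
    seen = defaultdict(set)
    for line in text.splitlines():
        alert = parse(line)
        if is_afs(alert):          # expected AFS traffic, leave it alone
            continue
        seen[alert["src"]] |= indicators(alert)
    return {host: sorted(ind) for host, ind in seen.items() if len(ind) >= 2}
```

Run on the sample, only 10.1.2.3 is escalated; the AFS host is filtered out and the host with a single worm alert stays in the normal queue.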

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
