Educause Security Discussion mailing list archives
How one host may have led to campus internet outage
From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 5 Nov 2003 14:59:37 -0500
FYI and FWIW, the following DDoS scenario unfolded here last night, the irony and elements of which may be useful in planning for defensive and awareness measures. An otherwise low-level activity led to a multi-hour DDoS against our campus net feeds. "It only took one vulnerable machine..."

Scenario: One of our students' hosts gets a worm (W32/Graps, known since July) which permits remote control and IRC relaying. This host was then used yesterday to DoS (IRC nick change flood) an underground IRC chat server (had no registered hostname). That server's chat participants apparently chose to retaliate with DDoS (syn floods from many hosts, many at .edu sites) aimed at our student's host, effectively overloading our Packeteer and at least 2 internet feeds. Some of the DDoS came via I2, since other EDU hosts were co-opted into being relays for the attack.

Our IDS had noticed the machine's worm activity, and even saw it conducting the IRC attack, but both these activities were at such a low level they would not have typically floated to the top of an already-full alert/response queue.

Blocking the IRC attack outbound would seem a reasonable measure, except that it happened to be using 7000/UDP - the same as AFS uses. Several campus units depend on inter-site AFS access.

Of course, finding and/or preventing the worm infection would have forestalled the whole problem. Regular use of antivirus by the student would have easily remedied this problem before it became significant. Or, filtering these worm activities at the border could have provided an extra layer of protection for the campus systems - anyone have any good layer-7 filtering shields to recommend?
--
------------------------------------------------------------
Gary Dobbins, CISSP -- dobbins () nd edu
Director, Information Security
University of Notre Dame, Office of Information Technologies
Voice: 574.631.5554
------------------------------------------------------------
"...mind the gap"
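The two defensive points in the post (low-severity alerts that only matter once they co-occur on one host, and a port-7000/UDP block that cannot be applied blindly because AFS uses the same port) can be turned into simple correlation logic. The following is an added example written for this archive page, not code from the original post or from any campus tool; the alert line format, the signature-to-category mapping, the sample alerts and the AFS server list are all constructed assumptions.

```python
"""Correlate low-severity IDS alerts per source host, and flag 7000/UDP
flows that are not legitimate AFS traffic.
Assumed 'key=value' alert format; all sample data is constructed."""
import re
from collections import defaultdict

# Constructed sample alerts: one host beacons to its worm controller and
# runs an IRC flood, another only floods, a third is normal AFS traffic.
SAMPLE_ALERTS = """\
2003-11-04T21:02:11 src=10.20.30.40 sig=W32/Graps-backdoor-beacon sev=low
2003-11-04T21:03:50 src=10.20.30.40 sig=IRC-nick-change-flood sev=low
2003-11-04T21:04:02 src=10.20.30.41 sig=IRC-nick-change-flood sev=low
2003-11-04T21:05:13 src=10.20.30.40 sig=W32/Graps-backdoor-beacon sev=low
2003-11-04T21:06:00 src=10.20.30.42 sig=AFS-fileserver-traffic sev=info
"""

# Signature-prefix to coarse category mapping (assumed names).
CATEGORIES = {"W32/": "worm", "IRC-": "irc-abuse"}

ALERT_RE = re.compile(r"src=(?P<src>\S+)\s+sig=(?P<sig>\S+)\s+sev=(?P<sev>\S+)")

def parse_alerts(text):
    """Yield (src, category) for each alert whose signature has a category."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        for prefix, cat in CATEGORIES.items():
            if m["sig"].startswith(prefix):
                yield m["src"], cat
                break

def hosts_to_escalate(text, min_categories=2):
    """Hosts that triggered at least `min_categories` distinct low-level
    categories: each alert alone is queue noise, together they describe one
    compromised host being used as a relay."""
    cats = defaultdict(set)
    for src, cat in parse_alerts(text):
        cats[src].add(cat)
    return sorted(h for h, c in cats.items() if len(c) >= min_categories)

# Assumed (constructed) AFS fileservers the campus legitimately reaches on 7000/UDP.
AFS_SERVERS = {"192.0.2.10", "192.0.2.11"}

def suspicious_7000_udp(flows):
    """flows: iterable of (src, dst, proto, dport). Keep 7000/UDP flows whose
    destination is not a known AFS server, so AFS keeps working while a
    flood toward an unknown server is still surfaced."""
    return [f for f in flows
            if f[2] == "udp" and f[3] == 7000 and f[1] not in AFS_SERVERS]
```

Feeding a real IDS export into `hosts_to_escalate` requires only adjusting `ALERT_RE` and `CATEGORIES` to the product's field names.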