Educause Security Discussion mailing list archives

Network usage


From: "Niedens, Travis" <Travis_Niedens () REDLANDS EDU>
Date: Wed, 24 Mar 2004 14:07:18 -0800

All,

This is another question along the lines of what we've been talking about
recently with regard to student traffic.  We use netflow data to identify
systems that are attacking the network and/or are using programs that
violate our AUP.  Once identified, we quarantine the system and notify
ResNet so they are aware of what is going on.  Recently we've decided to
take it up a notch and use TCP translation counts to see if students are
conducting the previously mentioned activities. Please keep in mind that we
use these methods to avoid the need of using sniffers. We are seeing systems
with anywhere from 500 to 1000+ translations.  What I am wondering is, has
anyone used this approach and if so, are there any valid (non-p2p, adware,
spyware or virus) programs that use this amount of TCP translations? Also,
what do you set your TCP Connections / TCP Embryonic connections to?  We are
considering limits on both.

Thanks,

Travis Niedens
Network Manager
University of Redlands
 
Phone: (909) 748-6328
Fax:   (909) 793-2029
VoIP Phone: (909) 799-4778
VoIP Extension: 4778
 
"Defending the Network from Human Nature".. Cisco

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
