Educause Security Discussion mailing list archives
Re: Broadcast DOS Attacks
From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Fri, 15 Oct 2004 09:29:36 -0700
Hi Ralph, #Does anyone have any automated tools that would help id and quarantine #any such computer?// The broadcast traffic is through the roof!!! :-( Just to make sure I understand what you're seeing, the problematic traffic you're seeing is internal (local, from your users' hosts), rather than external in origin, correct? Are you currently doing Netflow for your network? If not, you might want to ask your staff to check out http://www.splintered.net/sw/flow-tools/ -- hot hosts should be pretty easy to routinely spot, or you might want to also investigate Snort ( http://www.snort.org/ ) or Bro ( http://www.icir.org/vern/bro-info.html ) for some automated tools. Another step that may be quite helpful (you may already be doing this) would be to scan your own hosts for vulnerabilities using a tool such as Nessus (see: http://www.nessus.org/ ). I tend NOT to be a fan of sandbox-based quarantine systems simply because in many cases the remediation process exceeds the ability of novice users to execute, and it is often easy to get what I'd call "symptomatic relief" but not a "full cure." (The bad news is that we're creeping increasingly close to the day when nuke-and-pave (full re-installation following a compromise) will be the only realistic option, particularly when a given host may be multiply compromised) Regards, Joe St Sauver (joe () oregon uoregon edu) University of Oregon Computing Center ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Broadcast DOS Attacks Ralph Fasano (Oct 15)
- <Possible follow-ups>
- Re: Broadcast DOS Attacks Joe St Sauver (Oct 15)
- Re: Broadcast DOS Attacks Joel Rosenblatt (Oct 15)
- Re: Broadcast DOS Attacks Wood, Anne M (wood) (Oct 15)
- Re: Broadcast DOS Attacks Tom Klimek (Oct 15)
- Re: Broadcast DOS Attacks Mark Poepping (Oct 16)