Educause Security Discussion mailing list archives
Re: Broadcast DOS Attacks
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Fri, 15 Oct 2004 12:42:36 -0400
Hi Ralph,

Just to put in a plug for Nuke & Pave .. we have been requiring a reformat & reinstall for a while now.

I am using Netflow data to find compromised systems - we also have a system in place to throttle back a runaway system (bandwidth limit) so that the traffic does not affect the rest of the network.

I find that most scanning systems are part of a larger BOT network and I use the netflow data to find the Command & Control, then I take down all of the systems on campus that are connecting to that C & C - they all get to reformat :-)

Just my 2 cents

Regards,
Joel Rosenblatt

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Friday, October 15, 2004 9:29 AM -0700 Joe St Sauver <JOE () OREGON UOREGON EDU> wrote:
> Hi Ralph,
>
> # Does anyone have any automated tools that would help id and quarantine
> # any such computer?// The broadcast traffic is through the roof!!! :-(
>
> Just to make sure I understand what you're seeing, the problematic traffic you're seeing is internal (local, from your users' hosts), rather than external in origin, correct?
>
> Are you currently doing Netflow for your network? If not, you might want to ask your staff to check out http://www.splintered.net/sw/flow-tools/ -- hot hosts should be pretty easy to routinely spot, or you might want to also investigate Snort ( http://www.snort.org/ ) or Bro ( http://www.icir.org/vern/bro-info.html ) for some automated tools.
>
> Another step that may be quite helpful (you may already be doing this) would be to scan your own hosts for vulnerabilities using a tool such as Nessus (see: http://www.nessus.org/ ).
>
> I tend NOT to be a fan of sandbox-based quarantine systems simply because in many cases the remediation process exceeds the ability of novice users to execute, and it is often easy to get what I'd call "symptomatic relief" but not a "full cure." (The bad news is that we're creeping increasingly close to the day when nuke-and-pave (full re-installation following a compromise) will be the only realistic option, particularly when a given host may be multiply compromised)
>
> Regards,
>
> Joe St Sauver (joe () oregon uoregon edu)
> University of Oregon Computing Center
>
> ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
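The two-step triage Joel describes (spot the scanning "hot hosts" in NetFlow, then work back to the controller they all report to and pull every campus host that talks to it) is easy to script once flows are exported to something tabular. The example below is added here and is not code from either poster or from flow-tools; the campus range, the thresholds, the flow record layout (src, dst, dst port, protocol) and the sample traffic are all constructed for the example. The C&C heuristic is an assumption as well: an off-campus endpoint that several scanners share, where scanners make up a large share of its campus clients, after discarding the scanners' own sweep traffic so that scan targets are not mistaken for controllers.

```python
"""Find scanning hosts in NetFlow-style records, infer their shared C&C peer,
and list every campus host that contacted it. Added example; sample data is
constructed, not from the mailing-list thread."""
import ipaddress
from collections import defaultdict

# Assumed campus address range (the thread does not name one).
CAMPUS = ipaddress.ip_network("10.0.0.0/16")

# Tunables; all three are assumptions for this example, not values from the thread.
SCAN_FANOUT = 50      # distinct destinations on one port/proto from one host
MIN_SCANNERS = 2      # scanners that must share a peer before it is a C&C candidate
SCANNER_SHARE = 0.5   # scanners must be at least this fraction of a peer's campus clients


def build_sample_flows():
    """Constructed records shaped like a flow export: (src, dst, dport, proto)."""
    flows = []
    bots = ["10.0.5.7", "10.0.9.21"]
    cnc = ("203.0.113.5", 6667, 6)        # documentation address standing in for a C&C
    popular = ("192.0.2.10", 443, 6)      # a busy, legitimate web server
    for bot in bots:
        # SMB sweep across an off-campus /24: one flow per target host
        for i in range(1, 255):
            flows.append((bot, f"198.51.100.{i}", 445, 6))
        flows.append((bot, *cnc))
        flows.append((bot, *popular))
    # a quiet campus host that also talks to the C&C but never scanned
    flows.append(("10.0.3.3", *cnc))
    # ordinary users: web and DNS only
    for host in ["10.0.1.2", "10.0.1.3", "10.0.2.8", "10.0.2.9", "10.0.4.1"]:
        flows.append((host, *popular))
        flows.append((host, "192.0.2.20", 53, 17))
    return flows


def find_scanners(flows, fanout=SCAN_FANOUT):
    """Campus hosts that touched >= fanout distinct destinations on one port/proto.
    Returns {host: set of (dport, proto) it swept}: the 'hot hosts' Joe mentions."""
    targets = defaultdict(set)  # (src, dport, proto) -> distinct destinations
    for src, dst, dport, proto in flows:
        if ipaddress.ip_address(src) in CAMPUS:
            targets[(src, dport, proto)].add(dst)
    scanners = defaultdict(set)
    for (src, dport, proto), dsts in targets.items():
        if len(dsts) >= fanout:
            scanners[src].add((dport, proto))
    return dict(scanners)


def find_cnc_candidates(flows, scanners):
    """Off-campus (dst, dport, proto) peers shared by the scanners, ranked by the
    share of their campus clients that are scanners. Assumed heuristic."""
    clients = defaultdict(set)  # peer -> campus hosts that contacted it
    for src, dst, dport, proto in flows:
        if ipaddress.ip_address(src) not in CAMPUS or ipaddress.ip_address(dst) in CAMPUS:
            continue
        if (dport, proto) in scanners.get(src, ()):
            continue  # the scanner's own sweep traffic; targets are not controllers
        clients[(dst, dport, proto)].add(src)
    candidates = []
    for peer, hosts in clients.items():
        hit = hosts & set(scanners)
        share = len(hit) / len(hosts)
        if len(hit) >= MIN_SCANNERS and share >= SCANNER_SHARE:
            candidates.append((peer, share))
    return sorted(candidates, key=lambda c: c[1], reverse=True)


def hosts_to_rebuild(flows, cnc_peers):
    """Every campus host that contacted any confirmed C&C peer, scanning or not."""
    out = set()
    for src, dst, dport, proto in flows:
        if (dst, dport, proto) in cnc_peers and ipaddress.ip_address(src) in CAMPUS:
            out.add(src)
    return out


if __name__ == "__main__":
    flows = build_sample_flows()
    scanners = find_scanners(flows)
    cnc = find_cnc_candidates(flows, scanners)
    peers = {peer for peer, _ in cnc}
    print("scanners:", sorted(scanners))
    print("C&C candidates:", cnc)
    print("hosts to reformat:", sorted(hosts_to_rebuild(flows, peers)))
```

On the constructed data the busy web server is contacted by both bots but also by five clean hosts, so it falls below the scanner-share threshold and is not flagged, while the IRC-port peer is reached by the two scanners plus one quiet host and becomes the single candidate; the quiet host then lands on the reformat list too, which is the point of Joel's "take down all of the systems on campus that are connecting to that C & C". Real exports carry packet and byte counts and flow durations, which separate a one-packet probe from a long-lived control session far better than the port exclusion used here.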
Current thread:
- Broadcast DOS Attacks Ralph Fasano (Oct 15)
- <Possible follow-ups>
- Re: Broadcast DOS Attacks Joe St Sauver (Oct 15)
- Re: Broadcast DOS Attacks Joel Rosenblatt (Oct 15)
- Re: Broadcast DOS Attacks Wood, Anne M (wood) (Oct 15)
- Re: Broadcast DOS Attacks Tom Klimek (Oct 15)
- Re: Broadcast DOS Attacks Mark Poepping (Oct 16)