Re: Broadcast DOS Attacks

[Joel Rosenblatt <joel () COLUMBIA EDU>]

Hi Ralph,

Just to put in a plug for Nuke & Pave .. we have been requiring a reformat & reinstall for a while now.

I am using Netflow data to find compromised systems - we also have a system in place to throttle back a run away system 
(bandwidth limit) so that the traffic
does not affect the rest of the network.

I find that most scanning systems are part of a larger BOT network and I use the netflow data to find the Command & 
Control, then I take down all of the
systems on campus that are connecting to that C & C - they all get to reformat :-)

Just my 2 cents

Regards,
Joel Rosenblatt

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Friday, October 15, 2004 9:29 AM -0700 Joe St Sauver <JOE () OREGON UOREGON EDU> wrote:

> Hi Ralph,
>
> # Does anyone have any automated tools that would help id and quarantine
> # any such computer?// The broadcast traffic is through the roof!!! :-(
>
> Just to make sure I understand what you're seeing, the problematic traffic
> you're seeing is internal (local, from your users' hosts), rather than
> external in origin, correct?
>
> Are you currently doing Netflow for your network? If not, you might want
> to ask your staff to check out http://www.splintered.net/sw/flow-tools/
> -- hot hosts should be pretty easy to routinely spot, or you might want
> to also investigate Snort ( http://www.snort.org/ ) or Bro
> ( http://www.icir.org/vern/bro-info.html ) for some automated tools.
>
> Another step that may be quite helpful (you may already be doing this)
> would be to scan your own hosts for vulnerabilities using a tool such as
> Nessus (see: http://www.nessus.org/ ).
>
> I tend NOT to be a fan of sandbox-based quarantine systems simply because
> in many cases the remediation process exceeds the ability of novice users
> to execute, and it is often easy to get what I'd call "symptomatic relief"
> but not a "full cure." (The bad news is that we're creeping increasingly
> close to the day when nuke-and-pave (full re-installation following a
> compromise) will be the only realistic option, particularly when a given
> host may be multiply compromised)
>
> Regards,
>
> Joe St Sauver (joe () oregon uoregon edu)
> University of Oregon Computing Center
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/groups/.



Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.